Analysis

  • max time kernel
    129s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2023 02:35

General

  • Target

    f2057621dafe3cf02981cb350fb8ad4d.exe

  • Size

    692KB

  • MD5

    f2057621dafe3cf02981cb350fb8ad4d

  • SHA1

    bf6ab848e5d91a425f04bbabb82575e9574dfcfb

  • SHA256

    ea8ecda6aaf0a6560b614a46a33112caf8ab6404be64ced23fa202737ddbacbf

  • SHA512

    691908a97884081e128efdecb1e6500a68492c2474c6949617f186bbc4a7f5f1369a95e74960b729475d41c5d1b9384e2589cc0fa9befc8b9a588d49509a398f

  • SSDEEP

    12288:nMrvy90qCuyf+7apRUEglUwkYwLVeRk6EmYmY8BUs2Rww8lOXT+w3ZRbpPlZKfch:QyYRQEgnkYwUUmYmYY92RwDlOXaWTFXD

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

redline

Botnet

pixelnew2.0

C2

194.49.94.11:80

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Detect ZGRat V1 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 6 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe
    "C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3516
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4840
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:3812
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2260
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 540
                6⤵
                • Program crash
                PID:440
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 540
                6⤵
                • Program crash
                PID:2812
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe
            4⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:4292
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3448
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:4396
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
                PID:2332
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe
            2⤵
            • Executes dropped EXE
            PID:1372
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2260 -ip 2260
          1⤵
            PID:2372
          • C:\Users\Admin\AppData\Local\Temp\D807.exe
            C:\Users\Admin\AppData\Local\Temp\D807.exe
            1⤵
            • Executes dropped EXE
            PID:3424
          • C:\Users\Admin\AppData\Local\Temp\E6CD.exe
            C:\Users\Admin\AppData\Local\Temp\E6CD.exe
            1⤵
            • Executes dropped EXE
            PID:4864
          • C:\Users\Admin\AppData\Local\Temp\EBC0.exe
            C:\Users\Admin\AppData\Local\Temp\EBC0.exe
            1⤵
              PID:3588
            • C:\Users\Admin\AppData\Local\Temp\B30.exe
              C:\Users\Admin\AppData\Local\Temp\B30.exe
              1⤵
                PID:3160
              • C:\Users\Admin\AppData\Local\Temp\DE0.exe
                C:\Users\Admin\AppData\Local\Temp\DE0.exe
                1⤵
                  PID:2940
                • C:\Users\Admin\AppData\Local\Temp\1256.exe
                  C:\Users\Admin\AppData\Local\Temp\1256.exe
                  1⤵
                    PID:3100

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\1256.exe

                    Filesize

                    627KB

                    MD5

                    73ae6c3b85c619aa3fb06de545597251

                    SHA1

                    eb1aebe3b76ca3a2b5075880a307c7da2a7d4526

                    SHA256

                    622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427

                    SHA512

                    912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923

                  • C:\Users\Admin\AppData\Local\Temp\1256.exe

                    Filesize

                    627KB

                    MD5

                    73ae6c3b85c619aa3fb06de545597251

                    SHA1

                    eb1aebe3b76ca3a2b5075880a307c7da2a7d4526

                    SHA256

                    622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427

                    SHA512

                    912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923

                  • C:\Users\Admin\AppData\Local\Temp\B30.exe

                    Filesize

                    12.6MB

                    MD5

                    c6efb8a96d16975e226f757619892d09

                    SHA1

                    fe1d7fc49e6ca211930347334eb27b0d64d9b5dc

                    SHA256

                    2f831895016ec2f255ca65fb3fb7b7aac1c5f8bd07569fd170bba8dabca86f7c

                    SHA512

                    d373614d6d4fb31449212936d62f4584b8023a9c4776e7fc94634b0c494137287f7bf9b2296a4f8e1b43055fd73377322a4bae01407ea95615723f7a2e4cd8ec

                  • C:\Users\Admin\AppData\Local\Temp\B30.exe

                    Filesize

                    12.6MB

                    MD5

                    c6efb8a96d16975e226f757619892d09

                    SHA1

                    fe1d7fc49e6ca211930347334eb27b0d64d9b5dc

                    SHA256

                    2f831895016ec2f255ca65fb3fb7b7aac1c5f8bd07569fd170bba8dabca86f7c

                    SHA512

                    d373614d6d4fb31449212936d62f4584b8023a9c4776e7fc94634b0c494137287f7bf9b2296a4f8e1b43055fd73377322a4bae01407ea95615723f7a2e4cd8ec

                  • C:\Users\Admin\AppData\Local\Temp\D807.exe

                    Filesize

                    15.2MB

                    MD5

                    211097310dfd7c551035a38baae5f637

                    SHA1

                    e376bd625016637fc68ee4b22280c26edc6594d2

                    SHA256

                    733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436

                    SHA512

                    73316cb83ede1431c0759eb8c03ccead213ad9d1ac8e7fa3c80501475305e7e40e621efd27a97da83bd072bb70a7e9e7e9629953f8b1970abdf71c57e3f7aee9

                  • C:\Users\Admin\AppData\Local\Temp\DE0.exe

                    Filesize

                    931KB

                    MD5

                    d497d6f5d3b74379d1ca2e1abde20281

                    SHA1

                    937aac5cf9191e833724edda2742ed115a5237c7

                    SHA256

                    a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564

                    SHA512

                    bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6

                  • C:\Users\Admin\AppData\Local\Temp\DE0.exe

                    Filesize

                    931KB

                    MD5

                    d497d6f5d3b74379d1ca2e1abde20281

                    SHA1

                    937aac5cf9191e833724edda2742ed115a5237c7

                    SHA256

                    a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564

                    SHA512

                    bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6

                  • C:\Users\Admin\AppData\Local\Temp\E6CD.exe

                    Filesize

                    428KB

                    MD5

                    00b8992b81895399705febca26261d2f

                    SHA1

                    cad8070a0a9d26c5157af0430f3c6e4cfd507dc4

                    SHA256

                    ecaa0c2607027b807cd7092124f7e3ce4982fb7a05436ede18e2fb3b66a48528

                    SHA512

                    7bbb1e9f73b9f0c5aa1df89839c7affc59609deb483cc93b733707cb8248ed27f9c1cef6a0f12f5b50caf8ec6243c8d1114283d4fd5dbbbd7fef9cd16345f4c1

                  • C:\Users\Admin\AppData\Local\Temp\E6CD.exe

                    Filesize

                    428KB

                    MD5

                    00b8992b81895399705febca26261d2f

                    SHA1

                    cad8070a0a9d26c5157af0430f3c6e4cfd507dc4

                    SHA256

                    ecaa0c2607027b807cd7092124f7e3ce4982fb7a05436ede18e2fb3b66a48528

                    SHA512

                    7bbb1e9f73b9f0c5aa1df89839c7affc59609deb483cc93b733707cb8248ed27f9c1cef6a0f12f5b50caf8ec6243c8d1114283d4fd5dbbbd7fef9cd16345f4c1

                  • C:\Users\Admin\AppData\Local\Temp\EBC0.exe

                    Filesize

                    95KB

                    MD5

                    0592c6d7674c77b053080c5b6e79fdcb

                    SHA1

                    693339ede19093e2b4593fda93be0b140be69141

                    SHA256

                    fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

                    SHA512

                    37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

                  • C:\Users\Admin\AppData\Local\Temp\EBC0.exe

                    Filesize

                    95KB

                    MD5

                    0592c6d7674c77b053080c5b6e79fdcb

                    SHA1

                    693339ede19093e2b4593fda93be0b140be69141

                    SHA256

                    fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

                    SHA512

                    37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe

                    Filesize

                    73KB

                    MD5

                    1d71ef189dabc8c5abb381286f47cc85

                    SHA1

                    93c4c272d017af943205b54719ab51553a43ade8

                    SHA256

                    6f7aaa2c7e4418b4e280c82fdb6b8684f7e653b9584f7be4b05bf2a9fb70ca41

                    SHA512

                    93eb68da6bb99dc5d77fece799f0a9c221eedabad73449806ba0e48a29bc51bf83635129c578477d8c867ce177e2e30a1c3a34e0ff2e72355a326fc11e35fa64

                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe

                    Filesize

                    73KB

                    MD5

                    1d71ef189dabc8c5abb381286f47cc85

                    SHA1

                    93c4c272d017af943205b54719ab51553a43ade8

                    SHA256

                    6f7aaa2c7e4418b4e280c82fdb6b8684f7e653b9584f7be4b05bf2a9fb70ca41

                    SHA512

                    93eb68da6bb99dc5d77fece799f0a9c221eedabad73449806ba0e48a29bc51bf83635129c578477d8c867ce177e2e30a1c3a34e0ff2e72355a326fc11e35fa64

                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe

                    Filesize

                    570KB

                    MD5

                    53e3d7f256fba648ef59ca0021c58305

                    SHA1

                    125f02ca07f09513b226a85ccbd7ec0c99658a34

                    SHA256

                    cfa5cb889924899fc5331bf7c7ae2391d9dd33171eb08f368b69b52ed4502b54

                    SHA512

                    4526699112f29fe1ab14962b5b65c15a716540a6485aa8ccb4d5b3447d381f8dfbaa51ba42f198da0fc4f1fbefd5f5442ac09a6a9e94ee336ad552e2ff27deec

                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe

                    Filesize

                    570KB

                    MD5

                    53e3d7f256fba648ef59ca0021c58305

                    SHA1

                    125f02ca07f09513b226a85ccbd7ec0c99658a34

                    SHA256

                    cfa5cb889924899fc5331bf7c7ae2391d9dd33171eb08f368b69b52ed4502b54

                    SHA512

                    4526699112f29fe1ab14962b5b65c15a716540a6485aa8ccb4d5b3447d381f8dfbaa51ba42f198da0fc4f1fbefd5f5442ac09a6a9e94ee336ad552e2ff27deec

                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe

                    Filesize

                    339KB

                    MD5

                    14d9834611ad581afcfea061652ff6cb

                    SHA1

                    802f964d0be7858eb2f1e7c6fcda03501fd1b71c

                    SHA256

                    e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60

                    SHA512

                    cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe

                    Filesize

                    339KB

                    MD5

                    14d9834611ad581afcfea061652ff6cb

                    SHA1

                    802f964d0be7858eb2f1e7c6fcda03501fd1b71c

                    SHA256

                    e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60

                    SHA512

                    cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe

                    Filesize

                    334KB

                    MD5

                    21814dae68da51c7551de838872f3d88

                    SHA1

                    7c891b62a59937c92502880d4d57de8c92dc533a

                    SHA256

                    436300a43d42fd20930d95ae14eb6388d558623679bf44a1c7ecbc5691373958

                    SHA512

                    b9f952b55d94e0590a2e88637d71aa3d7880da20cc5dc204dbc9468264dd3a5a9aed012a04c1a89c8bd2f9312c547fcf3f9317f44c1e3c8170f099337edb71d3

                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe

                    Filesize

                    334KB

                    MD5

                    21814dae68da51c7551de838872f3d88

                    SHA1

                    7c891b62a59937c92502880d4d57de8c92dc533a

                    SHA256

                    436300a43d42fd20930d95ae14eb6388d558623679bf44a1c7ecbc5691373958

                    SHA512

                    b9f952b55d94e0590a2e88637d71aa3d7880da20cc5dc204dbc9468264dd3a5a9aed012a04c1a89c8bd2f9312c547fcf3f9317f44c1e3c8170f099337edb71d3

                  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe

                    Filesize

                    300KB

                    MD5

                    784667bb96ccb30c4cf44f2c5f493769

                    SHA1

                    28185165ab4dbbb4a139ae1af0bb6934ebe05c04

                    SHA256

                    1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9

                    SHA512

                    62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

                  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe

                    Filesize

                    300KB

                    MD5

                    784667bb96ccb30c4cf44f2c5f493769

                    SHA1

                    28185165ab4dbbb4a139ae1af0bb6934ebe05c04

                    SHA256

                    1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9

                    SHA512

                    62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

                  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe

                    Filesize

                    37KB

                    MD5

                    b938034561ab089d7047093d46deea8f

                    SHA1

                    d778c32cc46be09b107fa47cf3505ba5b748853d

                    SHA256

                    260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

                    SHA512

                    4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

                  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe

                    Filesize

                    37KB

                    MD5

                    b938034561ab089d7047093d46deea8f

                    SHA1

                    d778c32cc46be09b107fa47cf3505ba5b748853d

                    SHA256

                    260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

                    SHA512

                    4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

                  • memory/2260-25-0x0000000000400000-0x0000000000433000-memory.dmp

                    Filesize

                    204KB

                  • memory/2260-21-0x0000000000400000-0x0000000000433000-memory.dmp

                    Filesize

                    204KB

                  • memory/2260-23-0x0000000000400000-0x0000000000433000-memory.dmp

                    Filesize

                    204KB

                  • memory/2260-22-0x0000000000400000-0x0000000000433000-memory.dmp

                    Filesize

                    204KB

                  • memory/2332-37-0x0000000000400000-0x000000000043C000-memory.dmp

                    Filesize

                    240KB

                  • memory/2332-60-0x00000000738C0000-0x0000000074070000-memory.dmp

                    Filesize

                    7.7MB

                  • memory/2940-90-0x000001A69DD50000-0x000001A69DD60000-memory.dmp

                    Filesize

                    64KB

                  • memory/2940-79-0x000001A69DDD0000-0x000001A69DEB0000-memory.dmp

                    Filesize

                    896KB

                  • memory/2940-85-0x00007FFFA9300000-0x00007FFFA9DC1000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2940-83-0x000001A6B6620000-0x000001A6B6700000-memory.dmp

                    Filesize

                    896KB

                  • memory/2940-87-0x000001A6B6700000-0x000001A6B67C8000-memory.dmp

                    Filesize

                    800KB

                  • memory/2940-93-0x000001A6B68D0000-0x000001A6B6998000-memory.dmp

                    Filesize

                    800KB

                  • memory/2940-73-0x000001A69BF60000-0x000001A69C04E000-memory.dmp

                    Filesize

                    952KB

                  • memory/3100-94-0x0000023971EF0000-0x0000023971F3C000-memory.dmp

                    Filesize

                    304KB

                  • memory/3100-91-0x0000023957DF0000-0x0000023957E46000-memory.dmp

                    Filesize

                    344KB

                  • memory/3100-77-0x00000239578D0000-0x0000023957972000-memory.dmp

                    Filesize

                    648KB

                  • memory/3100-88-0x00007FFFA9300000-0x00007FFFA9DC1000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/3100-80-0x0000023971DF0000-0x0000023971EF0000-memory.dmp

                    Filesize

                    1024KB

                  • memory/3100-95-0x00000239727F0000-0x0000023972844000-memory.dmp

                    Filesize

                    336KB

                  • memory/3100-92-0x0000023957DB0000-0x0000023957DC0000-memory.dmp

                    Filesize

                    64KB

                  • memory/3160-82-0x0000000000BD0000-0x000000000186A000-memory.dmp

                    Filesize

                    12.6MB

                  • memory/3160-67-0x00000000738C0000-0x0000000074070000-memory.dmp

                    Filesize

                    7.7MB

                  • memory/3260-30-0x0000000003140000-0x0000000003156000-memory.dmp

                    Filesize

                    88KB

                  • memory/3424-86-0x00007FF7EA3A0000-0x00007FF7EAD48000-memory.dmp

                    Filesize

                    9.7MB

                  • memory/3424-78-0x00007FF7EA3A0000-0x00007FF7EAD48000-memory.dmp

                    Filesize

                    9.7MB

                  • memory/3424-89-0x00007FF7EA3A0000-0x00007FF7EAD48000-memory.dmp

                    Filesize

                    9.7MB

                  • memory/3424-97-0x00007FF7EA3A0000-0x00007FF7EAD48000-memory.dmp

                    Filesize

                    9.7MB

                  • memory/3588-81-0x0000000000F10000-0x0000000000F2E000-memory.dmp

                    Filesize

                    120KB

                  • memory/3588-61-0x00000000738C0000-0x0000000074070000-memory.dmp

                    Filesize

                    7.7MB

                  • memory/4292-32-0x0000000000400000-0x000000000040B000-memory.dmp

                    Filesize

                    44KB

                  • memory/4292-28-0x0000000000400000-0x000000000040B000-memory.dmp

                    Filesize

                    44KB

                  • memory/4864-62-0x00000000738C0000-0x0000000074070000-memory.dmp

                    Filesize

                    7.7MB

                  • memory/4864-55-0x0000000000540000-0x000000000059A000-memory.dmp

                    Filesize

                    360KB

                  • memory/4864-52-0x0000000000400000-0x000000000046F000-memory.dmp

                    Filesize

                    444KB

                  • memory/4864-96-0x0000000007130000-0x00000000076D4000-memory.dmp

                    Filesize

                    5.6MB