Resubmissions

20-03-2024 16:08

240320-tla6hadc8t 10

27-11-2023 17:21

231127-vw5zasag8z 7

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system
  • submitted
    27-11-2023 17:21

General

  • Target

    74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe

  • Size

    2.0MB

  • MD5

    2f05a56a349dce85119e7fda9e8047ac

  • SHA1

    2f5afa9af299cba599c57fd99319268db803b31b

  • SHA256

    74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994

  • SHA512

    fe85ed5b4702c60770dca17790e826a64cbb028fd0ee6d325cac90e3040efe9700eb7db0d11c71f7dfab20d283acb036e6c8cb3de61ca7e583c28026acf08d0b

  • SSDEEP

    49152:13NvRA0BjE8tCpIQontgzhDeGN8HHA7twVJ6M7Qzio1/Hzwo7L:13Q0BnkpiCzhjNaHA7M7Qz/bh7L

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
    "C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /release
        3⤵
        • Gathers network information
        PID:2392
    • C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
      "C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2936
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_AHLBRYJO.zip');"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:528
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_AHLBRYJO.zip');"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:804
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1332
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1648
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:268
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2872
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2812
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2848
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1592
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1272
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:284
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1364
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1148
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1996
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1872
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1600
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1408
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2140
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2148
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2064
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1076
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2296
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2264
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1936
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:556
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2004
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1960
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2220
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1860
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1828
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /renew
        3⤵
        • Gathers network information
        PID:2924
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:644
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:1768
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:1464
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:1428
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:844
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:1580
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:588
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:596
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:940

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IS2BN16O\ResultCMD[1].htm

    Filesize

    2B

    MD5

    81051bcc2cf1bedf378224b0a93e2877

    SHA1

    ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    SHA256

    7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    SHA512

    1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SUYBBARZ\Heartbeat[1].htm

                                                                                                                                        Filesize

                                                                                                                                        13B

                                                                                                                                        MD5

                                                                                                                                        d6dc9501f65262c5398d9ed188bf351a

                                                                                                                                        SHA1

                                                                                                                                        4f6160ece6b535f3d1d33f0ef419ef4655bd52bb

                                                                                                                                        SHA256

                                                                                                                                        087bbf59d9f176de93872e0a8ff0892d2b1135f2f7ff3f8323fc2c66eb0eed37

                                                                                                                                        SHA512

                                                                                                                                        7ce9cfe9599299a7e49832b282616c9a80eb2bde4e0e27d1d78fe68edc77a24c3fc6b94cbd7837bea2ed0eb0ef8b242d950c599cc81b4eb3638531faa40a1f3b

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe

                                                                                                                                        Filesize

                                                                                                                                        1.7MB

                                                                                                                                        MD5

                                                                                                                                        7b1c3df953e3da8ce48bbb7ca94213c8

                                                                                                                                        SHA1

                                                                                                                                        6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15

                                                                                                                                        SHA256

                                                                                                                                        28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382

                                                                                                                                        SHA512

                                                                                                                                        f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2

                                                                                                                                      • \Users\Admin\AppData\Local\Temp\626127266661616166161.exe

                                                                                                                                        Filesize

                                                                                                                                        1.7MB

                                                                                                                                        MD5

                                                                                                                                        7b1c3df953e3da8ce48bbb7ca94213c8

                                                                                                                                        SHA1

                                                                                                                                        6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15

                                                                                                                                        SHA256

                                                                                                                                        28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382

                                                                                                                                        SHA512

                                                                                                                                        f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2
