Resubmissions

20-03-2024 16:08

240320-tla6hadc8t 10

27-11-2023 17:21

231127-vw5zasag8z 7

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
  • submitted
    27-11-2023 17:21

General

  • Target

    74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe

  • Size

    2.0MB

  • MD5

    2f05a56a349dce85119e7fda9e8047ac

  • SHA1

    2f5afa9af299cba599c57fd99319268db803b31b

  • SHA256

    74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994

  • SHA512

    fe85ed5b4702c60770dca17790e826a64cbb028fd0ee6d325cac90e3040efe9700eb7db0d11c71f7dfab20d283acb036e6c8cb3de61ca7e583c28026acf08d0b

  • SSDEEP

    49152:13NvRA0BjE8tCpIQontgzhDeGN8HHA7twVJ6M7Qzio1/Hzwo7L:13Q0BnkpiCzhjNaHA7M7Qz/bh7L

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
    "C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4388
    • C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
      "C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1128
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:928
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4456
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_RPOQIDAP.zip');"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_RPOQIDAP.zip');"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3208
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:5108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4896
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3576
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1872
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4840
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3572
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3892
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2204
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2840
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4872
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3036
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:376
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3084
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4432
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3940
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3352
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4036
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4080
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1816
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3436
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4692
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1368
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:676
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4288
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:3040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2004
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2768
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4612
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:5036
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2140
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2284
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:4212
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:5092
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c
        3⤵
        PID:2752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /renew
        3⤵
        • Gathers network information
        PID:3292
    • C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
      2⤵
      PID:5040
  • C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    1⤵
    • Gathers network information
    PID:1844

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\BunnyLogs\Information.txt

    Filesize

    356B

  • C:\Users\Admin\AppData\Local\BunnyLogs\No RDP Login detected

    Filesize

    3B

  • C:\Users\Admin\AppData\Local\BunnyLogs\No keystrokes found

    Filesize

    3B

  • C:\Users\Admin\AppData\Local\BunnyLogs\ngrok not found

    Filesize

    19B

  • C:\Users\Admin\AppData\Local\BunnyLogs_RPOQIDAP.zip

    Filesize

    1KB

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FNC8FKXQ\Heartbeat[1].htm

                                                                                                                Filesize

                                                                                                                13B

                                                                                                                MD5

                                                                                                                d6dc9501f65262c5398d9ed188bf351a

                                                                                                                SHA1

                                                                                                                4f6160ece6b535f3d1d33f0ef419ef4655bd52bb

                                                                                                                SHA256

                                                                                                                087bbf59d9f176de93872e0a8ff0892d2b1135f2f7ff3f8323fc2c66eb0eed37

                                                                                                                SHA512

                                                                                                                7ce9cfe9599299a7e49832b282616c9a80eb2bde4e0e27d1d78fe68edc77a24c3fc6b94cbd7837bea2ed0eb0ef8b242d950c599cc81b4eb3638531faa40a1f3b

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\ResultCMD[1].htm

                                                                                                                Filesize

                                                                                                                2B

                                                                                                                MD5

                                                                                                                81051bcc2cf1bedf378224b0a93e2877

                                                                                                                SHA1

                                                                                                                ba8ab5a0280b953aa97435ff8946cbcbb2755a27

                                                                                                                SHA256

                                                                                                                7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

                                                                                                                SHA512

                                                                                                                1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe

                                                                                                                Filesize

                                                                                                                1.7MB

                                                                                                                MD5

                                                                                                                7b1c3df953e3da8ce48bbb7ca94213c8

                                                                                                                SHA1

                                                                                                                6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15

                                                                                                                SHA256

                                                                                                                28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382

                                                                                                                SHA512

                                                                                                                f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5pegd30.im0.ps1

                                                                                                                Filesize

                                                                                                                60B

                                                                                                                MD5

                                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                SHA1

                                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                SHA256

                                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                SHA512

                                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                              • memory/1636-70-0x0000000005C40000-0x0000000005CA6000-memory.dmp

                                                                                                                Filesize

                                                                                                                408KB

                                                                                                              • memory/1636-86-0x0000000007990000-0x000000000800A000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.5MB

                                                                                                              • memory/1636-105-0x0000000074FC0000-0x0000000075770000-memory.dmp

                                                                                                                Filesize

                                                                                                                7.7MB

                                                                                                              • memory/1636-96-0x0000000007650000-0x0000000007662000-memory.dmp

                                                                                                                Filesize

                                                                                                                72KB

                                                                                                              • memory/1636-64-0x0000000001240000-0x0000000001276000-memory.dmp

                                                                                                                Filesize

                                                                                                                216KB

                                                                                                              • memory/1636-65-0x0000000074FC0000-0x0000000075770000-memory.dmp

                                                                                                                Filesize

                                                                                                                7.7MB

                                                                                                              • memory/1636-66-0x0000000001290000-0x00000000012A0000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                              • memory/1636-67-0x0000000001290000-0x00000000012A0000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                              • memory/1636-68-0x0000000005550000-0x0000000005B78000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.2MB

                                                                                                              • memory/1636-69-0x0000000005470000-0x0000000005492000-memory.dmp

                                                                                                                Filesize

                                                                                                                136KB

                                                                                                              • memory/1636-71-0x0000000005CB0000-0x0000000005D16000-memory.dmp

                                                                                                                Filesize

                                                                                                                408KB

                                                                                                              • memory/1636-94-0x0000000006920000-0x000000000692A000-memory.dmp

                                                                                                                Filesize

                                                                                                                40KB

                                                                                                              • memory/1636-87-0x0000000006860000-0x000000000687A000-memory.dmp

                                                                                                                Filesize

                                                                                                                104KB

                                                                                                              • memory/1636-81-0x0000000005E20000-0x0000000006174000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.3MB

                                                                                                              • memory/1636-82-0x0000000006340000-0x000000000635E000-memory.dmp

                                                                                                                Filesize

                                                                                                                120KB

                                                                                                              • memory/1636-83-0x0000000006380000-0x00000000063CC000-memory.dmp

                                                                                                                Filesize

                                                                                                                304KB

                                                                                                              • memory/1636-85-0x0000000001290000-0x00000000012A0000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                              • memory/4616-3-0x0000000005730000-0x0000000005912000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.9MB

                                                                                                              • memory/4616-0-0x0000000000A00000-0x0000000000C0C000-memory.dmp

                                                                                                                Filesize

                                                                                                                2.0MB

                                                                                                              • memory/4616-8-0x00000000056C0000-0x000000000570C000-memory.dmp

                                                                                                                Filesize

                                                                                                                304KB

                                                                                                              • memory/4616-2-0x0000000005720000-0x0000000005730000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                              • memory/4616-10-0x0000000005720000-0x0000000005730000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                              • memory/4616-1-0x0000000074FC0000-0x0000000075770000-memory.dmp

                                                                                                                Filesize

                                                                                                                7.7MB

                                                                                                              • memory/4616-4-0x0000000005910000-0x0000000005AF0000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.9MB

                                                                                                              • memory/4616-9-0x0000000074FC0000-0x0000000075770000-memory.dmp

                                                                                                                Filesize

                                                                                                                7.7MB

                                                                                                              • memory/4616-18-0x0000000008360000-0x0000000008904000-memory.dmp

                                                                                                                Filesize

                                                                                                                5.6MB

                                                                                                              • memory/4616-92-0x0000000074FC0000-0x0000000075770000-memory.dmp

                                                                                                                Filesize

                                                                                                                7.7MB

                                                                                                              • memory/4616-7-0x0000000006FA0000-0x0000000007168000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.8MB

                                                                                                              • memory/4616-6-0x0000000006DD0000-0x0000000006F9A000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.8MB

                                                                                                              • memory/4616-5-0x0000000006BF0000-0x0000000006DD2000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.9MB

                                                                                                              • memory/5040-90-0x0000000000400000-0x00000000005AC000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.7MB

                                                                                                              • memory/5040-93-0x0000000000400000-0x00000000005AC000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.7MB

                                                                                                              • memory/5040-95-0x0000000000400000-0x00000000005AC000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.7MB

                                                                                                              • memory/5040-91-0x0000000000400000-0x00000000005AC000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.7MB

                                                                                                              • memory/5040-88-0x0000000000400000-0x00000000005AC000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.7MB