Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-12-2023 05:58

General

  • Target

    2aedfa0dfb06ef02b268ec62486e6f80.exe

  • Size

    4.0MB

  • MD5

    2aedfa0dfb06ef02b268ec62486e6f80

  • SHA1

    0e998e4a93dd1fd666aece318b77d9f1756d9c17

  • SHA256

    bd175fda8c98a44237f8da7e02e48f6aaf00365bec2e7e38b7b42414bd888d95

  • SHA512

    f5db800199bed799c593b779909364727824ed22076939e10fba0bd83b8dbecf772de34e9d7c9a083cbf734a52a8056b2c38817e52890bfae2f9a5e8dff1979f

  • SSDEEP

    98304:y8DDoeOv58eCbmQKYSA/tEcDtXH0QdCbu1Vq7qd9tknkPzg:y8Poe6G0YSAzJBdCbCVqGntknE8

Malware Config

Extracted

Family

nullmixer

C2

http://watira.xyz/

Extracted

Family

redline

Botnet

pab3

C2

185.215.113.15:61506

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

40

Botnet

706

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32
rc4.i32

Extracted

Family

cryptbot

C2

knurxh28.top

moraku02.top

Attributes
  • payload_url

    http://sargym03.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer widely distributed in bundles with other software.

  • CryptBot payload 6 IoCs
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer 3 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 56 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 11 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe
    "C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue166801dd1c.exe
          4⤵
          • Loads dropped DLL
          PID:2624
          • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue166801dd1c.exe
            Tue166801dd1c.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2460
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 948
              6⤵
              • Loads dropped DLL
              • Program crash
              PID:2372
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue165b45f01bf.exe
          4⤵
          • Loads dropped DLL
          PID:2164
          • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe
            Tue165b45f01bf.exe
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:1232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue16b2aff6f6632f.exe
          4⤵
          • Loads dropped DLL
          PID:2152
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue16c3a7ed6a67.exe
          4⤵
          • Loads dropped DLL
          PID:2136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue1619562504c6402.exe
          4⤵
          • Loads dropped DLL
          PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue16dbd9f0964.exe
          4⤵
          • Loads dropped DLL
          PID:2828
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue168468791c.exe
          4⤵
          • Loads dropped DLL
          PID:1940
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 432
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue1643024cec44eb6.exe
          4⤵
          • Loads dropped DLL
          PID:1560
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue16fdfa6cf2ae0.exe
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
            PID:2128
    • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe
      Tue16c3a7ed6a67.exe
      1⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID:1156
    • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16b2aff6f6632f.exe
      Tue16b2aff6f6632f.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      PID:2408
      • C:\Windows\SysWOW64\dllhost.exe
        dllhost.exe
        2⤵
          PID:1324
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c cmd < Vai.pdf
          2⤵
            PID:1424
            • C:\Windows\SysWOW64\cmd.exe
              cmd
              3⤵
              • Loads dropped DLL
              PID:1768
        • C:\Windows\SysWOW64\PING.EXE
          ping SFVRQGEO -n 30
          1⤵
          • Runs ping.exe
          PID:1344
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
          Volevo.exe.com H
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:964
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com H
            2⤵
            • Executes dropped EXE
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:452
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^mtHoKMPFYDHibgXoaLvAaWsXCpDWIDAtGvzDsjSTgLhRLduwJPppYNJDMJFBoSWxeCBqVxQuTCkHIAkke$" Dal.pdf
          1⤵
            PID:1068
          • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1619562504c6402.exe
            Tue1619562504c6402.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:472
          • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe" -a
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1052
          • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe
            Tue1643024cec44eb6.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1912
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16dbd9f0964.exe
            Tue16dbd9f0964.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue168468791c.exe
            Tue168468791c.exe
            1⤵
            • Executes dropped EXE
            PID:2664
          • C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
            Tue16fdfa6cf2ae0.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2788

          Downloads
