Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10/07/2024, 13:06

General

  • Target

    35DE7C29B04A8DDF9846DC4E72EADFA8.exe

  • Size

    4.1MB

  • MD5

    35de7c29b04a8ddf9846dc4e72eadfa8

  • SHA1

    6809d9310993ae69cb0830666090f29f3147dde7

  • SHA256

    b7c1f1f97c8a58f45f777ea7651b7cc691878a770fe36edc2e37fc3f02595ded

  • SHA512

    f825fe5d157e2a09f12d924b2ce261ca65e707fd1f73bfb7412de8a440b4b8dd386ebcf2fbe6143dcfbed424edacd1a4e4284786941002b0a8a8a547f33b9c97

  • SSDEEP

    98304:wzpg8gUmhLVYgQjxvDS875vO5504aswc22JXm/o/189MsuhebehGOG:lBUmVf+xDvOM4at2JBaiRgbGG

Malware Config

Signatures

  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\35DE7C29B04A8DDF9846DC4E72EADFA8.exe
    "C:\Users\Admin\AppData\Local\Temp\35DE7C29B04A8DDF9846DC4E72EADFA8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\Win 10 Tweaker.exe
      "C:\Users\Admin\AppData\Local\Temp\Win 10 Tweaker.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HyperChainfontsavesmonitor\VPTeWp0smbQ3qHZZcYkR4mgdSacpq1BQvDCAsQjp2MnhMD2wVcQQLBRVQ.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\HyperChainfontsavesmonitor\ye0QVtfzdmAHBoO0xyfpKNTjr1iJYvGquri2e5NU7SmBq2hfP7YACWvOyXf.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\HyperChainfontsavesmonitor\AgentWeb.exe
            "C:\HyperChainfontsavesmonitor/AgentWeb.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1048
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2124
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3068
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2380
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/HyperChainfontsavesmonitor/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2984
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:556
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2100
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:304
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2200
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:656
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3000
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3012
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\Idle.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:884
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:876
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\Ole DB\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2532
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\sppsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HyperChainfontsavesmonitor\WmiPrvSE.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2168
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HyperChainfontsavesmonitor\AgentWeb.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2992
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B5PzsbuUqI.bat"
              6⤵
                PID:2612
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  7⤵
                    PID:1476
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    7⤵
                    • Runs ping.exe
                    PID:664
                  • C:\HyperChainfontsavesmonitor\AgentWeb.exe
                    "C:\HyperChainfontsavesmonitor\AgentWeb.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Reports\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Reports\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2208
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1484
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1244
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2204
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\HyperChainfontsavesmonitor\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\HyperChainfontsavesmonitor\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2220
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\HyperChainfontsavesmonitor\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "AgentWebA" /sc MINUTE /mo 11 /tr "'C:\HyperChainfontsavesmonitor\AgentWeb.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "AgentWeb" /sc ONLOGON /tr "'C:\HyperChainfontsavesmonitor\AgentWeb.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "AgentWebA" /sc MINUTE /mo 14 /tr "'C:\HyperChainfontsavesmonitor\AgentWeb.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2400

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\HyperChainfontsavesmonitor\AgentWeb.exe

        Filesize

        2.5MB

        MD5

        4b20a0a921bf2778c6d643f3afdb8419

        SHA1

        195f17c986b1942e62c2269d1d0b2a63e18d110d

        SHA256

        e7b025bc1f1fc181c8de6fc035d28ddf3acbbb394cbc29f46dc4b39f96718442

        SHA512

        f651a219ca65038ae6b9d3580ea23bc1e9411e7dea46c1f07afdfa12306803ce52e6477de5cefb3aa937785d08a71aaf7ad2b3e5c22eef3df469c8be4e82e372

      • C:\HyperChainfontsavesmonitor\VPTeWp0smbQ3qHZZcYkR4mgdSacpq1BQvDCAsQjp2MnhMD2wVcQQLBRVQ.vbe

        Filesize

        263B

        MD5

        08171dc11a58c300408352870959ce45

        SHA1

        5d61e429f578cea630ea54cc4a27239a00e3ae08

        SHA256

        5f140165d4ec9dfd66792e9cfb710b0ee1f65f2b9ec276746f1a93037c963e47

        SHA512

        7d99d4fa9840fb80bcd87a86353464408f1a0a68a4ff428d4a0d28af085fcbd1901c62c560c9c24896bd84237b641c84afea9319ee5ed9fc892c060132c8c1fb

      • C:\HyperChainfontsavesmonitor\ye0QVtfzdmAHBoO0xyfpKNTjr1iJYvGquri2e5NU7SmBq2hfP7YACWvOyXf.bat

        Filesize

        90B

        MD5

        880fd79f115c3b7f289427dfc8c4950c

        SHA1

        87ee49153a0cd7d585b9f181b556189254c2117d

        SHA256

        c95faa1c733a2f18bd665a7a9c8a82d256edfd066c1ddaff7d54841e45cba6d0

        SHA512

        17febaa1fda2027885a554ad43d3e060454b3bb93d88ef82bc9c89dcbe574c8316ba665c3bcfa4b9d9df45014820acbb55081b15dc31c60774a3d5a9221cbeea

      • C:\Users\Admin\AppData\Local\Temp\B5PzsbuUqI.bat

        Filesize

        170B

        MD5

        e9f06ad17087f5617a852dde21118d79

        SHA1

        2c0b2b7ec7287fa8f19260b8c04c97b20d032f67

        SHA256

        bee64a1fa71d0a7415327164ff0fd20a6045edd1221f19a78517825d3aa4cd37

        SHA512

        4f9935c887ab85f480582584b23b2714587924981503b0c3c60ac19c914f4b6b0a94dbecef8ecd66ef321da16b79ad79d1252af1043323e5f72931e669b20858

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        c3f74051d170260f16e65566c26f3766

        SHA1

        2d6a08e48cbffdadaa2276971724dd6a26154f98

        SHA256

        8a162ab5c2b6852b0939fd5c46a6a9a77438729fd463f653b5d0e68f8ff2a497

        SHA512

        6c1bceda27764eba838f10d476b315ee4c88460c0cc89a8a886a037ca1c4220db01c0516cc717065cd2f7c4f542add07d842f412239e286c782bb88317ce886e

      • \Users\Admin\AppData\Local\Temp\DCRatBuild.exe

        Filesize

        2.8MB

        MD5

        dab4e930c87d238e4cdb33e0e64c3b28

        SHA1

        aaed628d72ad1c16aeb8957ce606783352d5fb1f

        SHA256

        8577d3ed5cf75eea951fbadd42d61eda1b23e0353e7f39db3b2d67085759ef9e

        SHA512

        dd02f7b2609032437714af6ae3e385268f68817c20adcef8b038f536466f1a31bf838a0bd3ec942b2a2d47ba0da13fa642573edd4864c0bbe498e5493bf80f09

      • \Users\Admin\AppData\Local\Temp\Win 10 Tweaker.exe

        Filesize

        1.7MB

        MD5

        284adb37469a257c1c38771f779fe221

        SHA1

        e9472ae1b52020ddcbe786672ac10cca78acdef8

        SHA256

        6eef0272844e65f51d32eec425fb5e2eb2490ddef9ab14b7f1af569d154940a8

        SHA512

        3be96daa1a098b8739a6558acff5486a728ecad8a31ea29927f88d64d4071bd1c54311205a3c8bbb301e129c607b5fa8e75dfb88ca12d9ff333354f4b6c9995b

      • memory/876-79-0x000000001B780000-0x000000001BA62000-memory.dmp

        Filesize

        2.9MB

      • memory/876-81-0x0000000001D80000-0x0000000001D88000-memory.dmp

        Filesize

        32KB

      • memory/1048-53-0x0000000002270000-0x00000000022CA000-memory.dmp

        Filesize

        360KB

      • memory/1048-51-0x0000000000510000-0x0000000000520000-memory.dmp

        Filesize

        64KB

      • memory/1048-59-0x0000000000560000-0x000000000056C000-memory.dmp

        Filesize

        48KB

      • memory/1048-35-0x00000000009E0000-0x0000000000C60000-memory.dmp

        Filesize

        2.5MB

      • memory/1048-37-0x0000000000480000-0x000000000048E000-memory.dmp

        Filesize

        56KB

      • memory/1048-39-0x00000000004B0000-0x00000000004CC000-memory.dmp

        Filesize

        112KB

      • memory/1048-41-0x00000000004F0000-0x0000000000508000-memory.dmp

        Filesize

        96KB

      • memory/1048-43-0x0000000000490000-0x000000000049E000-memory.dmp

        Filesize

        56KB

      • memory/1048-45-0x0000000000530000-0x0000000000542000-memory.dmp

        Filesize

        72KB

      • memory/1048-47-0x00000000004A0000-0x00000000004AC000-memory.dmp

        Filesize

        48KB

      • memory/1048-49-0x00000000004D0000-0x00000000004DC000-memory.dmp

        Filesize

        48KB

      • memory/1048-57-0x0000000000550000-0x0000000000558000-memory.dmp

        Filesize

        32KB

      • memory/1048-55-0x0000000000520000-0x000000000052E000-memory.dmp

        Filesize

        56KB

      • memory/2812-27-0x0000000000350000-0x0000000000356000-memory.dmp

        Filesize

        24KB

      • memory/2812-28-0x000000001B930000-0x000000001B952000-memory.dmp

        Filesize

        136KB

      • memory/2812-34-0x0000000002460000-0x0000000002466000-memory.dmp

        Filesize

        24KB

      • memory/2812-26-0x000000001B360000-0x000000001B5D8000-memory.dmp

        Filesize

        2.5MB

      • memory/2812-25-0x0000000000370000-0x000000000038E000-memory.dmp

        Filesize

        120KB

      • memory/2812-23-0x00000000003C0000-0x0000000000586000-memory.dmp

        Filesize

        1.8MB

      • memory/2812-14-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

        Filesize

        4KB

      • memory/2812-186-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

        Filesize

        4KB

      • memory/2920-173-0x0000000000B90000-0x0000000000E10000-memory.dmp

        Filesize

        2.5MB