Analysis

  • max time kernel
    44s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    23/11/2021, 16:32

General

  • Target

    77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe

  • Size

    6.2MB

  • MD5

    f4405d3dd08690d4ce4e9a02d4c641df

  • SHA1

    26975067cc24f634f6c64a79b98f356fb639d77e

  • SHA256

    77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59

  • SHA512

    992bd478eaa78efa74a16dc2338b0f9dccf6b91644b35631673aa038e174b6463b6845bbac80fbb14d27fdef8952331c3ce3ae92e14d46ce8cf9290939b3517f

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

http://www.ecgbg.com/

Extracted

Family

redline

Botnet

janera

C2

65.108.20.195:6774

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

Extracted

Family

redline

Botnet

matthew2009

C2

213.166.69.181:64650

Extracted

Family

vidar

Version

41

Botnet

706

C2

https://mas.to/@killern0

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Version

2020

C2

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32
rc4.i32

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 7 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 4 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 20 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 11 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe
    "C:\Users\Admin\AppData\Local\Temp\77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS49E14995\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
            PID:3312
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2740
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Thu0024eb0c01ddf62.exe /mixone
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3016
            • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu0024eb0c01ddf62.exe
              Thu0024eb0c01ddf62.exe /mixone
              5⤵
              • Executes dropped EXE
              PID:3972
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 660
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2712
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 672
                6⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3236
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 776
                6⤵
                • Program crash
                PID:904
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 812
                6⤵
                • Program crash
                • Suspicious use of AdjustPrivilegeToken
                PID:904
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 836
                6⤵
                • Program crash
                • Suspicious use of AdjustPrivilegeToken
                PID:4156
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 924
                6⤵
                • Program crash
                • Suspicious use of AdjustPrivilegeToken
                PID:4852
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1180
                6⤵
                • Program crash
                • Suspicious use of AdjustPrivilegeToken
                PID:4880
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1152
                6⤵
                • Program crash
                • Suspicious use of AdjustPrivilegeToken
                PID:4912
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1352
                6⤵
                • Program crash
                • Suspicious use of AdjustPrivilegeToken
                PID:4936
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Thu00e6dc783f.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3288
            • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00e6dc783f.exe
              Thu00e6dc783f.exe
              5⤵
              • Executes dropped EXE
              PID:776
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Thu00b87bb8a6c15.exe
            4⤵
              PID:2788
              • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00b87bb8a6c15.exe
                Thu00b87bb8a6c15.exe
                5⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1152
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c taskkill /f /im chrome.exe
                  6⤵
                    PID:2644
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /f /im chrome.exe
                      7⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3800
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu00308459d5d1.exe
                4⤵
                  PID:2584
                  • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00308459d5d1.exe
                    Thu00308459d5d1.exe
                    5⤵
                    • Executes dropped EXE
                    PID:588
                    • C:\Users\Admin\AppData\Local\Temp\is-MJK9L.tmp\Thu00308459d5d1.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-MJK9L.tmp\Thu00308459d5d1.tmp" /SL5="$20114,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00308459d5d1.exe"
                      6⤵
                        PID:2712
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu00baff0b12d.exe
                    4⤵
                      PID:1476
                      • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00baff0b12d.exe
                        Thu00baff0b12d.exe
                        5⤵
                        • Executes dropped EXE
                        • Checks BIOS information in registry
                        • Checks whether UAC is enabled
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1360
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Thu00c42c363480.exe
                      4⤵
                        PID:1428
                        • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00c42c363480.exe
                          Thu00c42c363480.exe
                          5⤵
                          • Executes dropped EXE
                          PID:3328
                          • C:\Users\Admin\Pictures\Adobe Films\7fKV6GhopFBuJFoJqwCxLA4w.exe
                            "C:\Users\Admin\Pictures\Adobe Films\7fKV6GhopFBuJFoJqwCxLA4w.exe"
                            6⤵
                              PID:5060
                            • C:\Users\Admin\Pictures\Adobe Films\STM1hAMcxfsF3LyUNiT_KmR7.exe
                              "C:\Users\Admin\Pictures\Adobe Films\STM1hAMcxfsF3LyUNiT_KmR7.exe"
                              6⤵
                                PID:4228
                              • C:\Users\Admin\Pictures\Adobe Films\l1gydy3gVmcG8t1NS2opGHbH.exe
                                "C:\Users\Admin\Pictures\Adobe Films\l1gydy3gVmcG8t1NS2opGHbH.exe"
                                6⤵
                                  PID:4212
                                • C:\Users\Admin\Pictures\Adobe Films\OqI_gmaEMYatwEIvwmw56gCI.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\OqI_gmaEMYatwEIvwmw56gCI.exe"
                                  6⤵
                                    PID:4256
                                  • C:\Users\Admin\Pictures\Adobe Films\1z03anLryLE3Sqr0KYfnhFmh.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\1z03anLryLE3Sqr0KYfnhFmh.exe"
                                    6⤵
                                      PID:4340
                                    • C:\Users\Admin\Pictures\Adobe Films\dZG07bxHRP1maBQzsLI7Kqkq.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\dZG07bxHRP1maBQzsLI7Kqkq.exe"
                                      6⤵
                                        PID:4324
                                      • C:\Users\Admin\Pictures\Adobe Films\ri4rx7QwKuVQuKDHKUSv39kH.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\ri4rx7QwKuVQuKDHKUSv39kH.exe"
                                        6⤵
                                          PID:4312
                                        • C:\Users\Admin\Pictures\Adobe Films\o0dzUQHqO3XjnCDNqXd3cAO2.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\o0dzUQHqO3XjnCDNqXd3cAO2.exe"
                                          6⤵
                                            PID:4356
                                          • C:\Users\Admin\Pictures\Adobe Films\ScSE_Vsuz2HcnNv5VJOZO42_.exe
                                            "C:\Users\Admin\Pictures\Adobe Films\ScSE_Vsuz2HcnNv5VJOZO42_.exe"
                                            6⤵
                                              PID:4432
                                            • C:\Users\Admin\Pictures\Adobe Films\9S9vt25VG11cwf7Wp7G9x1Z6.exe
                                              "C:\Users\Admin\Pictures\Adobe Films\9S9vt25VG11cwf7Wp7G9x1Z6.exe"
                                              6⤵
                                                PID:4392
                                              • C:\Users\Admin\Pictures\Adobe Films\QgnQVrXGVjLTZsrRq9a0iOeT.exe
                                                "C:\Users\Admin\Pictures\Adobe Films\QgnQVrXGVjLTZsrRq9a0iOeT.exe"
                                                6⤵
                                                  PID:4456
                                                • C:\Users\Admin\Pictures\Adobe Films\kCggRAxeXVeWHBbeOQ6hfREu.exe
                                                  "C:\Users\Admin\Pictures\Adobe Films\kCggRAxeXVeWHBbeOQ6hfREu.exe"
                                                  6⤵
                                                    PID:4608
                                                  • C:\Users\Admin\Pictures\Adobe Films\6oEQiVzZamskIs4pDxs1DCzk.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\6oEQiVzZamskIs4pDxs1DCzk.exe"
                                                    6⤵
                                                      PID:4600
                                                    • C:\Users\Admin\Pictures\Adobe Films\HgxySBynqYi3rSVZEpgzFD1q.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\HgxySBynqYi3rSVZEpgzFD1q.exe"
                                                      6⤵
                                                        PID:4576
                                                      • C:\Users\Admin\Pictures\Adobe Films\_tTwEMvOyRwexrp4NN1H0aFl.exe
                                                        "C:\Users\Admin\Pictures\Adobe Films\_tTwEMvOyRwexrp4NN1H0aFl.exe"
                                                        6⤵
                                                          PID:4584
                                                        • C:\Users\Admin\Pictures\Adobe Films\Xyfk7MbNSN3NcTMW4m08d76Z.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\Xyfk7MbNSN3NcTMW4m08d76Z.exe"
                                                          6⤵
                                                            PID:4552
                                                          • C:\Users\Admin\Pictures\Adobe Films\w1Umc4kV2ArNatN9A7wQROMP.exe
                                                            "C:\Users\Admin\Pictures\Adobe Films\w1Umc4kV2ArNatN9A7wQROMP.exe"
                                                            6⤵
                                                              PID:4512
                                                            • C:\Users\Admin\Pictures\Adobe Films\pRbZoyglPhZlhMbKo7cnI0Mt.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\pRbZoyglPhZlhMbKo7cnI0Mt.exe"
                                                              6⤵
                                                                PID:4500
                                                              • C:\Users\Admin\Pictures\Adobe Films\y4bmXZFqNcGJxHg20HyUxBGj.exe
                                                                "C:\Users\Admin\Pictures\Adobe Films\y4bmXZFqNcGJxHg20HyUxBGj.exe"
                                                                6⤵
                                                                  PID:4492
                                                                • C:\Users\Admin\Pictures\Adobe Films\g0boIGBQYYf9j13ikafC45TP.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\g0boIGBQYYf9j13ikafC45TP.exe"
                                                                  6⤵
                                                                    PID:4484
                                                                  • C:\Users\Admin\Pictures\Adobe Films\ZT_95tBiy6eMkYqM26w0GQ_b.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\ZT_95tBiy6eMkYqM26w0GQ_b.exe"
                                                                    6⤵
                                                                      PID:4468
                                                                    • C:\Users\Admin\Pictures\Adobe Films\ednI6tftcxCvQdn4dGRILTtx.exe
                                                                      "C:\Users\Admin\Pictures\Adobe Films\ednI6tftcxCvQdn4dGRILTtx.exe"
                                                                      6⤵
                                                                        PID:4472
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c Thu00381dcd157d70.exe
                                                                    4⤵
                                                                      PID:1380
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00381dcd157d70.exe
                                                                        Thu00381dcd157d70.exe
                                                                        5⤵
                                                                        • Executes dropped EXE
                                                                        PID:1260
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1476
                                                                          6⤵
                                                                          • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                          • Program crash
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:688
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c Thu009182426214b9c.exe
                                                                      4⤵
                                                                        PID:696
                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
                                                                          Thu009182426214b9c.exe
                                                                          5⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:2164
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            PID:684
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            PID:2540
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c Thu0033b1bf632d.exe
                                                                        4⤵
                                                                          PID:372
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu0033b1bf632d.exe
                                                                            Thu0033b1bf632d.exe
                                                                            5⤵
                                                                            • Executes dropped EXE
                                                                            • Checks SCSI registry key(s)
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious behavior: MapViewOfSection
                                                                            PID:3256
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c Thu0046fa0086fb73b2f.exe
                                                                          4⤵
                                                                            PID:1264
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu0046fa0086fb73b2f.exe
                                                                              Thu0046fa0086fb73b2f.exe
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2296
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 592
                                                                            4⤵
                                                                            • Program crash
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3816
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c Thu000ee9073d9260.exe
                                                                            4⤵
                                                                              PID:3624
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c Thu008c1e505ef28ce.exe
                                                                              4⤵
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:1140
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c Thu00e1362251a3.exe
                                                                              4⤵
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:3668
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c Thu006994f743f.exe
                                                                              4⤵
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:3724
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00e1362251a3.exe
                                                                        Thu00e1362251a3.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        PID:2972
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu008c1e505ef28ce.exe
                                                                        Thu008c1e505ef28ce.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        PID:1184
                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu008c1e505ef28ce.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu008c1e505ef28ce.exe
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          PID:3376
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu000ee9073d9260.exe
                                                                        Thu000ee9073d9260.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2376
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu006994f743f.exe
                                                                        Thu006994f743f.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        PID:3168

Network

MITRE ATT&CK Enterprise v6


Downloads


                                                                            • memory/1184-218-0x0000000000620000-0x0000000000621000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/1184-231-0x0000000004E40000-0x0000000004E41000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/1260-304-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                              Filesize

                                                                              1.1MB

                                                                            • memory/1260-303-0x00000000021D0000-0x00000000022A4000-memory.dmp

                                                                              Filesize

                                                                              848KB

                                                                            • memory/1360-229-0x0000000077610000-0x000000007779E000-memory.dmp

                                                                              Filesize

                                                                              1.6MB

                                                                            • memory/1360-243-0x0000000005940000-0x0000000005941000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/1360-263-0x00000000054C0000-0x00000000054C1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/1360-246-0x00000000053E0000-0x00000000053E1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/1360-265-0x0000000005330000-0x0000000005936000-memory.dmp

                                                                              Filesize

                                                                              6.0MB

                                                                            • memory/1360-249-0x0000000005510000-0x0000000005511000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/1360-258-0x0000000005480000-0x0000000005481000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/1360-233-0x0000000000160000-0x0000000000161000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/1840-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                              Filesize

                                                                              572KB

                                                                            • memory/1840-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                              Filesize

                                                                              572KB

                                                                            • memory/1840-145-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                              Filesize

                                                                              100KB

                                                                            • memory/1840-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                              Filesize

                                                                              1.5MB

                                                                            • memory/1840-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                              Filesize

                                                                              572KB

                                                                            • memory/1840-144-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                              Filesize

                                                                              100KB

                                                                            • memory/1840-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                              Filesize

                                                                              1.5MB

                                                                            • memory/1840-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                              Filesize

                                                                              1.5MB

                                                                            • memory/1840-142-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                              Filesize

                                                                              152KB

                                                                            • memory/1840-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                              Filesize

                                                                              1.5MB

                                                                            • memory/1840-146-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                              Filesize

                                                                              100KB

                                                                            • memory/1840-143-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                              Filesize

                                                                              100KB

                                                                            • memory/2156-452-0x0000000001290000-0x00000000012A5000-memory.dmp

                                                                              Filesize

                                                                              84KB

                                                                            • memory/2164-220-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2164-239-0x0000000005A20000-0x0000000005A21000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2296-228-0x0000000001060000-0x0000000001062000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                            • memory/2296-216-0x0000000000F80000-0x0000000000F81000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2296-210-0x0000000000860000-0x0000000000861000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2376-201-0x00000000004D0000-0x00000000004D1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2376-214-0x000000001B190000-0x000000001B192000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                            • memory/2540-285-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                              Filesize

                                                                              136KB

                                                                            • memory/2540-301-0x0000000005180000-0x0000000005786000-memory.dmp

                                                                              Filesize

                                                                              6.0MB

                                                                            • memory/2712-252-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-219-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-222-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-275-0x0000000007370000-0x0000000007371000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-256-0x0000000007260000-0x0000000007261000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-255-0x0000000006F70000-0x0000000006F71000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-327-0x0000000006DE3000-0x0000000006DE4000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-248-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-232-0x0000000007420000-0x0000000007421000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-326-0x000000007F490000-0x000000007F491000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-259-0x0000000007A50000-0x0000000007A51000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-236-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-230-0x0000000002F30000-0x0000000002F31000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/2740-237-0x0000000006DE2000-0x0000000006DE3000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                            • memory/3256-305-0x00000000004B0000-0x00000000005FA000-memory.dmp

                                                                              Filesize

                                                                              1.3MB

                                                                            • memory/3256-211-0x0000000000826000-0x000000000082F000-memory.dmp

                                                                              Filesize

                                                                              36KB

                                                                            • memory/3256-306-0x0000000000400000-0x00000000004AB000-memory.dmp

                                                                              Filesize

                                                                              684KB

                                                                            • memory/3328-556-0x0000000006160000-0x00000000062AC000-memory.dmp

                                                                              Filesize

                                                                              1.3MB

                                                                            • memory/3376-283-0x00000000052D0000-0x00000000058D6000-memory.dmp

                                                                              Filesize

                                                                              6.0MB

                                                                            • memory/3376-271-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                              Filesize

                                                                              136KB

                                                                            • memory/3972-300-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                              Filesize

                                                                              816KB

                                                                            • memory/3972-299-0x00000000020C0000-0x0000000002108000-memory.dmp

                                                                              Filesize

                                                                              288KB

                                                                            • memory/4256-577-0x0000000001300000-0x00000000013AE000-memory.dmp

                                                                              Filesize

                                                                              696KB