Analysis

  • max time kernel
    153s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/12/2021, 14:03

General

  • Target

    42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe

  • Size

    6.7MB

  • MD5

    09627559587e099b024796e1b61fbd4c

  • SHA1

    28cab95f8d7262958b09a3a622ff14196a05d52a

  • SHA256

    42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d

  • SHA512

    b8bc5e8afa775a7878e82e6a6fea355a1c61018bdafc9967f8b136ef999490b655daa4ae551c152b7f1e092797929e17f8bfa2d6d5d89865d078d03fe91c94ae

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Vidar Stealer 1 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 25 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:868
        • C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          3⤵
            PID:2804
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:2664
      • C:\Users\Admin\AppData\Local\Temp\42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe
        "C:\Users\Admin\AppData\Local\Temp\42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe"
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:652
          • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\setup_install.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSC8270316\setup_install.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1396
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              4⤵
                PID:1988
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:484
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                  5⤵
                    PID:856
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c Sat1246754647.exe
                  4⤵
                    PID:1108
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat125c6837fefc9.exe
                    4⤵
                    • Loads dropped DLL
                    PID:1816
                    • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat125c6837fefc9.exe
                      Sat125c6837fefc9.exe
                      5⤵
                      • Executes dropped EXE
                      • Checks computer location settings
                      • Loads dropped DLL
                      PID:1736
                      • C:\Users\Admin\Pictures\Adobe Films\xGhxua_Wah4rE0jI7Z4QR4KQ.exe
                        "C:\Users\Admin\Pictures\Adobe Films\xGhxua_Wah4rE0jI7Z4QR4KQ.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:2912
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 776
                        6⤵
                        • Program crash
                        PID:2444
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat123037f78f205c.exe
                    4⤵
                    • Loads dropped DLL
                    PID:1672
                    • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat123037f78f205c.exe
                      Sat123037f78f205c.exe
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Modifies system certificate store
                      • Suspicious use of AdjustPrivilegeToken
                      PID:384
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c taskkill /f /im chrome.exe
                        6⤵
                          PID:2320
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im chrome.exe
                            7⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2420
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Sat128942fc3c9a4e75.exe
                      4⤵
                      • Loads dropped DLL
                      PID:1828
                      • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat128942fc3c9a4e75.exe
                        Sat128942fc3c9a4e75.exe
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1212
                        • C:\Users\Admin\AppData\Local\0db114c3-f46a-4059-b918-2dd237644825.exe
                          "C:\Users\Admin\AppData\Local\0db114c3-f46a-4059-b918-2dd237644825.exe"
                          6⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:3020
                        • C:\Users\Admin\AppData\Local\8b3f6a25-ab9b-47f8-921c-d5f1b83a039b.exe
                          "C:\Users\Admin\AppData\Local\8b3f6a25-ab9b-47f8-921c-d5f1b83a039b.exe"
                          6⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          PID:2060
                          • C:\Users\Admin\AppData\Roaming\63012148\3576340613837327.exe
                            "C:\Users\Admin\AppData\Roaming\63012148\3576340613837327.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:1240
                        • C:\Users\Admin\AppData\Local\63eb208d-9a54-44ff-bd73-58b41f1cae96.exe
                          "C:\Users\Admin\AppData\Local\63eb208d-9a54-44ff-bd73-58b41f1cae96.exe"
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:2152
                        • C:\Users\Admin\AppData\Local\32da0520-daee-498b-8e33-a848562b901c.exe
                          "C:\Users\Admin\AppData\Local\32da0520-daee-498b-8e33-a848562b901c.exe"
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:576
                        • C:\Users\Admin\AppData\Local\3b3c9a66-af60-4773-97d1-7824d13c48d8.exe
                          "C:\Users\Admin\AppData\Local\3b3c9a66-af60-4773-97d1-7824d13c48d8.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:1972
                          • C:\Users\Admin\AppData\Roaming\6521203.exe
                            "C:\Users\Admin\AppData\Roaming\6521203.exe"
                            7⤵
                              PID:1828
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Sat1266d17883454b1.exe
                        4⤵
                        • Loads dropped DLL
                        PID:1680
                        • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat1266d17883454b1.exe
                          Sat1266d17883454b1.exe
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks processor information in registry
                          PID:1604
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c taskkill /im Sat1266d17883454b1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat1266d17883454b1.exe" & del C:\ProgramData\*.dll & exit
                            6⤵
                              PID:1548
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /im Sat1266d17883454b1.exe /f
                                7⤵
                                • Kills process with taskkill
                                PID:2448
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Sat1283d3fd9a.exe
                          4⤵
                          • Loads dropped DLL
                          PID:1436
                          • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat1283d3fd9a.exe
                            Sat1283d3fd9a.exe
                            5⤵
                            • Executes dropped EXE
                            PID:968
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Sat12faf3464bdfb3c.exe
                          4⤵
                          • Loads dropped DLL
                          PID:1656
                          • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12faf3464bdfb3c.exe
                            Sat12faf3464bdfb3c.exe
                            5⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:1480
                            • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12faf3464bdfb3c.exe
                              "C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12faf3464bdfb3c.exe" -u
                              6⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:1536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Sat1296f0ebf057bb0b.exe
                          4⤵
                          • Loads dropped DLL
                          PID:1904
                          • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat1296f0ebf057bb0b.exe
                            Sat1296f0ebf057bb0b.exe
                            5⤵
                            • Executes dropped EXE
                            • Checks computer location settings
                            • Loads dropped DLL
                            PID:300
                            • C:\Users\Admin\Pictures\Adobe Films\unG8AFk0cHP_xMT6Y702MS1C.exe
                              "C:\Users\Admin\Pictures\Adobe Films\unG8AFk0cHP_xMT6Y702MS1C.exe"
                              6⤵
                              • Executes dropped EXE
                              PID:2968
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 1296
                              6⤵
                              • Program crash
                              PID:2384
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Sat126518fd66e0120.exe
                          4⤵
                          • Loads dropped DLL
                          PID:1696
                          • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat126518fd66e0120.exe
                            Sat126518fd66e0120.exe
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1048
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Sat127b52b8f420b.exe
                          4⤵
                            PID:1728
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Sat125bf3a6108a6f5e.exe
                            4⤵
                            • Loads dropped DLL
                            PID:1992
                            • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat125bf3a6108a6f5e.exe
                              Sat125bf3a6108a6f5e.exe
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:2000
                              • C:\Windows\SysWOW64\regsvr32.exe
                                "C:\Windows\System32\regsvr32.exe" /U QHCb.Lp0 /s
                                6⤵
                                • Loads dropped DLL
                                PID:2344
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Sat12b734b9ff65fd19.exe
                            4⤵
                            • Loads dropped DLL
                            PID:1168
                            • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12b734b9ff65fd19.exe
                              Sat12b734b9ff65fd19.exe
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Checks SCSI registry key(s)
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: MapViewOfSection
                              PID:1936
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Sat12d67b11255d.exe
                            4⤵
                            • Loads dropped DLL
                            PID:1984
                            • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12d67b11255d.exe
                              Sat12d67b11255d.exe
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of SetThreadContext
                              PID:1896
                              • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12d67b11255d.exe
                                C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12d67b11255d.exe
                                6⤵
                                • Executes dropped EXE
                                PID:1468
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Sat12285b225fb.exe /mixtwo
                            4⤵
                            • Loads dropped DLL
                            PID:740
                            • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12285b225fb.exe
                              Sat12285b225fb.exe /mixtwo
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of SetThreadContext
                              PID:1020
                              • C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12285b225fb.exe
                                Sat12285b225fb.exe /mixtwo
                                6⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                PID:1100
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat12285b225fb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC8270316\Sat12285b225fb.exe" & exit
                                  7⤵
                                    PID:652
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /im "Sat12285b225fb.exe" /f
                                      8⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1176
                      • C:\Windows\system32\rundll32.exe
                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                        1⤵
                        • Process spawned unexpected child process
                        PID:2484
                        • C:\Windows\SysWOW64\rundll32.exe
                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                          2⤵
                          • Loads dropped DLL
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2532

                      Network

                            MITRE ATT&CK Enterprise v6

                            Downloads
