Analysis

  • max time kernel
    62s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/12/2021, 14:02

General

  • Target

    345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe

  • Size

    7.8MB

  • MD5

    bb627ed9b75d70e535ee848ce917aa65

  • SHA1

    7dc9b35117234134d910f53e2345d3157c25e8b2

  • SHA256

    345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b

  • SHA512

    acbac7166c809f43e50111bb118fac43d09f3219f1e15c593438ed5dc406e0100abf2fca68ba6c2e0545d49c853aeb75e71bf64f034dd0b13f5f48d61acbba67

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 1 IoCs
  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers.

  • Nirsoft 3 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe
    "C:\Users\Admin\AppData\Local\Temp\345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
            PID:1280
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
              5⤵
                PID:984
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              4⤵
                PID:1616
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                  5⤵
                    PID:1368
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c Sat215d0254132.exe
                  4⤵
                  • Loads dropped DLL
                  PID:1540
                  • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat215d0254132.exe
                    Sat215d0254132.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1720
                    • C:\Users\Admin\Pictures\Adobe Films\mgh1k02gvUST3Jsb4LRXbKr6.exe
                      "C:\Users\Admin\Pictures\Adobe Films\mgh1k02gvUST3Jsb4LRXbKr6.exe"
                      6⤵
                        PID:516
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1488
                        6⤵
                        • Program crash
                        PID:2236
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat2186a2fe17bc3.exe /mixtwo
                    4⤵
                    • Loads dropped DLL
                    PID:2004
                    • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2186a2fe17bc3.exe
                      Sat2186a2fe17bc3.exe /mixtwo
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      PID:1060
                      • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2186a2fe17bc3.exe
                        Sat2186a2fe17bc3.exe /mixtwo
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1964
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat2186a2fe17bc3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2186a2fe17bc3.exe" & exit
                          7⤵
                            PID:2208
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /im "Sat2186a2fe17bc3.exe" /f
                              8⤵
                              • Kills process with taskkill
                              PID:2300
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Sat21a3a382cb.exe
                      4⤵
                      • Loads dropped DLL
                      PID:1624
                      • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21a3a382cb.exe
                        Sat21a3a382cb.exe
                        5⤵
                        • Executes dropped EXE
                        PID:2240
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Sat214f898013408c.exe
                      4⤵
                      • Loads dropped DLL
                      PID:1152
                      • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat214f898013408c.exe
                        Sat214f898013408c.exe
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: MapViewOfSection
                        PID:1352
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Sat211f3dc0dc85a790.exe
                      4⤵
                      • Loads dropped DLL
                      PID:1652
                      • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe
                        Sat211f3dc0dc85a790.exe
                        5⤵
                        • Executes dropped EXE
                        PID:900
                        • C:\Users\Admin\AppData\Local\Temp\is-6JGRS.tmp\Sat211f3dc0dc85a790.tmp
                          "C:\Users\Admin\AppData\Local\Temp\is-6JGRS.tmp\Sat211f3dc0dc85a790.tmp" /SL5="$20164,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe"
                          6⤵
                            PID:2224
                            • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe
                              "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe" /SILENT
                              7⤵
                                PID:2284
                                • C:\Users\Admin\AppData\Local\Temp\is-BNSLE.tmp\Sat211f3dc0dc85a790.tmp
                                  "C:\Users\Admin\AppData\Local\Temp\is-BNSLE.tmp\Sat211f3dc0dc85a790.tmp" /SL5="$301EA,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe" /SILENT
                                  8⤵
                                    PID:2128
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Sat21331fd7d3.exe
                            4⤵
                            • Loads dropped DLL
                            PID:1320
                            • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21331fd7d3.exe
                              Sat21331fd7d3.exe
                              5⤵
                              • Executes dropped EXE
                              PID:924
                              • C:\Windows\SysWOW64\control.exe
                                "C:\Windows\System32\control.exe" .\T2bGV.~
                                6⤵
                                  PID:2960
                                  • C:\Windows\SysWOW64\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\T2bGV.~
                                    7⤵
                                      PID:3004
                                      • C:\Windows\system32\RunDll32.exe
                                        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\T2bGV.~
                                        8⤵
                                          PID:1668
                                          • C:\Windows\SysWOW64\rundll32.exe
                                            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\T2bGV.~
                                            9⤵
                                              PID:2448
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Sat21d2de5c9915e148.exe
                                    4⤵
                                    • Loads dropped DLL
                                    PID:1712
                                    • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21d2de5c9915e148.exe
                                      Sat21d2de5c9915e148.exe
                                      5⤵
                                      • Executes dropped EXE
                                      PID:1896
                                      • C:\Users\Admin\AppData\Local\603ecca9-bf79-4ed8-a910-8f6afc7f7237.exe
                                        "C:\Users\Admin\AppData\Local\603ecca9-bf79-4ed8-a910-8f6afc7f7237.exe"
                                        6⤵
                                          PID:2988
                                        • C:\Users\Admin\AppData\Local\f168f0ef-7d2f-4ae2-bfd8-e0e50a53e52d.exe
                                          "C:\Users\Admin\AppData\Local\f168f0ef-7d2f-4ae2-bfd8-e0e50a53e52d.exe"
                                          6⤵
                                            PID:3024
                                            • C:\Users\Admin\AppData\Roaming\85598396\7480031185598252.exe
                                              "C:\Users\Admin\AppData\Roaming\85598396\7480031185598252.exe"
                                              7⤵
                                                PID:1088
                                            • C:\Users\Admin\AppData\Local\bc53aa3e-baa1-483d-9e2a-6ff2233452cb.exe
                                              "C:\Users\Admin\AppData\Local\bc53aa3e-baa1-483d-9e2a-6ff2233452cb.exe"
                                              6⤵
                                                PID:2740
                                              • C:\Users\Admin\AppData\Local\ec56be66-0dc6-4764-8793-0b290a9798e4.exe
                                                "C:\Users\Admin\AppData\Local\ec56be66-0dc6-4764-8793-0b290a9798e4.exe"
                                                6⤵
                                                  PID:3012
                                                • C:\Users\Admin\AppData\Local\68347cc1-6a79-4e18-abc2-d8ab9990fad9.exe
                                                  "C:\Users\Admin\AppData\Local\68347cc1-6a79-4e18-abc2-d8ab9990fad9.exe"
                                                  6⤵
                                                    PID:2732
                                                    • C:\Users\Admin\AppData\Roaming\2762339.exe
                                                      "C:\Users\Admin\AppData\Roaming\2762339.exe"
                                                      7⤵
                                                        PID:1712
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c Sat2106af2f1b2e3716.exe
                                                  4⤵
                                                    PID:2028
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c Sat2175f29e38b1.exe
                                                    4⤵
                                                    • Loads dropped DLL
                                                    PID:1608
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2175f29e38b1.exe
                                                      Sat2175f29e38b1.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      PID:1496
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c Sat21de94a76558.exe
                                                    4⤵
                                                    • Loads dropped DLL
                                                    PID:1736
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21de94a76558.exe
                                                      Sat21de94a76558.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      PID:872
                                                      • C:\Users\Admin\Pictures\Adobe Films\qHFqTJRLt27ASy0gcgVpn4BR.exe
                                                        "C:\Users\Admin\Pictures\Adobe Films\qHFqTJRLt27ASy0gcgVpn4BR.exe"
                                                        6⤵
                                                          PID:1364
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1548
                                                          6⤵
                                                          • Program crash
                                                          PID:1884
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c Sat21e5d4a320d0.exe
                                                      4⤵
                                                      • Loads dropped DLL
                                                      PID:1096
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21e5d4a320d0.exe
                                                        Sat21e5d4a320d0.exe
                                                        5⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        PID:1840
                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\compostdeb\svchost.exe" -Force
                                                          6⤵
                                                            PID:2852
                                                          • C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\AdvancedRun.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                            6⤵
                                                              PID:1776
                                                            • C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\dd5102ff-8339-4d43-822f-be1787e68975.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\dd5102ff-8339-4d43-822f-be1787e68975.exe" /o /c "Windows-Defender" /r
                                                              6⤵
                                                                PID:2536
                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\compostdeb\svchost.exe" -Force
                                                                6⤵
                                                                  PID:2504
                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21e5d4a320d0.exe" -Force
                                                                  6⤵
                                                                    PID:2636
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c Sat21fad2ad3b493fd4.exe
                                                                4⤵
                                                                • Loads dropped DLL
                                                                PID:1984
                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21fad2ad3b493fd4.exe
                                                                  Sat21fad2ad3b493fd4.exe
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  PID:1500
                                                                  • C:\Windows\SysWOW64\control.exe
                                                                    "C:\Windows\System32\control.exe" .\T2bGV.~
                                                                    6⤵
                                                                      PID:2484
                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\T2bGV.~
                                                                        7⤵
                                                                          PID:2596
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c Sat21822ebb0e.exe
                                                                    4⤵
                                                                    • Loads dropped DLL
                                                                    PID:636
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21822ebb0e.exe
                                                                      Sat21822ebb0e.exe
                                                                      5⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:960
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21822ebb0e.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21822ebb0e.exe
                                                                        6⤵
                                                                          PID:2880
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c Sat21cab531e24c.exe
                                                                      4⤵
                                                                      • Loads dropped DLL
                                                                      PID:1704
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21cab531e24c.exe
                                                                        Sat21cab531e24c.exe
                                                                        5⤵
                                                                        • Executes dropped EXE
                                                                        PID:1064
                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                          6⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          PID:2152
                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                          6⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          PID:2388
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c Sat2191af1420045d6af.exe
                                                                      4⤵
                                                                      • Loads dropped DLL
                                                                      PID:1084
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2191af1420045d6af.exe
                                                                        Sat2191af1420045d6af.exe
                                                                        5⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Modifies system certificate store
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1348
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          cmd.exe /c taskkill /f /im chrome.exe
                                                                          6⤵
                                                                            PID:2716
                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                              taskkill /f /im chrome.exe
                                                                              7⤵
                                                                              • Kills process with taskkill
                                                                              PID:2752
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c Sat2184c3c6c75ad8f83.exe
                                                                        4⤵
                                                                        • Loads dropped DLL
                                                                        PID:632
                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2184c3c6c75ad8f83.exe
                                                                          Sat2184c3c6c75ad8f83.exe
                                                                          5⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          PID:1224
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2184c3c6c75ad8f83.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2184c3c6c75ad8f83.exe" -u
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            PID:540
                                                                • C:\Windows\system32\rundll32.exe
                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  PID:2864
                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                    2⤵
                                                                      PID:2904
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                    1⤵
                                                                      PID:3016

Network

MITRE ATT&CK Enterprise v6



                                                                          • memory/984-280-0x0000000002050000-0x0000000002C9A000-memory.dmp

                                                                            Filesize

                                                                            12.3MB

                                                                          • memory/984-238-0x0000000002050000-0x0000000002C9A000-memory.dmp

                                                                            Filesize

                                                                            12.3MB

                                                                          • memory/1088-372-0x000000001AC70000-0x000000001AC72000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                          • memory/1352-207-0x00000000005F0000-0x0000000000600000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                          • memory/1352-209-0x0000000000240000-0x0000000000249000-memory.dmp

                                                                            Filesize

                                                                            36KB

                                                                          • memory/1352-210-0x0000000000400000-0x00000000004C9000-memory.dmp

                                                                            Filesize

                                                                            804KB

                                                                          • memory/1368-247-0x0000000002060000-0x0000000002CAA000-memory.dmp

                                                                            Filesize

                                                                            12.3MB

                                                                          • memory/1368-281-0x0000000002060000-0x0000000002CAA000-memory.dmp

                                                                            Filesize

                                                                            12.3MB

                                                                          • memory/1368-239-0x0000000002060000-0x0000000002CAA000-memory.dmp

                                                                            Filesize

                                                                            12.3MB

                                                                          • memory/1412-214-0x0000000002760000-0x0000000002776000-memory.dmp

                                                                            Filesize

                                                                            88KB

                                                                          • memory/1480-91-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                            Filesize

                                                                            100KB

                                                                          • memory/1480-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                          • memory/1480-92-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                            Filesize

                                                                            100KB

                                                                          • memory/1480-97-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                            Filesize

                                                                            152KB

                                                                          • memory/1480-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                            Filesize

                                                                            152KB

                                                                          • memory/1480-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                            Filesize

                                                                            572KB

                                                                          • memory/1480-96-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                          • memory/1480-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                            Filesize

                                                                            572KB

                                                                          • memory/1480-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                          • memory/1480-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                          • memory/1480-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                          • memory/1480-95-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                            Filesize

                                                                            572KB

                                                                          • memory/1480-94-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                            Filesize

                                                                            100KB

                                                                          • memory/1480-93-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                            Filesize

                                                                            100KB

                                                                          • memory/1480-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                            Filesize

                                                                            572KB

                                                                          • memory/1496-225-0x0000000000B60000-0x0000000000B61000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/1496-299-0x000000001B460000-0x000000001B462000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                          • memory/1720-236-0x0000000003C20000-0x0000000003DE4000-memory.dmp

                                                                            Filesize

                                                                            1.8MB

                                                                          • memory/1840-288-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/1840-215-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/1884-374-0x00000000006B0000-0x00000000006D4000-memory.dmp

                                                                            Filesize

                                                                            144KB

                                                                          • memory/1896-290-0x000000001B550000-0x000000001B552000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                          • memory/1896-224-0x0000000000020000-0x0000000000021000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/1964-193-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                            Filesize

                                                                            320KB

                                                                          • memory/1964-183-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                            Filesize

                                                                            320KB

                                                                          • memory/1964-179-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                            Filesize

                                                                            320KB

                                                                          • memory/1964-178-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                            Filesize

                                                                            320KB

                                                                          • memory/2128-282-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/2152-221-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                            Filesize

                                                                            340KB

                                                                          • memory/2224-270-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/2236-376-0x0000000000320000-0x0000000000344000-memory.dmp

                                                                            Filesize

                                                                            144KB

                                                                          • memory/2284-276-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                            Filesize

                                                                            816KB

                                                                          • memory/2388-233-0x0000000000400000-0x000000000047C000-memory.dmp

                                                                            Filesize

                                                                            496KB

                                                                          • memory/2448-298-0x0000000000160000-0x0000000000161000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/2448-300-0x00000000022B0000-0x0000000002367000-memory.dmp

                                                                            Filesize

                                                                            732KB

                                                                          • memory/2596-264-0x0000000000D10000-0x0000000000DC8000-memory.dmp

                                                                            Filesize

                                                                            736KB

                                                                          • memory/2596-248-0x0000000000660000-0x0000000000661000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/2732-371-0x0000000000580000-0x0000000000581000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/2740-331-0x0000000000480000-0x00000000004C5000-memory.dmp

                                                                            Filesize

                                                                            276KB

                                                                          • memory/2880-363-0x0000000004D90000-0x0000000004D91000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/2904-258-0x0000000000830000-0x000000000088D000-memory.dmp

                                                                            Filesize

                                                                            372KB

                                                                          • memory/2904-256-0x0000000000A90000-0x0000000000B91000-memory.dmp

                                                                            Filesize

                                                                            1.0MB

                                                                          • memory/2988-361-0x00000000028D0000-0x00000000028D1000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/3004-271-0x000000002D990000-0x000000002DA47000-memory.dmp

                                                                            Filesize

                                                                            732KB

                                                                          • memory/3004-268-0x0000000000110000-0x0000000000111000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                          • memory/3012-342-0x0000000000240000-0x0000000000285000-memory.dmp

                                                                            Filesize

                                                                            276KB

                                                                          • memory/3016-265-0x00000000004A0000-0x0000000000512000-memory.dmp

                                                                            Filesize

                                                                            456KB

                                                                          • memory/3016-375-0x0000000000200000-0x000000000021B000-memory.dmp

                                                                            Filesize

                                                                            108KB

                                                                          • memory/3016-377-0x0000000001CC0000-0x0000000001CE9000-memory.dmp

                                                                            Filesize

                                                                            164KB

                                                                          • memory/3016-378-0x0000000003260000-0x0000000003365000-memory.dmp

                                                                            Filesize

                                                                            1.0MB