Analysis

  • max time kernel
    10s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    23/12/2021, 07:51

General

  • Target

    setup_installx86-x64.exe

  • Size

    7.1MB

  • MD5

    d06111bbd0a0f6349839b9797debc907

  • SHA1

    3fa1a7536f313f159eeedfa9d220eeae0a93c50e

  • SHA256

    f5554b622bea1b21acb4b2bb7b4355f20f4f05984c6fddad79b146d0a60fec3a

  • SHA512

    26518f831334fd1c17fdaa2c33b0714532381724554c2265c348a79ff5bdd66c14e6ff90f1b9c96904f3e177c2f927b5c1c61c2126f4e6563c05ecdc0cc07492

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

redline

Botnet

media22ns

C2

65.108.69.168:13293

Extracted

Family

redline

Botnet

userv1

C2

159.69.246.184:13127

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 6 IoCs
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE GCleaner Downloader Activity M5
  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Vidar Stealer 1 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 29 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installx86-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installx86-x64.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          PID:1900
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            PID:1712
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          PID:1668
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            PID:984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu0730521211247da.exe
          4⤵
          • Loads dropped DLL
          PID:1636
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0730521211247da.exe
            Thu0730521211247da.exe
            5⤵
            • Executes dropped EXE
            PID:1336
            • C:\Users\Admin\AppData\Local\Temp\11111.exe
              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              6⤵
              PID:2432
            • C:\Users\Admin\AppData\Local\Temp\11111.exe
              C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              6⤵
              PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu070f7f2b1c41c43.exe /mixtwo
          4⤵
          • Loads dropped DLL
          PID:1328
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu070f7f2b1c41c43.exe
            Thu070f7f2b1c41c43.exe /mixtwo
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu0747267ec544d.exe
          4⤵
          • Loads dropped DLL
          PID:1532
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0747267ec544d.exe
            Thu0747267ec544d.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2024
            • C:\Users\Admin\Pictures\Adobe Films\ljZFPBpBKzSG0yxzK6p_qJn1.exe
              "C:\Users\Admin\Pictures\Adobe Films\ljZFPBpBKzSG0yxzK6p_qJn1.exe"
              6⤵
              PID:3056
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1496
              6⤵
              • Program crash
              PID:1364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu07d6a2267aa5.exe
          4⤵
          • Loads dropped DLL
          PID:988
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07d6a2267aa5.exe
            Thu07d6a2267aa5.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:960
            • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07d6a2267aa5.exe
              C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07d6a2267aa5.exe
              6⤵
              PID:3036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu07e0c0ba7cb480.exe
          4⤵
          PID:1016
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe
            Thu07e0c0ba7cb480.exe
            5⤵
            PID:588
            • C:\Users\Admin\AppData\Local\Temp\is-OEGJ7.tmp\Thu07e0c0ba7cb480.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-OEGJ7.tmp\Thu07e0c0ba7cb480.tmp" /SL5="$70116,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe"
              6⤵
              PID:2068
              • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe
                "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe" /SILENT
                7⤵
                PID:2188
                • C:\Users\Admin\AppData\Local\Temp\is-CPK5K.tmp\Thu07e0c0ba7cb480.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-CPK5K.tmp\Thu07e0c0ba7cb480.tmp" /SL5="$80116,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe" /SILENT
                  8⤵
                  PID:2288
                  • C:\Users\Admin\AppData\Local\Temp\is-MID62.tmp\windllhost.exe
                    "C:\Users\Admin\AppData\Local\Temp\is-MID62.tmp\windllhost.exe" 77
                    9⤵
                    PID:2988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu0778d670dee78.exe
          4⤵
          PID:1992
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0778d670dee78.exe
            Thu0778d670dee78.exe
            5⤵
            PID:1732
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c taskkill /f /im chrome.exe
              6⤵
              PID:2576
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im chrome.exe
                7⤵
                • Kills process with taskkill
                PID:2628
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu0779f12e8f87b68dc.exe
          4⤵
          PID:864
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0779f12e8f87b68dc.exe
            Thu0779f12e8f87b68dc.exe
            5⤵
            • Executes dropped EXE
            PID:1724
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu0799abc000783e72.exe
          4⤵
          • Loads dropped DLL
          PID:1964
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0799abc000783e72.exe
            Thu0799abc000783e72.exe
            5⤵
            • Executes dropped EXE
            PID:860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu07a42530f6.exe
          4⤵
          PID:1640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu079dbbbe564.exe
          4⤵
          PID:1608
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe
            Thu079dbbbe564.exe
            5⤵
            PID:1584
            • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe
              C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe
              6⤵
              PID:3044
            • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe
              C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe
              6⤵
              • Loads dropped DLL
              PID:864
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu07abc559d21e4.exe
          4⤵
          PID:932
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07abc559d21e4.exe
            Thu07abc559d21e4.exe
            5⤵
            PID:1240
            • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07abc559d21e4.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07abc559d21e4.exe" -u
              6⤵
              PID:2004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu07cf5c06233.exe
          4⤵
          PID:1924
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07cf5c06233.exe
            Thu07cf5c06233.exe
            5⤵
            PID:2208
            • C:\Windows\SysWOW64\msiexec.exe
              "C:\Windows\System32\msiexec.exe" /Y .\JaGbR.HX~
              6⤵
              PID:2924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu07801c76ea0b42113.exe
          4⤵
          PID:1404
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07801c76ea0b42113.exe
            Thu07801c76ea0b42113.exe
            5⤵
            PID:1160
            • C:\Users\Admin\AppData\Local\b21aeee9-b86f-47e6-ae70-bcc093c8e804.exe
              "C:\Users\Admin\AppData\Local\b21aeee9-b86f-47e6-ae70-bcc093c8e804.exe"
              6⤵
              PID:1044
            • C:\Users\Admin\AppData\Local\7c571f56-a1aa-4b8e-ad96-427e71ff65f1.exe
              "C:\Users\Admin\AppData\Local\7c571f56-a1aa-4b8e-ad96-427e71ff65f1.exe"
              6⤵
              PID:844
            • C:\Users\Admin\AppData\Local\f7ab225c-2ed6-4f16-9233-94487b9560ca.exe
              "C:\Users\Admin\AppData\Local\f7ab225c-2ed6-4f16-9233-94487b9560ca.exe"
              6⤵
              PID:2916
              • C:\Users\Admin\AppData\Roaming\2058811.exe
                "C:\Users\Admin\AppData\Roaming\2058811.exe"
                7⤵
                PID:2840
                • C:\Windows\SysWOW64\msiexec.exe
                  "C:\Windows\System32\msiexec.exe" /y .\N3RJBxU.i
                  8⤵
                  PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu070e73a5fc7b63.exe
          4⤵
          PID:1560
          • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu070e73a5fc7b63.exe
            Thu070e73a5fc7b63.exe
            5⤵
            PID:1236
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu07cb54ae4c.exe
          4⤵
          PID:1676
  • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07cb54ae4c.exe
    Thu07cb54ae4c.exe
    1⤵
    PID:1700
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im Thu07cb54ae4c.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07cb54ae4c.exe" & del C:\ProgramData\*.dll & exit
      2⤵
      PID:1716
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im Thu07cb54ae4c.exe /f
        3⤵
        • Kills process with taskkill
        PID:1260
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 6
        3⤵
        • Delays execution with timeout.exe
        PID:2608
  • C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu070f7f2b1c41c43.exe
    Thu070f7f2b1c41c43.exe /mixtwo
    1⤵
    PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu070f7f2b1c41c43.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu070f7f2b1c41c43.exe" & exit
      2⤵
      PID:2480
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "Thu070f7f2b1c41c43.exe" /f
        3⤵
        • Kills process with taskkill
        PID:2516
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    PID:2948
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      2⤵
      PID:2968
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SystemNetworkService
    1⤵
    PID:788

Network

MITRE ATT&CK Enterprise v6


Downloads


                                                                                                  Filesize

                                                                                                  312KB

                                                                                                • memory/1044-306-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/1044-282-0x00000000003B0000-0x00000000003FE000-memory.dmp

                                                                                                  Filesize

                                                                                                  312KB

                                                                                                • memory/1044-297-0x0000000000380000-0x0000000000386000-memory.dmp

                                                                                                  Filesize

                                                                                                  24KB

                                                                                                • memory/1160-235-0x0000000000240000-0x0000000000246000-memory.dmp

                                                                                                  Filesize

                                                                                                  24KB

                                                                                                • memory/1160-254-0x0000000000250000-0x0000000000256000-memory.dmp

                                                                                                  Filesize

                                                                                                  24KB

                                                                                                • memory/1160-209-0x0000000000290000-0x00000000002DA000-memory.dmp

                                                                                                  Filesize

                                                                                                  296KB

                                                                                                • memory/1160-212-0x0000000000290000-0x00000000002DA000-memory.dmp

                                                                                                  Filesize

                                                                                                  296KB

                                                                                                • memory/1160-247-0x000000001AC90000-0x000000001AC92000-memory.dmp

                                                                                                  Filesize

                                                                                                  8KB

                                                                                                • memory/1160-248-0x00000000003E0000-0x0000000000416000-memory.dmp

                                                                                                  Filesize

                                                                                                  216KB

                                                                                                • memory/1236-323-0x0000000000240000-0x0000000000248000-memory.dmp

                                                                                                  Filesize

                                                                                                  32KB

                                                                                                • memory/1236-325-0x0000000000250000-0x0000000000259000-memory.dmp

                                                                                                  Filesize

                                                                                                  36KB

                                                                                                • memory/1364-320-0x00000000002B0000-0x00000000002B1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/1496-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.5MB

                                                                                                • memory/1496-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                  Filesize

                                                                                                  572KB

                                                                                                • memory/1496-100-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                  Filesize

                                                                                                  152KB

                                                                                                • memory/1496-95-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                  Filesize

                                                                                                  100KB

                                                                                                • memory/1496-91-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                  Filesize

                                                                                                  100KB

                                                                                                • memory/1496-92-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                  Filesize

                                                                                                  100KB

                                                                                                • memory/1496-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                  Filesize

                                                                                                  152KB

                                                                                                • memory/1496-96-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                  Filesize

                                                                                                  572KB

                                                                                                • memory/1496-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.5MB

                                                                                                • memory/1496-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.5MB

                                                                                                • memory/1496-93-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                  Filesize

                                                                                                  100KB

                                                                                                • memory/1496-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                  Filesize

                                                                                                  572KB

                                                                                                • memory/1496-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.5MB

                                                                                                • memory/1496-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                  Filesize

                                                                                                  572KB

                                                                                                • memory/1496-98-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.5MB

                                                                                                • memory/1584-242-0x00000000003F0000-0x00000000003F1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/1584-240-0x00000000009C0000-0x00000000009C1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/1584-203-0x0000000000C60000-0x0000000000CEC000-memory.dmp

                                                                                                  Filesize

                                                                                                  560KB

                                                                                                • memory/1584-200-0x0000000000C60000-0x0000000000CEC000-memory.dmp

                                                                                                  Filesize

                                                                                                  560KB

                                                                                                • memory/1700-326-0x00000000002B0000-0x000000000032C000-memory.dmp

                                                                                                  Filesize

                                                                                                  496KB

                                                                                                • memory/1700-54-0x0000000076001000-0x0000000076003000-memory.dmp

                                                                                                  Filesize

                                                                                                  8KB

                                                                                                • memory/1700-324-0x0000000002270000-0x0000000002345000-memory.dmp

                                                                                                  Filesize

                                                                                                  852KB

                                                                                                • memory/1712-216-0x0000000001F90000-0x0000000002BDA000-memory.dmp

                                                                                                  Filesize

                                                                                                  12.3MB

                                                                                                • memory/1712-232-0x0000000001F90000-0x0000000002BDA000-memory.dmp

                                                                                                  Filesize

                                                                                                  12.3MB

                                                                                                • memory/1712-222-0x0000000001F90000-0x0000000002BDA000-memory.dmp

                                                                                                  Filesize

                                                                                                  12.3MB

                                                                                                • memory/2024-261-0x0000000004020000-0x000000000416E000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.3MB

                                                                                                • memory/2068-225-0x00000000002E0000-0x00000000002E1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/2100-215-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                  Filesize

                                                                                                  320KB

                                                                                                • memory/2100-220-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                  Filesize

                                                                                                  320KB

                                                                                                • memory/2100-223-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                  Filesize

                                                                                                  320KB

                                                                                                • memory/2100-217-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                  Filesize

                                                                                                  320KB

                                                                                                • memory/2188-227-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                  Filesize

                                                                                                  816KB

                                                                                                • memory/2288-231-0x00000000002E0000-0x00000000002E1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/2432-238-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                                  Filesize

                                                                                                  340KB

                                                                                                • memory/2684-256-0x0000000000400000-0x000000000047C000-memory.dmp

                                                                                                  Filesize

                                                                                                  496KB

                                                                                                • memory/2916-317-0x0000000000240000-0x0000000000274000-memory.dmp

                                                                                                  Filesize

                                                                                                  208KB

                                                                                                • memory/2916-310-0x0000000000F40000-0x0000000000F88000-memory.dmp

                                                                                                  Filesize

                                                                                                  288KB

                                                                                                • memory/2916-316-0x0000000001230000-0x0000000001231000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/2916-313-0x0000000000230000-0x0000000000236000-memory.dmp

                                                                                                  Filesize

                                                                                                  24KB

                                                                                                • memory/2916-319-0x0000000000270000-0x0000000000276000-memory.dmp

                                                                                                  Filesize

                                                                                                  24KB

                                                                                                • memory/2916-309-0x0000000000F40000-0x0000000000F88000-memory.dmp

                                                                                                  Filesize

                                                                                                  288KB

                                                                                                • memory/2968-263-0x0000000000AA0000-0x0000000000BA1000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.0MB

                                                                                                • memory/2968-264-0x0000000000880000-0x00000000008DD000-memory.dmp

                                                                                                  Filesize

                                                                                                  372KB

                                                                                                • memory/2988-260-0x000007FEFC441000-0x000007FEFC443000-memory.dmp

                                                                                                  Filesize

                                                                                                  8KB

                                                                                                • memory/3036-314-0x0000000000D00000-0x0000000000D01000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3036-270-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3036-280-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3036-281-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB