Analysis

  • max time kernel
    108s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    23/12/2021, 13:28

General

  • Target

    fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1.exe

  • Size

    7.2MB

  • MD5

    8c58160ee123350f23b879bfc8493a4e

  • SHA1

    d37b113d7c41cff86f3b7b9caa8ec7a5d96cf19b

  • SHA256

    fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1

  • SHA512

    5c3e309a1d5820b5ee2f9aacd203c70e1cb3d6260f18ae61e22f6d507b23c43532064f4b4147bc59f56e2494ad11105b54617e505e591cefd6b226847a07f15f

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Extracted

Family

vidar

Version

49.2

Botnet

915

C2

https://mstdn.social/@kipriauk9

https://qoto.org/@kipriauk8

Attributes
  • profile_id

    915

Extracted

Family

redline

Botnet

media22ns

C2

65.108.69.168:13293

Extracted

Family

redline

Botnet

userv1

C2

159.69.246.184:13127

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 26 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:880
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      2⤵
        PID:2528
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:2444
      • C:\Users\Admin\AppData\Local\Temp\fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1.exe
        "C:\Users\Admin\AppData\Local\Temp\fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1.exe"
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\setup_install.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS466C6536\setup_install.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:564
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
              4⤵
                PID:1364
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:972
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                4⤵
                  PID:1380
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2000
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c Thu03812e8b6f95.exe
                  4⤵
                  • Loads dropped DLL
                  PID:1952
                  • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu03812e8b6f95.exe
                    Thu03812e8b6f95.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:2032
                    • C:\Windows\SysWOW64\control.exe
                      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\nmpadmoD.cPl",
                      6⤵
                        PID:2588
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nmpadmoD.cPl",
                          7⤵
                            PID:2636
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Thu03aa0b8bc75.exe
                      4⤵
                      • Loads dropped DLL
                      PID:956
                      • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu03aa0b8bc75.exe
                        Thu03aa0b8bc75.exe
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1372
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Thu03b281c30a.exe
                      4⤵
                      • Loads dropped DLL
                      PID:1564
                      • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu03b281c30a.exe
                        Thu03b281c30a.exe
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Modifies system certificate store
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1692
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /c taskkill /f /im chrome.exe
                          6⤵
                            PID:2772
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /f /im chrome.exe
                              7⤵
                              • Kills process with taskkill
                              PID:2812
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Thu038a24d798.exe
                        4⤵
                        • Loads dropped DLL
                        PID:1628
                        • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu038a24d798.exe
                          Thu038a24d798.exe
                          5⤵
                          • Executes dropped EXE
                          PID:756
                          • C:\Users\Admin\AppData\Local\e66c1bce-c5a0-48c4-baf2-cf29b0df5c79.exe
                            "C:\Users\Admin\AppData\Local\e66c1bce-c5a0-48c4-baf2-cf29b0df5c79.exe"
                            6⤵
                              PID:1536
                            • C:\Users\Admin\AppData\Local\7935c047-36f3-4dd4-bb2d-ce412776a5f2.exe
                              "C:\Users\Admin\AppData\Local\7935c047-36f3-4dd4-bb2d-ce412776a5f2.exe"
                              6⤵
                                PID:1008
                              • C:\Users\Admin\AppData\Local\1c489715-ef97-4778-bd05-3a294257f88f.exe
                                "C:\Users\Admin\AppData\Local\1c489715-ef97-4778-bd05-3a294257f88f.exe"
                                6⤵
                                  PID:524
                                  • C:\Users\Admin\AppData\Roaming\4382828.exe
                                    "C:\Users\Admin\AppData\Roaming\4382828.exe"
                                    7⤵
                                      PID:2924
                                      • C:\Windows\SysWOW64\control.exe
                                        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                                        8⤵
                                          PID:2864
                                          • C:\Windows\SysWOW64\rundll32.exe
                                            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                                            9⤵
                                              PID:3016
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Thu03b32e8695.exe
                                    4⤵
                                    • Loads dropped DLL
                                    PID:936
                                    • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu03b32e8695.exe
                                      Thu03b32e8695.exe
                                      5⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:1932
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Thu030f000c97b1a47cf.exe
                                    4⤵
                                    • Loads dropped DLL
                                    PID:1724
                                    • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu030f000c97b1a47cf.exe
                                      Thu030f000c97b1a47cf.exe
                                      5⤵
                                      • Executes dropped EXE
                                      PID:596
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Thu0340c0ac45a.exe
                                    4⤵
                                    • Loads dropped DLL
                                    PID:1732
                                    • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0340c0ac45a.exe
                                      Thu0340c0ac45a.exe
                                      5⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:1388
                                      • C:\Users\Admin\AppData\Local\Temp\is-0M5DE.tmp\Thu0340c0ac45a.tmp
                                        "C:\Users\Admin\AppData\Local\Temp\is-0M5DE.tmp\Thu0340c0ac45a.tmp" /SL5="$F0152,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0340c0ac45a.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:1196
                                        • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0340c0ac45a.exe
                                          "C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0340c0ac45a.exe" /SILENT
                                          7⤵
                                          • Executes dropped EXE
                                          PID:1264
                                          • C:\Users\Admin\AppData\Local\Temp\is-510VT.tmp\Thu0340c0ac45a.tmp
                                            "C:\Users\Admin\AppData\Local\Temp\is-510VT.tmp\Thu0340c0ac45a.tmp" /SL5="$20178,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0340c0ac45a.exe" /SILENT
                                            8⤵
                                            • Executes dropped EXE
                                            PID:660
                                            • C:\Users\Admin\AppData\Local\Temp\is-KGIFK.tmp\windllhost.exe
                                              "C:\Users\Admin\AppData\Local\Temp\is-KGIFK.tmp\windllhost.exe" 77
                                              9⤵
                                                PID:2700
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c Thu0391445c068b.exe
                                      4⤵
                                      • Loads dropped DLL
                                      PID:568
                                      • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0391445c068b.exe
                                        Thu0391445c068b.exe
                                        5⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Suspicious use of SetThreadContext
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1492
                                        • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0391445c068b.exe
                                          C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0391445c068b.exe
                                          6⤵
                                          • Executes dropped EXE
                                          PID:2896
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c Thu0388d948c4d2.exe /mixtwo
                                      4⤵
                                      • Loads dropped DLL
                                      PID:1964
                                      • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0388d948c4d2.exe
                                        Thu0388d948c4d2.exe /mixtwo
                                        5⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Suspicious use of SetThreadContext
                                        PID:1972
                                        • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0388d948c4d2.exe
                                          Thu0388d948c4d2.exe /mixtwo
                                          6⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:2012
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu0388d948c4d2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0388d948c4d2.exe" & exit
                                            7⤵
                                              PID:1116
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /im "Thu0388d948c4d2.exe" /f
                                                8⤵
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:976
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Thu03b1305321.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:1516
                                        • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu03b1305321.exe
                                          Thu03b1305321.exe
                                          5⤵
                                          • Executes dropped EXE
                                          PID:1096
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Thu03e3edb243781.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:996
                                        • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu03e3edb243781.exe
                                          Thu03e3edb243781.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Checks SCSI registry key(s)
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious behavior: MapViewOfSection
                                          PID:1592
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Thu0362a57cb04.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:1524
                                        • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0362a57cb04.exe
                                          Thu0362a57cb04.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:1684
                                          • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0362a57cb04.exe
                                            "C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0362a57cb04.exe" -u
                                            6⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:1336
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Thu03b3d0969cddc22eb.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:1168
                                        • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu03b3d0969cddc22eb.exe
                                          Thu03b3d0969cddc22eb.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:1160
                                          • C:\Windows\SysWOW64\control.exe
                                            "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\nmpadmoD.cPl",
                                            6⤵
                                              PID:440
                                              • C:\Windows\SysWOW64\rundll32.exe
                                                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nmpadmoD.cPl",
                                                7⤵
                                                  PID:2072
                                                  • C:\Windows\system32\RunDll32.exe
                                                    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nmpadmoD.cPl",
                                                    8⤵
                                                      PID:2132
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c Thu033002fdb13a8ca.exe
                                              4⤵
                                              • Loads dropped DLL
                                              PID:1720
                                              • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu033002fdb13a8ca.exe
                                                Thu033002fdb13a8ca.exe
                                                5⤵
                                                • Executes dropped EXE
                                                PID:1584
                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:924
                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:1612
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c Thu0368bfc54f5c0f8.exe
                                              4⤵
                                              • Loads dropped DLL
                                              PID:1608
                                              • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0368bfc54f5c0f8.exe
                                                Thu0368bfc54f5c0f8.exe
                                                5⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Suspicious use of SetThreadContext
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:932
                                                • C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0368bfc54f5c0f8.exe
                                                  C:\Users\Admin\AppData\Local\Temp\7zS466C6536\Thu0368bfc54f5c0f8.exe
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:2888
                                      • C:\Windows\system32\rundll32.exe
                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:2336
                                        • C:\Windows\SysWOW64\rundll32.exe
                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                          2⤵
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2344

                                      Network

                                            MITRE ATT&CK Enterprise v6

                                            Downloads


                                            • memory/972-251-0x0000000002100000-0x0000000002D4A000-memory.dmp

                                              Filesize

                                              12.3MB

                                            • memory/972-224-0x0000000002100000-0x0000000002D4A000-memory.dmp

                                              Filesize

                                              12.3MB

                                            • memory/972-237-0x0000000002100000-0x0000000002D4A000-memory.dmp

                                              Filesize

                                              12.3MB

                                            • memory/1008-328-0x0000000000670000-0x00000000006B5000-memory.dmp

                                              Filesize

                                              276KB

                                            • memory/1096-231-0x00000000000F0000-0x00000000000F8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1096-229-0x00000000000F0000-0x00000000000F8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1096-284-0x000000001B5B0000-0x000000001B5B2000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/1196-225-0x0000000000260000-0x0000000000261000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1248-262-0x0000000002990000-0x00000000029A6000-memory.dmp

                                              Filesize

                                              88KB

                                            • memory/1264-238-0x0000000000400000-0x00000000004CC000-memory.dmp

                                              Filesize

                                              816KB

                                            • memory/1388-213-0x0000000000400000-0x00000000004CC000-memory.dmp

                                              Filesize

                                              816KB

                                            • memory/1492-245-0x00000000003F0000-0x00000000003F1000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1492-218-0x0000000000F60000-0x0000000000FEC000-memory.dmp

                                              Filesize

                                              560KB

                                            • memory/1492-217-0x0000000000F60000-0x0000000000FEC000-memory.dmp

                                              Filesize

                                              560KB

                                            • memory/1492-244-0x0000000004F80000-0x0000000004F81000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1536-313-0x0000000000860000-0x00000000008AC000-memory.dmp

                                              Filesize

                                              304KB

                                            • memory/1536-312-0x0000000000860000-0x00000000008AC000-memory.dmp

                                              Filesize

                                              304KB

                                            • memory/1536-316-0x0000000000480000-0x0000000000486000-memory.dmp

                                              Filesize

                                              24KB

                                            • memory/1536-314-0x0000000000330000-0x0000000000336000-memory.dmp

                                              Filesize

                                              24KB

                                            • memory/1536-315-0x0000000000500000-0x000000000054E000-memory.dmp

                                              Filesize

                                              312KB

                                            • memory/1592-257-0x0000000000240000-0x0000000000248000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1592-259-0x0000000000400000-0x000000000083F000-memory.dmp

                                              Filesize

                                              4.2MB

                                            • memory/1592-258-0x0000000000250000-0x0000000000259000-memory.dmp

                                              Filesize

                                              36KB

                                            • memory/1612-250-0x0000000000400000-0x000000000047C000-memory.dmp

                                              Filesize

                                              496KB

                                            • memory/1672-54-0x0000000075341000-0x0000000075343000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/1932-270-0x0000000000350000-0x00000000003CC000-memory.dmp

                                              Filesize

                                              496KB

                                            • memory/1932-271-0x0000000000DF0000-0x0000000000EC5000-memory.dmp

                                              Filesize

                                              852KB

                                            • memory/1932-272-0x0000000000400000-0x00000000008B2000-memory.dmp

                                              Filesize

                                              4.7MB

                                            • memory/2000-223-0x0000000001FE0000-0x0000000002C2A000-memory.dmp

                                              Filesize

                                              12.3MB

                                            • memory/2000-239-0x0000000001FE0000-0x0000000002C2A000-memory.dmp

                                              Filesize

                                              12.3MB

                                            • memory/2012-195-0x0000000000400000-0x0000000000450000-memory.dmp

                                              Filesize

                                              320KB

                                            • memory/2012-194-0x0000000000400000-0x0000000000450000-memory.dmp

                                              Filesize

                                              320KB

                                            • memory/2012-210-0x0000000000400000-0x0000000000450000-memory.dmp

                                              Filesize

                                              320KB

                                            • memory/2012-206-0x0000000000400000-0x0000000000450000-memory.dmp

                                              Filesize

                                              320KB

                                            • memory/2344-263-0x0000000000A00000-0x0000000000B01000-memory.dmp

                                              Filesize

                                              1.0MB

                                            • memory/2344-264-0x0000000000310000-0x000000000036D000-memory.dmp

                                              Filesize

                                              372KB

                                            • memory/2444-292-0x0000000001C60000-0x0000000001C89000-memory.dmp

                                              Filesize

                                              164KB

                                            • memory/2444-266-0x0000000000110000-0x000000000015D000-memory.dmp

                                              Filesize

                                              308KB

                                            • memory/2444-291-0x0000000000380000-0x000000000039B000-memory.dmp

                                              Filesize

                                              108KB

                                            • memory/2444-293-0x0000000003170000-0x0000000003275000-memory.dmp

                                              Filesize

                                              1.0MB

                                            • memory/2444-269-0x00000000004C0000-0x0000000000532000-memory.dmp

                                              Filesize

                                              456KB

                                            • memory/2636-288-0x0000000000190000-0x0000000000191000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2888-306-0x0000000000400000-0x0000000000420000-memory.dmp

                                              Filesize

                                              128KB

                                            • memory/2888-309-0x0000000000400000-0x0000000000420000-memory.dmp

                                              Filesize

                                              128KB

                                            • memory/2896-308-0x0000000000400000-0x0000000000420000-memory.dmp

                                              Filesize

                                              128KB

                                            • memory/2896-333-0x0000000000680000-0x0000000000681000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2896-307-0x0000000000400000-0x0000000000420000-memory.dmp

                                              Filesize

                                              128KB