Analysis

  • max time kernel
    128s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    23/12/2021, 19:36

General

  • Target

    03430361A6D2FE6C89D6B237CA9B887CC6269187B305A.exe

  • Size

    4.8MB

  • MD5

    5d941d663aa77335eebfc3769cbbe12c

  • SHA1

    89aba2fe3c8c7b73d95bde2cc0191caf89471627

  • SHA256

    03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4

  • SHA512

    f1a7069425d51860f79587846f1d1870e3f3ccdba3fd39e549beea96b3b3e555f2522a08a6af1ebf2aa3263a1e61e2af1a1eca62af11e997c8cf42cb1f95f467

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

vidar

Version

40

Botnet

916

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    916

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 10 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Nirsoft 1 IoCs
  • Vidar Stealer 1 IoCs
  • Blocklisted process makes network request 12 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 37 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 8 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:872
        • C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          3⤵
            PID:2224
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Modifies registry class
          PID:1532
        • C:\Windows\system32\msiexec.exe
          C:\Windows\system32\msiexec.exe /V
          2⤵
          • Blocklisted process makes network request
          • Enumerates connected drives
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          PID:2704
          • C:\Windows\syswow64\MsiExec.exe
            C:\Windows\syswow64\MsiExec.exe -Embedding 994576A8A734B14357B6B247514E7486 C
            3⤵
            • Loads dropped DLL
            PID:2772
          • C:\Windows\syswow64\MsiExec.exe
            C:\Windows\syswow64\MsiExec.exe -Embedding 33B19FA063565E8C7D125154C9C253A3
            3⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            PID:3028
          • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
            "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            PID:2232
            • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
              "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Modifies system certificate store
              PID:2300
              • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2532
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_9721.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
              4⤵
                PID:2576
        • C:\Users\Admin\AppData\Local\Temp\03430361A6D2FE6C89D6B237CA9B887CC6269187B305A.exe
          "C:\Users\Admin\AppData\Local\Temp\03430361A6D2FE6C89D6B237CA9B887CC6269187B305A.exe"
          1⤵
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:1088
          • C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
            "C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
            2⤵
            • Executes dropped EXE
            • Modifies system certificate store
            PID:1572
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 916
              3⤵
              • Loads dropped DLL
              • Program crash
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              PID:2796
          • C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
            "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Users\Admin\AppData\Local\Temp\is-NJM0F.tmp\MediaBurner2.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-NJM0F.tmp\MediaBurner2.tmp" /SL5="$101AC,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:536
          • C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
            "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
            2⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:268
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c taskkill /f /im chrome.exe
              3⤵
                PID:368
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im chrome.exe
                  4⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1724
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 1428
                3⤵
                • Loads dropped DLL
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                PID:1892
            • C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
              "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Enumerates connected drives
              • Modifies system certificate store
              • Suspicious use of FindShellTrayWindow
              PID:860
              • C:\Windows\SysWOW64\msiexec.exe
                "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1640028793 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
                3⤵
                  PID:2900
              • C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe
                "C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"
                2⤵
                • Executes dropped EXE
                PID:1584
              • C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
                "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
                2⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                PID:820
              • C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
                "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1640
                • C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
                  "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a
                  3⤵
                  • Executes dropped EXE
                  PID:1532
              • C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
                "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
                2⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                PID:1624
                • C:\Users\Admin\Pictures\Adobe Films\9SMaaec49Qtp_MMitoUg46oK.exe
                  "C:\Users\Admin\Pictures\Adobe Films\9SMaaec49Qtp_MMitoUg46oK.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2520
                • C:\Users\Admin\Pictures\Adobe Films\1lGNeL_Xp5xj1TDSp2WAAXn1.exe
                  "C:\Users\Admin\Pictures\Adobe Films\1lGNeL_Xp5xj1TDSp2WAAXn1.exe"
                  3⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Modifies system certificate store
                  PID:2696
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                    4⤵
                    • Creates scheduled task(s)
                    PID:1464
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                    4⤵
                    • Creates scheduled task(s)
                    PID:868
                • C:\Users\Admin\Pictures\Adobe Films\t30D3kL6FkzgURc8MSHQ6sOu.exe
                  "C:\Users\Admin\Pictures\Adobe Films\t30D3kL6FkzgURc8MSHQ6sOu.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:2812
                • C:\Users\Admin\Pictures\Adobe Films\J0FS5CAGJ6ylNaigIYrUDMct.exe
                  "C:\Users\Admin\Pictures\Adobe Films\J0FS5CAGJ6ylNaigIYrUDMct.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:2808
                • C:\Users\Admin\Pictures\Adobe Films\_ZHsnD1LD7ZqaG61XY6kLSzz.exe
                  "C:\Users\Admin\Pictures\Adobe Films\_ZHsnD1LD7ZqaG61XY6kLSzz.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:2116
                  • C:\Users\Admin\AppData\Local\Temp\7zS4692.tmp\Install.exe
                    .\Install.exe
                    4⤵
                      PID:1748
                  • C:\Users\Admin\Pictures\Adobe Films\3D56TGLOqxxNIsnTOEoPRgFi.exe
                    "C:\Users\Admin\Pictures\Adobe Films\3D56TGLOqxxNIsnTOEoPRgFi.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:2096
                  • C:\Users\Admin\Pictures\Adobe Films\vb3KLfGty8KnpY5nhiH3MSFc.exe
                    "C:\Users\Admin\Pictures\Adobe Films\vb3KLfGty8KnpY5nhiH3MSFc.exe"
                    3⤵
                      PID:1908
                    • C:\Users\Admin\Pictures\Adobe Films\B5B4FRPbQXWyESwSgJgkD6Oy.exe
                      "C:\Users\Admin\Pictures\Adobe Films\B5B4FRPbQXWyESwSgJgkD6Oy.exe"
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:600
                    • C:\Users\Admin\Pictures\Adobe Films\lrkZahRLCP7ohqrTqcmoD5m3.exe
                      "C:\Users\Admin\Pictures\Adobe Films\lrkZahRLCP7ohqrTqcmoD5m3.exe"
                      3⤵
                      • Executes dropped EXE
                      PID:1384
                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        4⤵
                        • Executes dropped EXE
                        PID:2928
                    • C:\Users\Admin\Pictures\Adobe Films\tIBKM4o_NEGp3ywFdN7HlGOj.exe
                      "C:\Users\Admin\Pictures\Adobe Films\tIBKM4o_NEGp3ywFdN7HlGOj.exe"
                      3⤵
                      • Executes dropped EXE
                      PID:696
                    • C:\Users\Admin\Pictures\Adobe Films\u2yv89iZ480Go4IJbf1BIfgf.exe
                      "C:\Users\Admin\Pictures\Adobe Films\u2yv89iZ480Go4IJbf1BIfgf.exe"
                      3⤵
                        PID:3016
                      • C:\Users\Admin\Pictures\Adobe Films\KcX0T_Gc_Mh87GmBLy8igT5b.exe
                        "C:\Users\Admin\Pictures\Adobe Films\KcX0T_Gc_Mh87GmBLy8igT5b.exe"
                        3⤵
                        • Executes dropped EXE
                        PID:3008
                      • C:\Users\Admin\Pictures\Adobe Films\V0jjhDkG88ZmE6YEVy8qSKt0.exe
                        "C:\Users\Admin\Pictures\Adobe Films\V0jjhDkG88ZmE6YEVy8qSKt0.exe"
                        3⤵
                          PID:2840
                        • C:\Users\Admin\Pictures\Adobe Films\ury1WSI0lVJnD91dQVc78hx6.exe
                          "C:\Users\Admin\Pictures\Adobe Films\ury1WSI0lVJnD91dQVc78hx6.exe"
                          3⤵
                            PID:2800
                          • C:\Users\Admin\Pictures\Adobe Films\RbVf9O9oevuSjzOyPHRRPmFu.exe
                            "C:\Users\Admin\Pictures\Adobe Films\RbVf9O9oevuSjzOyPHRRPmFu.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:2980
                            • C:\Users\Public\Videos\hgfdfds.exe
                              "C:\Users\Public\Videos\hgfdfds.exe"
                              4⤵
                              • Executes dropped EXE
                              PID:2060
                          • C:\Users\Admin\Pictures\Adobe Films\XFweVYgMR1A2LH1D8oI0ZLm9.exe
                            "C:\Users\Admin\Pictures\Adobe Films\XFweVYgMR1A2LH1D8oI0ZLm9.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1700
                          • C:\Users\Admin\Pictures\Adobe Films\OH4QilRJcQTxfnhZHzMaSULN.exe
                            "C:\Users\Admin\Pictures\Adobe Films\OH4QilRJcQTxfnhZHzMaSULN.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1568
                          • C:\Users\Admin\Pictures\Adobe Films\09LAAj7_61Gsy2umKDku9zj4.exe
                            "C:\Users\Admin\Pictures\Adobe Films\09LAAj7_61Gsy2umKDku9zj4.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1712
                          • C:\Users\Admin\Pictures\Adobe Films\mSRdF8QekYjtWxDKuwkM1XBn.exe
                            "C:\Users\Admin\Pictures\Adobe Films\mSRdF8QekYjtWxDKuwkM1XBn.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:2968
                          • C:\Users\Admin\Pictures\Adobe Films\1jt7rSVG5SZB6lUnVrDj4fby.exe
                            "C:\Users\Admin\Pictures\Adobe Films\1jt7rSVG5SZB6lUnVrDj4fby.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:2932
                          • C:\Users\Admin\Pictures\Adobe Films\mZldEMfj7foiMCeDeYHi7CXV.exe
                            "C:\Users\Admin\Pictures\Adobe Films\mZldEMfj7foiMCeDeYHi7CXV.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:2908
                          • C:\Users\Admin\Pictures\Adobe Films\7Y6e_DDRTVHCGt7AcNCVJzAr.exe
                            "C:\Users\Admin\Pictures\Adobe Films\7Y6e_DDRTVHCGt7AcNCVJzAr.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:2764
                          • C:\Users\Admin\Pictures\Adobe Films\EPO4oNumvOwnPWdlWJmTI6QD.exe
                            "C:\Users\Admin\Pictures\Adobe Films\EPO4oNumvOwnPWdlWJmTI6QD.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:2884
                          • C:\Users\Admin\Pictures\Adobe Films\VVoJT5cE0ECQXqqiwq4Kpe8B.exe
                            "C:\Users\Admin\Pictures\Adobe Films\VVoJT5cE0ECQXqqiwq4Kpe8B.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:2388
                          • C:\Users\Admin\Pictures\Adobe Films\xiEntTGR95RIJgd7eED3Q_zy.exe
                            "C:\Users\Admin\Pictures\Adobe Films\xiEntTGR95RIJgd7eED3Q_zy.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1756
                          • C:\Users\Admin\Pictures\Adobe Films\AJcKN9CuK3tCH4vn6gqOWCEU.exe
                            "C:\Users\Admin\Pictures\Adobe Films\AJcKN9CuK3tCH4vn6gqOWCEU.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1724
                      • C:\Windows\system32\rUNdlL32.eXe
                        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                        1⤵
                        • Process spawned unexpected child process
                        • Suspicious use of WriteProcessMemory
                        PID:772
                        • C:\Windows\SysWOW64\rundll32.exe
                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                          2⤵
                          • Loads dropped DLL
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:576

                      Network

                            MITRE ATT&CK Enterprise v6

                            Downloads
