Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-10-2022 10:27

General

  • Target

    3e7038e7051f91070da933aba39a0d70b6d4ec0805f4fd4adb2222f46aab39c3.exe

  • Size

    146KB

  • MD5

    f882f6c0b8bd0ed1fda637d8f314d255

  • SHA1

    981f1105ccbbc303c400a006b851122dbca74241

  • SHA256

    3e7038e7051f91070da933aba39a0d70b6d4ec0805f4fd4adb2222f46aab39c3

  • SHA512

    fbe43b35efa4fed01bcce9ce4475fcff22bebf1ac49a18d9d6b3581c95ce8ea16ee78c4d6b634b04a74fdf88a32726a393854ba467014064a7d35b7f2eb2d99c

  • SSDEEP

    3072:mdtX6r5bx/RnCa58nh0JlSI7FqdrCREk1:YqrJTCqfSiFqdrCOk1

Malware Config

Extracted

Family

redline

Botnet

inslab26

C2

185.182.194.25:8251

Attributes
  • auth_value

    7c9cbd0e489a3c7fd31006406cb96f5b

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

sadcgvc.duckdns.org:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Async RAT payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e7038e7051f91070da933aba39a0d70b6d4ec0805f4fd4adb2222f46aab39c3.exe
    "C:\Users\Admin\AppData\Local\Temp\3e7038e7051f91070da933aba39a0d70b6d4ec0805f4fd4adb2222f46aab39c3.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2364
  • C:\Users\Admin\AppData\Local\Temp\1EB3.exe
    C:\Users\Admin\AppData\Local\Temp\1EB3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4864
  • C:\Users\Admin\AppData\Local\Temp\2200.exe
    C:\Users\Admin\AppData\Local\Temp\2200.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5068
    • C:\Users\Admin\AppData\Local\Temp\2200.exe
      C:\Users\Admin\AppData\Local\Temp\2200.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4332
  • C:\Users\Admin\AppData\Local\Temp\46CF.exe
    C:\Users\Admin\AppData\Local\Temp\46CF.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      2⤵
      • Executes dropped EXE
      PID:1160
  • C:\Users\Admin\AppData\Local\Temp\57D7.exe
    C:\Users\Admin\AppData\Local\Temp\57D7.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:4252
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5012
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
        PID:1020
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:876
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          1⤵
            PID:2748
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            1⤵
              PID:3268
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              1⤵
                PID:4932
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:5088
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  1⤵
                    PID:3924
                  • C:\Windows\explorer.exe
                    C:\Windows\explorer.exe
                    1⤵
                      PID:4768
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      1⤵
                        PID:736
                      • C:\Users\Admin\AppData\Roaming\cjttbtu
                        C:\Users\Admin\AppData\Roaming\cjttbtu
                        1⤵
                        • Executes dropped EXE
                        • Checks SCSI registry key(s)
                        PID:3768

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Execution

                      Scripting

                      1
                      T1064

                      Defense Evasion

                      Scripting

                      1
                      T1064

                      Credential Access

                      Credentials in Files

                      2
                      T1081

                      Discovery

                      Query Registry

                      2
                      T1012

                      System Information Discovery

                      2
                      T1082

                      Peripheral Device Discovery

                      1
                      T1120

                      Collection

                      Data from Local System

                      2
                      T1005

                      Command and Control

                      Web Service

                      1
                      T1102

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2200.exe.log
                        Filesize

                        1KB

                        MD5

                        5c01a57bb6376dc958d99ed7a67870ff

                        SHA1

                        d092c7dfd148ac12b086049d215e6b00bd78628d

                        SHA256

                        cb8fd245425e915bfc5ff411f26303f7cb4a30ed37f2ea4a2f0a12501aa5f2a4

                        SHA512

                        e4e3a4b74f8e209573cce58b572c1f71653e6f4df98f98c5a1cecdf76c9ffb91d5e6994c89df41c9f3613a0584301a56ca922ab7497a434e108b28dcd7d33038

                      • C:\Users\Admin\AppData\Local\Temp\1EB3.exe
                        Filesize

                        431KB

                        MD5

                        5a9fd5240f5f626063abda8b483bd429

                        SHA1

                        476d48e02c8a80bd0cdfae683d25fdeeb100b19a

                        SHA256

                        df55c7b69820c19f1d89fab1a87d4aca1b2210cb8534e5c895f7e3bc56133a3f

                        SHA512

                        cf21686d583274d45410e6a3219a7bbe9a9bb0ad0f05e04ec02dd0815ed5c8f35633d48db5bf5f6b3c1f1c3606218821d9ad1a100a09149b71130a63794e831d

                      • C:\Users\Admin\AppData\Local\Temp\1EB3.exe
                        Filesize

                        431KB

                        MD5

                        5a9fd5240f5f626063abda8b483bd429

                        SHA1

                        476d48e02c8a80bd0cdfae683d25fdeeb100b19a

                        SHA256

                        df55c7b69820c19f1d89fab1a87d4aca1b2210cb8534e5c895f7e3bc56133a3f

                        SHA512

                        cf21686d583274d45410e6a3219a7bbe9a9bb0ad0f05e04ec02dd0815ed5c8f35633d48db5bf5f6b3c1f1c3606218821d9ad1a100a09149b71130a63794e831d

                      • C:\Users\Admin\AppData\Local\Temp\2200.exe
                        Filesize

                        699KB

                        MD5

                        c6f4ffde851054ec2871e72833cd9d59

                        SHA1

                        e688103c4fa3ca815732f0f70f37d11f69232e04

                        SHA256

                        25502cd9907336216d2733d966787f67c47a6ea07a7895a4fa9f26e9206dd0e7

                        SHA512

                        47264796515d6ef559b9f33f68011230ba242f5edfc47ea28cc1f788930a6e42f42c7c2963bf727ab67e86e859ae877a139af91dd0e7e95581a69888ad192fe4

                      • C:\Users\Admin\AppData\Local\Temp\2200.exe
                        Filesize

                        699KB

                        MD5

                        c6f4ffde851054ec2871e72833cd9d59

                        SHA1

                        e688103c4fa3ca815732f0f70f37d11f69232e04

                        SHA256

                        25502cd9907336216d2733d966787f67c47a6ea07a7895a4fa9f26e9206dd0e7

                        SHA512

                        47264796515d6ef559b9f33f68011230ba242f5edfc47ea28cc1f788930a6e42f42c7c2963bf727ab67e86e859ae877a139af91dd0e7e95581a69888ad192fe4

                      • C:\Users\Admin\AppData\Local\Temp\2200.exe
                        Filesize

                        699KB

                        MD5

                        c6f4ffde851054ec2871e72833cd9d59

                        SHA1

                        e688103c4fa3ca815732f0f70f37d11f69232e04

                        SHA256

                        25502cd9907336216d2733d966787f67c47a6ea07a7895a4fa9f26e9206dd0e7

                        SHA512

                        47264796515d6ef559b9f33f68011230ba242f5edfc47ea28cc1f788930a6e42f42c7c2963bf727ab67e86e859ae877a139af91dd0e7e95581a69888ad192fe4

                      • C:\Users\Admin\AppData\Local\Temp\46CF.exe
                        Filesize

                        466KB

                        MD5

                        2955a7fdcda8c0768d106b135a352173

                        SHA1

                        1de1f74183421d4f811af2dc469840c8d266eec9

                        SHA256

                        3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

                        SHA512

                        c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

                      • C:\Users\Admin\AppData\Local\Temp\46CF.exe
                        Filesize

                        466KB

                        MD5

                        2955a7fdcda8c0768d106b135a352173

                        SHA1

                        1de1f74183421d4f811af2dc469840c8d266eec9

                        SHA256

                        3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

                        SHA512

                        c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

                      • C:\Users\Admin\AppData\Local\Temp\57D7.exe
                        Filesize

                        9KB

                        MD5

                        ebccd7e671ccb6332de6f8aac12e06d0

                        SHA1

                        62e6c24486244f9ff3bfd1c06b3cea83b84accdc

                        SHA256

                        a3c30f369a5d59b6204c371d46ac70be94a6bc72cdbc1e767c01734e43cf7f76

                        SHA512

                        892b5530f9c55e518188abda4b55e19995e59cd8e3b1cde64c2d81deae2e171a6d47f4a7557f36249f3a66c9f99b887f846e222ad26a5640f0115db99308f7d8

                      • C:\Users\Admin\AppData\Local\Temp\57D7.exe
                        Filesize

                        9KB

                        MD5

                        ebccd7e671ccb6332de6f8aac12e06d0

                        SHA1

                        62e6c24486244f9ff3bfd1c06b3cea83b84accdc

                        SHA256

                        a3c30f369a5d59b6204c371d46ac70be94a6bc72cdbc1e767c01734e43cf7f76

                        SHA512

                        892b5530f9c55e518188abda4b55e19995e59cd8e3b1cde64c2d81deae2e171a6d47f4a7557f36249f3a66c9f99b887f846e222ad26a5640f0115db99308f7d8

                      • C:\Users\Admin\AppData\Roaming\cjttbtu
                        Filesize

                        146KB

                        MD5

                        f882f6c0b8bd0ed1fda637d8f314d255

                        SHA1

                        981f1105ccbbc303c400a006b851122dbca74241

                        SHA256

                        3e7038e7051f91070da933aba39a0d70b6d4ec0805f4fd4adb2222f46aab39c3

                        SHA512

                        fbe43b35efa4fed01bcce9ce4475fcff22bebf1ac49a18d9d6b3581c95ce8ea16ee78c4d6b634b04a74fdf88a32726a393854ba467014064a7d35b7f2eb2d99c

                      • C:\Users\Admin\AppData\Roaming\cjttbtu
                        Filesize

                        146KB

                        MD5

                        f882f6c0b8bd0ed1fda637d8f314d255

                        SHA1

                        981f1105ccbbc303c400a006b851122dbca74241

                        SHA256

                        3e7038e7051f91070da933aba39a0d70b6d4ec0805f4fd4adb2222f46aab39c3

                        SHA512

                        fbe43b35efa4fed01bcce9ce4475fcff22bebf1ac49a18d9d6b3581c95ce8ea16ee78c4d6b634b04a74fdf88a32726a393854ba467014064a7d35b7f2eb2d99c

                      • C:\Windows\Temp\1.exe
                        Filesize

                        369KB

                        MD5

                        4a32a16c5a3c79ade487c098ee71a2be

                        SHA1

                        414b203eeb20ac7e74316fd2877ca4ebf52193df

                        SHA256

                        61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

                        SHA512

                        6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

                      • C:\Windows\Temp\1.exe
                        Filesize

                        369KB

                        MD5

                        4a32a16c5a3c79ade487c098ee71a2be

                        SHA1

                        414b203eeb20ac7e74316fd2877ca4ebf52193df

                        SHA256

                        61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

                        SHA512

                        6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

                      • memory/736-714-0x0000000000000000-mapping.dmp
                      • memory/736-961-0x00000000001C0000-0x00000000001CB000-memory.dmp
                        Filesize

                        44KB

                      • memory/736-960-0x00000000001D0000-0x00000000001D8000-memory.dmp
                        Filesize

                        32KB

                      • memory/876-866-0x0000000000AF0000-0x0000000000AF9000-memory.dmp
                        Filesize

                        36KB

                      • memory/876-459-0x0000000000AF0000-0x0000000000AF9000-memory.dmp
                        Filesize

                        36KB

                      • memory/876-446-0x0000000000000000-mapping.dmp
                      • memory/876-464-0x0000000000AE0000-0x0000000000AEF000-memory.dmp
                        Filesize

                        60KB

                      • memory/1020-736-0x00000000009D0000-0x00000000009DB000-memory.dmp
                        Filesize

                        44KB

                      • memory/1020-414-0x0000000000000000-mapping.dmp
                      • memory/1020-689-0x00000000009E0000-0x00000000009E7000-memory.dmp
                        Filesize

                        28KB

                      • memory/1020-986-0x00000000009E0000-0x00000000009E7000-memory.dmp
                        Filesize

                        28KB

                      • memory/1160-429-0x0000000000000000-mapping.dmp
                      • memory/1532-925-0x0000000005980000-0x0000000005A1C000-memory.dmp
                        Filesize

                        624KB

                      • memory/1532-901-0x0000000004F20000-0x0000000004F30000-memory.dmp
                        Filesize

                        64KB

                      • memory/1532-515-0x0000000000630000-0x0000000000638000-memory.dmp
                        Filesize

                        32KB

                      • memory/1532-381-0x0000000000000000-mapping.dmp
                      • memory/1752-270-0x0000000000000000-mapping.dmp
                      • memory/2364-142-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-132-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-154-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-155-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-156-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-157-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-158-0x0000000000400000-0x0000000000581000-memory.dmp
                        Filesize

                        1.5MB

                      • memory/2364-152-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-151-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-150-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-147-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-149-0x0000000000400000-0x0000000000581000-memory.dmp
                        Filesize

                        1.5MB

                      • memory/2364-121-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-122-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-123-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-148-0x00000000005F0000-0x000000000073A000-memory.dmp
                        Filesize

                        1.3MB

                      • memory/2364-146-0x00000000005F0000-0x000000000073A000-memory.dmp
                        Filesize

                        1.3MB

                      • memory/2364-145-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-144-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-124-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-143-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-125-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-120-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-140-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-139-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-126-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-127-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-138-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-137-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-128-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-129-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-136-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-130-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-131-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-153-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-133-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-134-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2364-135-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/2748-780-0x00000000008D0000-0x00000000008D5000-memory.dmp
                        Filesize

                        20KB

                      • memory/2748-1017-0x00000000008D0000-0x00000000008D5000-memory.dmp
                        Filesize

                        20KB

                      • memory/2748-486-0x0000000000000000-mapping.dmp
                      • memory/2748-785-0x00000000008C0000-0x00000000008C9000-memory.dmp
                        Filesize

                        36KB

                      • memory/3268-958-0x0000000000330000-0x0000000000336000-memory.dmp
                        Filesize

                        24KB

                      • memory/3268-541-0x0000000000320000-0x000000000032C000-memory.dmp
                        Filesize

                        48KB

                      • memory/3268-527-0x0000000000000000-mapping.dmp
                      • memory/3268-537-0x0000000000330000-0x0000000000336000-memory.dmp
                        Filesize

                        24KB

                      • memory/3924-637-0x0000000000000000-mapping.dmp
                      • memory/3924-920-0x0000000000350000-0x0000000000356000-memory.dmp
                        Filesize

                        24KB

                      • memory/3924-923-0x0000000000340000-0x000000000034B000-memory.dmp
                        Filesize

                        44KB

                      • memory/4332-1063-0x000000000042211A-mapping.dmp
                      • memory/4768-675-0x0000000000000000-mapping.dmp
                      • memory/4768-698-0x0000000000800000-0x000000000080D000-memory.dmp
                        Filesize

                        52KB

                      • memory/4768-693-0x0000000000810000-0x0000000000817000-memory.dmp
                        Filesize

                        28KB

                      • memory/4768-997-0x0000000000810000-0x0000000000817000-memory.dmp
                        Filesize

                        28KB

                      • memory/4864-259-0x00000000008C0000-0x00000000008F8000-memory.dmp
                        Filesize

                        224KB

                      • memory/4864-1003-0x0000000000400000-0x0000000000470000-memory.dmp
                        Filesize

                        448KB

                      • memory/4864-280-0x0000000004AF0000-0x0000000004FEE000-memory.dmp
                        Filesize

                        5.0MB

                      • memory/4864-341-0x0000000005600000-0x0000000005C06000-memory.dmp
                        Filesize

                        6.0MB

                      • memory/4864-342-0x0000000005020000-0x0000000005032000-memory.dmp
                        Filesize

                        72KB

                      • memory/4864-159-0x0000000000000000-mapping.dmp
                      • memory/4864-345-0x0000000005050000-0x000000000515A000-memory.dmp
                        Filesize

                        1.0MB

                      • memory/4864-353-0x0000000005180000-0x00000000051BE000-memory.dmp
                        Filesize

                        248KB

                      • memory/4864-379-0x00000000051F0000-0x000000000523B000-memory.dmp
                        Filesize

                        300KB

                      • memory/4864-161-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-263-0x0000000002440000-0x0000000002470000-memory.dmp
                        Filesize

                        192KB

                      • memory/4864-262-0x0000000000400000-0x0000000000470000-memory.dmp
                        Filesize

                        448KB

                      • memory/4864-257-0x00000000005C0000-0x000000000070A000-memory.dmp
                        Filesize

                        1.3MB

                      • memory/4864-162-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-163-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-164-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-454-0x0000000005490000-0x00000000054F6000-memory.dmp
                        Filesize

                        408KB

                      • memory/4864-165-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-167-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-921-0x0000000007760000-0x00000000077B0000-memory.dmp
                        Filesize

                        320KB

                      • memory/4864-998-0x0000000006E00000-0x0000000006E1E000-memory.dmp
                        Filesize

                        120KB

                      • memory/4864-166-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-179-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-181-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-186-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-188-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-175-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-174-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-583-0x00000000005C0000-0x000000000070A000-memory.dmp
                        Filesize

                        1.3MB

                      • memory/4864-177-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-623-0x0000000006140000-0x00000000061D2000-memory.dmp
                        Filesize

                        584KB

                      • memory/4864-172-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-636-0x0000000006200000-0x00000000063C2000-memory.dmp
                        Filesize

                        1.8MB

                      • memory/4864-653-0x00000000063E0000-0x000000000690C000-memory.dmp
                        Filesize

                        5.2MB

                      • memory/4864-192-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-194-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4864-283-0x00000000049D0000-0x00000000049FE000-memory.dmp
                        Filesize

                        184KB

                      • memory/4864-190-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-193-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-245-0x00000000056A0000-0x0000000005732000-memory.dmp
                        Filesize

                        584KB

                      • memory/4884-183-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-182-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-265-0x00000000057D0000-0x0000000005B20000-memory.dmp
                        Filesize

                        3.3MB

                      • memory/4884-253-0x00000000057A0000-0x00000000057C2000-memory.dmp
                        Filesize

                        136KB

                      • memory/4884-180-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-171-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-223-0x0000000000D10000-0x0000000000DC0000-memory.dmp
                        Filesize

                        704KB

                      • memory/4884-185-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-178-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-168-0x0000000000000000-mapping.dmp
                      • memory/4884-230-0x0000000005580000-0x000000000562E000-memory.dmp
                        Filesize

                        696KB

                      • memory/4884-187-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-191-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-173-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-176-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4884-189-0x0000000077D40000-0x0000000077ECE000-memory.dmp
                        Filesize

                        1.6MB

                      • memory/4932-567-0x0000000000000000-mapping.dmp
                      • memory/4932-1043-0x00000000004E0000-0x0000000000502000-memory.dmp
                        Filesize

                        136KB

                      • memory/4932-876-0x00000000004B0000-0x00000000004D7000-memory.dmp
                        Filesize

                        156KB

                      • memory/4932-872-0x00000000004E0000-0x0000000000502000-memory.dmp
                        Filesize

                        136KB

                      • memory/5012-935-0x000000000040C73E-mapping.dmp
                      • memory/5012-979-0x0000000000400000-0x0000000000412000-memory.dmp
                        Filesize

                        72KB

                      • memory/5068-887-0x00000000084C0000-0x0000000008536000-memory.dmp
                        Filesize

                        472KB

                      • memory/5068-492-0x0000000007160000-0x0000000007788000-memory.dmp
                        Filesize

                        6.2MB

                      • memory/5068-985-0x00000000092A0000-0x00000000092BA000-memory.dmp
                        Filesize

                        104KB

                      • memory/5068-469-0x0000000004A80000-0x0000000004AB6000-memory.dmp
                        Filesize

                        216KB

                      • memory/5068-984-0x0000000009920000-0x0000000009F98000-memory.dmp
                        Filesize

                        6.5MB

                      • memory/5068-845-0x0000000006E10000-0x0000000006E2C000-memory.dmp
                        Filesize

                        112KB

                      • memory/5068-817-0x0000000007DD0000-0x0000000007E36000-memory.dmp
                        Filesize

                        408KB

                      • memory/5068-346-0x0000000000000000-mapping.dmp
                      • memory/5088-604-0x0000000000000000-mapping.dmp
                      • memory/5088-1044-0x0000000002EC0000-0x0000000002EC5000-memory.dmp
                        Filesize

                        20KB

                      • memory/5088-916-0x0000000002EB0000-0x0000000002EB9000-memory.dmp
                        Filesize

                        36KB

                      • memory/5088-914-0x0000000002EC0000-0x0000000002EC5000-memory.dmp
                        Filesize

                        20KB