Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2023, 11:55

General

  • Target

    Purchase Order 202319876.exe

  • Size

    1.5MB

  • MD5

    b3b47f7fd1fad3e0d79c8d20a5bd57b0

  • SHA1

    dcb8e21d45e9b6a1b9408b67866f79c191e0122c

  • SHA256

    df2a21acbf5abb55445a48a442b6245205ec80e36bb861aadd47ee18e4d132f2

  • SHA512

    3e711ff9895ee2f627c79ef089ff9955c5b73ba3fc05787e66fb635159e7737d95c67b79606a5d8cea7e0f37962989f8332221aec79d08a64564ce4d3a0b9226

  • SSDEEP

    24576:eTJyekkXDVzThJ68yj42MiIsMcGOKJvADSiBHYcOvCedKERBx4HoHvguqT+z:YjXRf76hsZiZGFJ4DSImvC3ERBZv5pz

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 24 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
      2⤵
        PID:2420
      • C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
        2⤵
          PID:728
        • C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
          "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
          2⤵
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2768
      • C:\Windows\System32\alg.exe
        C:\Windows\System32\alg.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:2512
      • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
        C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
        1⤵
        • Executes dropped EXE
        PID:2156
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
        1⤵
          PID:4736
        • C:\Windows\system32\fxssvc.exe
          C:\Windows\system32\fxssvc.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:672
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
          1⤵
          • Executes dropped EXE
          PID:4392
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
          1⤵
          • Executes dropped EXE
          PID:1336
        • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
          "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
          1⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:3488
        • C:\Windows\System32\msdtc.exe
          C:\Windows\System32\msdtc.exe
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          PID:3448
        • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
          "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
          1⤵
          • Executes dropped EXE
          PID:4264
        • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
          C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
          1⤵
          • Executes dropped EXE
          PID:5020
        • C:\Windows\SysWow64\perfhost.exe
          C:\Windows\SysWow64\perfhost.exe
          1⤵
          • Executes dropped EXE
          PID:2032
        • C:\Windows\system32\locator.exe
          C:\Windows\system32\locator.exe
          1⤵
          • Executes dropped EXE
          PID:3792
        • C:\Windows\System32\SensorDataService.exe
          C:\Windows\System32\SensorDataService.exe
          1⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:1980
        • C:\Windows\System32\snmptrap.exe
          C:\Windows\System32\snmptrap.exe
          1⤵
          • Executes dropped EXE
          PID:1772
        • C:\Windows\system32\spectrum.exe
          C:\Windows\system32\spectrum.exe
          1⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:3652
        • C:\Windows\System32\OpenSSH\ssh-agent.exe
          C:\Windows\System32\OpenSSH\ssh-agent.exe
          1⤵
          • Executes dropped EXE
          PID:3756
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
          1⤵
            PID:4128
          • C:\Windows\system32\TieringEngineService.exe
            C:\Windows\system32\TieringEngineService.exe
            1⤵
            • Executes dropped EXE
            • Checks processor information in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:3192
          • C:\Windows\system32\AgentService.exe
            C:\Windows\system32\AgentService.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:5024
          • C:\Windows\System32\vds.exe
            C:\Windows\System32\vds.exe
            1⤵
            • Executes dropped EXE
            PID:3484
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3592
          • C:\Windows\system32\wbengine.exe
            "C:\Windows\system32\wbengine.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:632
          • C:\Windows\system32\wbem\WmiApSrv.exe
            C:\Windows\system32\wbem\WmiApSrv.exe
            1⤵
            • Executes dropped EXE
            PID:1100
          • C:\Windows\system32\SearchIndexer.exe
            C:\Windows\system32\SearchIndexer.exe /Embedding
            1⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4336
            • C:\Windows\system32\SearchProtocolHost.exe
              "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
              2⤵
              • Modifies data under HKEY_USERS
              PID:4448
            • C:\Windows\system32\SearchFilterHost.exe
              "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
              2⤵
              • Modifies data under HKEY_USERS
              PID:2720

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

                  Filesize

                  2.1MB

                  MD5

                  9a614f1a2fc5ef7839f5becdbc6a3c1a

                  SHA1

                  029c4e42118e56b729894416b06acaeafed43115

                  SHA256

                  c4054a8a89968ec98da72ca8656ee675e0f840e92b777f66d199fbc4d2cc54aa

                  SHA512

                  51b7646910aba0095b84fee8554b19eb2892a539a86ac92adec46f2aab4f7c51298f84e21a728860741adff213508a757cee432f267c46fda09a29fe189fffc7

                • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                  Filesize

                  1.4MB

                  MD5

                  a85b5c97d5850fc5ec1657349876b548

                  SHA1

                  82d0b6c8b569300b026969ac785ba1171d69ff9a

                  SHA256

                  08ad2cd28bd8659550ec9aa484278aa5e9dd73d1cddeb1cfabc94ea995618ac1

                  SHA512

                  b2dd98c0775cace8aea5d9bbaa8cfd37973bd67bbc7721b5a260be4356b8a8d342342f228bdf53c3a2d3764c1bc8bd1a32ce88e9e08365a157cf16361238c340

                • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

                  Filesize

                  1.5MB

                  MD5

                  ec99b81d7d3197e4d7f8fa20f1b8c613

                  SHA1

                  0f36ae90e8ab65f4169c693f51fabafa16e1d736

                  SHA256

                  482db57bb12d4815f81a1caff91447b825be6827eced034d88ed1ae9a9584cc4

                  SHA512

                  8ec2765b212ea7d50d62f2c5df320317b44f3b7c4722245498584922aac138c71e05497c5bb27e58ad1aff01ad203fd12cb88112cdf19ac7aef39d8fe2267073

                • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

                  Filesize

                  2.1MB

                  MD5

                  c8073bc7ad810c28bb802e39ab73915b

                  SHA1

                  bcd3345ff3c9033a3f9c7f9d732806af4d030ae4

                  SHA256

                  d3a30517c85d2c61a15273688fd15bf47f8bccd21127937bc994c68678bc7251

                  SHA512

                  5d680ab59525959180d30ca5e7ab718d88d07579eb5ca7f9682a42a29264ed4a0093ba4daa7fb03134448025e4a4c3d7020f4db401629bca4031a05ab545e61f

                • C:\Windows\SysWOW64\perfhost.exe

                  Filesize

                  1.2MB

                  MD5

                  7d047f86a0d9ea2f34ac9451bee9010b

                  SHA1

                  b37084d9f342e70b2ba28a78bd2b3f6dba6fbb19

                  SHA256

                  1719c4babafde3747130a23aa9523e19b0ab74bff307af8e5a4a52feaef6ce1e

                  SHA512

                  3f735be0db8615e4479faf27d0662a4a0054c9d0a209e9f731652320fc7778d4bc1ea7118b3bbf0560ee6cb43601e135a5ada6d0f0784312bbb856fcdb6d8175

                • C:\Windows\System32\AgentService.exe

                  Filesize

                  1.7MB

                  MD5

                  3b1d8b61b4d5bf4b9568c9c921b4c75d

                  SHA1

                  076e619f038c0815342338739b759a64eb4a3cd2

                  SHA256

                  9fe14d62aba56c4428f95bd83575d3b4c74d47ed501d0c3611a794fd868fa852

                  SHA512

                  f7871b46d107867f7042b44e879068759d97001c049799bc929da978b268f42c1c072d2724265cf70dee663a747a1a4365ce110be9f40334d1c771d689a4195e

                • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

                  Filesize

                  1.3MB

                  MD5

                  6863035026b6522cef81b2349798a0ce

                  SHA1

                  3c8d97dfd6e47513213907b6c9b354b13f3de166

                  SHA256

                  89d24eb9282e9d2ffb59a40c2204febca1efa4bb38ddd2b5880d088d8ea222f1

                  SHA512

                  904a5333ad795c6ea0d2f677c236b9073fe0d0f839909381bfd05d5f2a18a8667806cedd7f98c5144d12c8d4da01862eed722668736da5d72bbb053c52ad5c9e

                • C:\Windows\System32\FXSSVC.exe

                  Filesize

                  1.2MB

                  MD5

                  09d4036257c40bde3d30cc37461efdba

                  SHA1

                  28d14e050d1bd8bfe818fad2eadb3d61e873e139

                  SHA256

                  539fad92159cfb983e8cc56aa83b04bb7854d31fbdeb1fe85f66948a34029f25

                  SHA512

                  67906ec36ec57275cbf295bd6a8bc06a5e08e38b3011de06231adff902098ef5292dc71a75cec919b27383ea19189e9172ebed00c4bcc9f0e411bc3dc0b5fb4a

                • C:\Windows\System32\Locator.exe

                  Filesize

                  1.2MB

                  MD5

                  e69bed59ca73faf98194a26ff951ed8f

                  SHA1

                  dbdc6de7abcefacc83c309927e87592e0ca26ea1

                  SHA256

                  2f7879f3ff71b5d349625c6b3013c1741a1250ab78d8cd553fea1f512464d119

                  SHA512

                  f8b1b771b53373460307c708f2b52d3309cb476b82dc830fac89a7fc22cd43f1a6dd6ca5d22413151dbea1a19c095beaf76ba8a9b21ba8ef924379b4cbd4f540

                • C:\Windows\System32\OpenSSH\ssh-agent.exe

                  Filesize

                  1.6MB

                  MD5

                  f8bbe6757c54ee3d29e4131d37c2edf4

                  SHA1

                  58ae9a360a3abbdbeaec47672ee2e2d8de7de866

                  SHA256

                  c55efa83980bd90f2c9b0f1721392a690b286c03ae26cd3a78c6680e31ce7812

                  SHA512

                  513851f28c67457642603dff61397c4aeee98d5f9ca1977868e068d1d9af67294b3b6e1173bd98b52765a32e0d6e67db0d1aeb83c77b864ba822a2db9dc38e09

                • C:\Windows\System32\OpenSSH\ssh-agent.exe

                  Filesize

                  1.6MB

                  MD5

                  f8bbe6757c54ee3d29e4131d37c2edf4

                  SHA1

                  58ae9a360a3abbdbeaec47672ee2e2d8de7de866

                  SHA256

                  c55efa83980bd90f2c9b0f1721392a690b286c03ae26cd3a78c6680e31ce7812

                  SHA512

                  513851f28c67457642603dff61397c4aeee98d5f9ca1977868e068d1d9af67294b3b6e1173bd98b52765a32e0d6e67db0d1aeb83c77b864ba822a2db9dc38e09

                • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

                  Filesize

                  1.3MB

                  MD5

                  adf3ce14cb89bc6cbc96532d21cf2ad4

                  SHA1

                  66d4bf7cad62287ec17a38557a23daf362b8511b

                  SHA256

                  54660ab1ddd1555c79b5858001a410985c7b7915e0df596c30b8bd310c45bc93

                  SHA512

                  25d2e462f08927a5e01646e6e45fd091d29e8f3d8dd10fb3f6caabf94a61e72979dfcf95495555b869ad99593587b7beaf3b44bf0b8a73818dfdb2944aab0967

                • C:\Windows\System32\SearchIndexer.exe

                  Filesize

                  1.4MB

                  MD5

                  8cf95c2d01377dcb931efa9218faf180

                  SHA1

                  592b808748a1f374bdc9bf29bf014e52c4870154

                  SHA256

                  7ad78b30003fa1466af8c3edc32cc161d87b6719199360ec3417e7cf8ee8d658

                  SHA512

                  9574bc6ae2e41eba20321533f05849535edbdd142321b03e5135c61a58da7f811608fdda32e340dd8bb7b814dae97d0bfa316f6722fd401cfa3bc3d9e66f1288

                • C:\Windows\System32\SensorDataService.exe

                  Filesize

                  1.8MB

                  MD5

                  725183e126588c1de3efe6cedfb27689

                  SHA1

                  f9e98b964ce2e08455a6c68c9f76a95d091b08d8

                  SHA256

                  f4b5fbd0a010aced5cdb8fe00c658327738affc8ae19a3eaf2a0b74db81ff2f6

                  SHA512

                  47ea6844f7dc21173f9f9d3055d7b8aec65d1be8f1b252d39466feccc2116824ee73781b27e5c62fbad131bd6222ba487eee58de4fb2c5e2b40378f90c969ec8

                • C:\Windows\System32\Spectrum.exe

                  Filesize

                  1.4MB

                  MD5

                  76691b56eb59173df91eadac312f2a28

                  SHA1

                  b34c23a8e3faa7115ec23c0f904d62c0f018d75d

                  SHA256

                  11ec235c905a1c1cd078f61f40c87866f87f07ce258f9b9fd52e92fb49e43002

                  SHA512

                  d3b371b24bac31755b281d0d53f0948f3f785ea3fe84482bfc3607f7b4830a6a580916fbed86f01f6fa68b9f0da06757e7672193a611c2446a392e53f5e78b31

                • C:\Windows\System32\TieringEngineService.exe

                  Filesize

                  1.5MB

                  MD5

                  9e3b210389c184f139c3dca846fb22f4

                  SHA1

                  1c67499f8d1020a56454a585ecbfbd250afcd07a

                  SHA256

                  77d8a165d9fbb66c22bfc485b579b7a21989e5afa964d8079ef68d2d2aadf085

                  SHA512

                  4e784801fdd38c0ec3f6b88c0db7f4e1802dac355db86664251efd2e9a3ce6af612330cd1d667489ef21f7e0fdedbcad7cec8e82baf215b257e9bcd2d13d741a

                • C:\Windows\System32\VSSVC.exe

                  Filesize

                  2.0MB

                  MD5

                  cea109f394459de729501b368853167c

                  SHA1

                  b865de4f867ec3fc4fddab405c671f0ff977942c

                  SHA256

                  fdf23eca6ebb4ffe0f6389df0f7b0cbfd05a8dd5b88ce41a3c3201a1f1d0fe6e

                  SHA512

                  2ca0e4aa75b17ced54e99d91097605429c9fd6d60fda0db623dcc6233386468da4325736a06e29f1d7a4241b425a5192f4708bf64f9cd4f858a08c17fae5e892

                • C:\Windows\System32\alg.exe

                  Filesize

                  1.3MB

                  MD5

                  2560f3082cacd83143b2333a01c89d6e

                  SHA1

                  3ddda3a1972048044c7f87934c2f9351c9b2a9c1

                  SHA256

                  6a2067a3ee7d7d8653faf224f3c834340b910c57d8c1246ed2f46279168ebff5

                  SHA512

                  3c9aa4769f967e45b2cbe46583467c3b05761ac0d8084ade7f6c8538e5d74f85bad1b7e3c459772727d91c37a30392093d6844c4d9247a369f763fe184f6c238

                • C:\Windows\System32\msdtc.exe

                  Filesize

                  1.4MB

                  MD5

                  261183529dda4f83247af8c9a89aafea

                  SHA1

                  bcd7afdaf4b96049a9c095d7bd349faedf378ba5

                  SHA256

                  e99dc6f3f48981899d4b13a8a8973507a184aa4860c843cb24e8e1b22e3eb63a

                  SHA512

                  fe7fb714e10b6089b912304a250be870459cc5d7d0dd58f03d45a5cde4154b135f801812252bd239e234fe2dcd92545677bef70a6a1a5c45035bd286e7399832

                • C:\Windows\System32\snmptrap.exe

                  Filesize

                  1.2MB

                  MD5

                  959bfe425d6c45ce99349a3b7978af0b

                  SHA1

                  2cac49fec0a5f76b909a2782a688992d9651cd3a

                  SHA256

                  d0aac24a64dc4345bcc829ad2f2b509a56f5825ca57971995e0ef18b04812d1f

                  SHA512

                  7eeea7e9ea45aa84ac1e69e8e8b54145a15f4b341ae13a379d7c2549f7420cd5f12ad27647ecce614ea3c9dc8f10452897795fb453004d2610ad033166307952

                • C:\Windows\System32\vds.exe

                  Filesize

                  1.3MB

                  MD5

                  15c7919d587d1b37842e2d6607035bdb

                  SHA1

                  e00ff9e8d1a8f854feb4bd1859f73e0e9aaec923

                  SHA256

                  42792d2abfbcaf74b0494bebcebad705f8370bcb9bdfb1639a40dbea9d7d8968

                  SHA512

                  aacd62b85d569b85f6d93d0f473f1622e2b7b61970585b08413c5ba91088fd8c6f7f3a57a23a2aa0ad72e39010f4bd8dd1cdd9d1a747f0659601195c09705a30

                • C:\Windows\System32\wbem\WmiApSrv.exe

                  Filesize

                  1.4MB

                  MD5

                  96b5ce3ad00f3c33c978d6baa0296ddc

                  SHA1

                  60ef74a4c2f1ecf5c8fab0b466679c1350b9ab12

                  SHA256

                  16904731c8f852d69ab50fe8ad69e7aa35261019cf4e28fc31621db52fce3f18

                  SHA512

                  f067cbf47ff91a7eae5c93de78d4a87955cdf8384d3a20215c4ad51dd58fcd989bf2f3988071b3854b4476e47fbf49d3e72ac06f57b69f1b2d0661d21f408a18

                • C:\Windows\System32\wbengine.exe

                  Filesize

                  2.1MB

                  MD5

                  8e96cbff95fbafa748ae27d723517be9

                  SHA1

                  078e53d2e6702a939931b628aad42bab0f8c640e

                  SHA256

                  a86391753a7cf544041915967378b7dafe2c3e84aef1dbc0441bb60b81e68403

                  SHA512

                  1aeca7561091c22feb0f6f9a7a3e540af639f5323aba6676aa3e58921f587230c405b93f5ddb7c51bc4f2b7a8c4ac57714632b5ee93f67c7c150da81ca64b3ea

                • memory/632-400-0x0000000140000000-0x0000000140216000-memory.dmp

                  Filesize

                  2.1MB

                • memory/672-181-0x0000000000A10000-0x0000000000A70000-memory.dmp

                  Filesize

                  384KB

                • memory/672-187-0x0000000000A10000-0x0000000000A70000-memory.dmp

                  Filesize

                  384KB

                • memory/672-190-0x0000000000A10000-0x0000000000A70000-memory.dmp

                  Filesize

                  384KB

                • memory/672-193-0x0000000140000000-0x0000000140135000-memory.dmp

                  Filesize

                  1.2MB

                • memory/1100-662-0x0000000140000000-0x000000014021D000-memory.dmp

                  Filesize

                  2.1MB

                • memory/1100-403-0x0000000140000000-0x000000014021D000-memory.dmp

                  Filesize

                  2.1MB

                • memory/1336-205-0x0000000000190000-0x00000000001F0000-memory.dmp

                  Filesize

                  384KB

                • memory/1336-211-0x0000000000190000-0x00000000001F0000-memory.dmp

                  Filesize

                  384KB

                • memory/1336-213-0x0000000140000000-0x000000014022B000-memory.dmp

                  Filesize

                  2.2MB

                • memory/1336-358-0x0000000140000000-0x000000014022B000-memory.dmp

                  Filesize

                  2.2MB

                • memory/1772-591-0x0000000140000000-0x00000001401ED000-memory.dmp

                  Filesize

                  1.9MB

                • memory/1772-310-0x0000000140000000-0x00000001401ED000-memory.dmp

                  Filesize

                  1.9MB

                • memory/1980-553-0x0000000140000000-0x00000001401D7000-memory.dmp

                  Filesize

                  1.8MB

                • memory/1980-309-0x0000000140000000-0x00000001401D7000-memory.dmp

                  Filesize

                  1.8MB

                • memory/2032-287-0x0000000000400000-0x00000000005EE000-memory.dmp

                  Filesize

                  1.9MB

                • memory/2156-169-0x00000000006E0000-0x0000000000740000-memory.dmp

                  Filesize

                  384KB

                • memory/2156-175-0x00000000006E0000-0x0000000000740000-memory.dmp

                  Filesize

                  384KB

                • memory/2156-179-0x0000000140000000-0x0000000140200000-memory.dmp

                  Filesize

                  2.0MB

                • memory/2512-157-0x0000000000640000-0x00000000006A0000-memory.dmp

                  Filesize

                  384KB

                • memory/2512-163-0x0000000000640000-0x00000000006A0000-memory.dmp

                  Filesize

                  384KB

                • memory/2512-178-0x0000000140000000-0x0000000140201000-memory.dmp

                  Filesize

                  2.0MB

                • memory/2720-707-0x00000192555F0000-0x0000019255600000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-755-0x0000019255670000-0x0000019255680000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-594-0x00000192552E0000-0x00000192552F0000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-789-0x00000192555F0000-0x0000019255600000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-790-0x0000019255670000-0x0000019255680000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-787-0x00000192555F0000-0x0000019255600000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-788-0x00000192555F0000-0x0000019255600000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-768-0x0000019255520000-0x0000019255530000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-767-0x0000019255520000-0x0000019255530000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-764-0x0000019255520000-0x0000019255530000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-763-0x00000192552C0000-0x00000192552C1000-memory.dmp

                  Filesize

                  4KB

                • memory/2720-709-0x0000019255670000-0x0000019255680000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-754-0x0000019255670000-0x0000019255680000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-753-0x0000019255670000-0x0000019255680000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-752-0x0000019255670000-0x0000019255680000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-751-0x0000019255670000-0x0000019255680000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-711-0x0000019255670000-0x0000019255680000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-629-0x0000019255520000-0x0000019255530000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-592-0x00000192552C0000-0x00000192552C1000-memory.dmp

                  Filesize

                  4KB

                • memory/2720-710-0x0000019255670000-0x0000019255680000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-663-0x0000019255520000-0x0000019255530000-memory.dmp

                  Filesize

                  64KB

                • memory/2720-708-0x00000192555F0000-0x0000019255600000-memory.dmp

                  Filesize

                  64KB

                • memory/2768-154-0x0000000000400000-0x000000000065B000-memory.dmp

                  Filesize

                  2.4MB

                • memory/2768-143-0x0000000000400000-0x000000000065B000-memory.dmp

                  Filesize

                  2.4MB

                • memory/2768-144-0x00000000016A0000-0x0000000001706000-memory.dmp

                  Filesize

                  408KB

                • memory/2768-140-0x0000000000400000-0x000000000065B000-memory.dmp

                  Filesize

                  2.4MB

                • memory/2768-285-0x0000000000400000-0x000000000065B000-memory.dmp

                  Filesize

                  2.4MB

                • memory/2768-149-0x00000000016A0000-0x0000000001706000-memory.dmp

                  Filesize

                  408KB

                • memory/3192-360-0x0000000140000000-0x0000000140239000-memory.dmp

                  Filesize

                  2.2MB

                • memory/3304-136-0x0000000005350000-0x000000000535A000-memory.dmp

                  Filesize

                  40KB

                • memory/3304-137-0x0000000005570000-0x0000000005580000-memory.dmp

                  Filesize

                  64KB

                • memory/3304-134-0x00000000058C0000-0x0000000005E64000-memory.dmp

                  Filesize

                  5.6MB

                • memory/3304-133-0x0000000000950000-0x0000000000ACC000-memory.dmp

                  Filesize

                  1.5MB

                • memory/3304-135-0x00000000053B0000-0x0000000005442000-memory.dmp

                  Filesize

                  584KB

                • memory/3304-138-0x0000000005570000-0x0000000005580000-memory.dmp

                  Filesize

                  64KB

                • memory/3304-139-0x000000000AD30000-0x000000000ADCC000-memory.dmp

                  Filesize

                  624KB

                • memory/3448-456-0x0000000140000000-0x0000000140210000-memory.dmp

                  Filesize

                  2.1MB

                • memory/3448-232-0x00000000007D0000-0x0000000000830000-memory.dmp

                  Filesize

                  384KB

                • memory/3448-231-0x0000000140000000-0x0000000140210000-memory.dmp

                  Filesize

                  2.1MB

                • memory/3484-372-0x0000000140000000-0x0000000140147000-memory.dmp

                  Filesize

                  1.3MB

                • memory/3488-223-0x0000000002050000-0x00000000020B0000-memory.dmp

                  Filesize

                  384KB

                • memory/3488-228-0x0000000140000000-0x0000000140221000-memory.dmp

                  Filesize

                  2.1MB

                • memory/3488-217-0x0000000140000000-0x0000000140221000-memory.dmp

                  Filesize

                  2.1MB

                • memory/3488-216-0x0000000002050000-0x00000000020B0000-memory.dmp

                  Filesize

                  384KB

                • memory/3488-226-0x0000000002050000-0x00000000020B0000-memory.dmp

                  Filesize

                  384KB

                • memory/3592-373-0x0000000140000000-0x00000001401FC000-memory.dmp

                  Filesize

                  2.0MB

                • memory/3592-628-0x0000000140000000-0x00000001401FC000-memory.dmp

                  Filesize

                  2.0MB

                • memory/3652-599-0x0000000140000000-0x0000000140169000-memory.dmp

                  Filesize

                  1.4MB

                • memory/3652-330-0x0000000140000000-0x0000000140169000-memory.dmp

                  Filesize

                  1.4MB

                • memory/3756-601-0x0000000140000000-0x0000000140259000-memory.dmp

                  Filesize

                  2.3MB

                • memory/3756-332-0x0000000140000000-0x0000000140259000-memory.dmp

                  Filesize

                  2.3MB

                • memory/3792-288-0x0000000140000000-0x00000001401EC000-memory.dmp

                  Filesize

                  1.9MB

                • memory/4264-254-0x0000000140000000-0x0000000140226000-memory.dmp

                  Filesize

                  2.1MB

                • memory/4336-706-0x0000000140000000-0x0000000140179000-memory.dmp

                  Filesize

                  1.5MB

                • memory/4336-457-0x0000000140000000-0x0000000140179000-memory.dmp

                  Filesize

                  1.5MB

                • memory/4392-328-0x0000000140000000-0x0000000140237000-memory.dmp

                  Filesize

                  2.2MB

                • memory/4392-200-0x0000000000C30000-0x0000000000C90000-memory.dmp

                  Filesize

                  384KB

                • memory/4392-194-0x0000000000C30000-0x0000000000C90000-memory.dmp

                  Filesize

                  384KB

                • memory/4392-203-0x0000000140000000-0x0000000140237000-memory.dmp

                  Filesize

                  2.2MB

                • memory/5020-286-0x0000000140000000-0x0000000140202000-memory.dmp

                  Filesize

                  2.0MB

                • memory/5024-359-0x0000000140000000-0x00000001401C0000-memory.dmp

                  Filesize

                  1.8MB