Analysis

  • max time kernel
    651s
  • max time network
    630s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03-04-2024 05:50

General

  • Target

    https://www.mediafire.com/file_premium/6h9hyxbf0k8pkgo/Ch3%2540t_Hub_New.rar/file

Score
10/10

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 9 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2936
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:780
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:572
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1340
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file_premium/6h9hyxbf0k8pkgo/Ch3%2540t_Hub_New.rar/file
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3980
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffebe29758,0x7fffebe29768,0x7fffebe29778
        2⤵
          PID:1704
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:2
        2⤵
          PID:2180
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        2⤵
          PID:4632
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        2⤵
          PID:4780
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:1
        2⤵
          PID:4992
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2912 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:1
        2⤵
          PID:2200
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        2⤵
          PID:756
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        2⤵
          PID:4552
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        2⤵
        • NTFS ADS
        PID:1848
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5540 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:2
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1612
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        2⤵
          PID:4704
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Ch3@t_Hub_New.rar"
        2⤵
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1412
          • C:\Users\Admin\AppData\Local\Temp\7zO48596EC0\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\7zO48596EC0\Setup.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:1856
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                4⤵
                  PID:568
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                4⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Suspicious behavior: EnumeratesProcesses
                PID:768
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 524
                    5⤵
                    • Program crash
                    PID:2500
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 516
                    5⤵
                    • Program crash
                    PID:2112
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1008
                4⤵
                • Program crash
                PID:4192
          • C:\Users\Admin\AppData\Local\Temp\7zO4855D931\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\7zO4855D931\Setup.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:1672
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                4⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Suspicious behavior: EnumeratesProcesses
                PID:3308
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 520
                    5⤵
                    • Program crash
                    PID:3400
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 516
                    5⤵
                    • Program crash
                    PID:2944
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 988
                4⤵
                • Program crash
                PID:2340
          • C:\Users\Admin\AppData\Local\Temp\7zO485F2E11\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\7zO485F2E11\Setup.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:1476
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                4⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Suspicious behavior: EnumeratesProcesses
                PID:2996
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 520
                    5⤵
                    • Program crash
                    PID:4872
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 524
                    5⤵
                    • Program crash
                    PID:1140
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1020
                4⤵
                • Program crash
                PID:1936
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
      PID:4968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 1856
    1⤵
      PID:3844
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 768 -ip 768
    1⤵
      PID:4836
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 768 -ip 768
    1⤵
      PID:2160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1672 -ip 1672
    1⤵
      PID:3876
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3308 -ip 3308
    1⤵
      PID:2008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3308 -ip 3308
    1⤵
      PID:2732
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1476 -ip 1476
    1⤵
      PID:3420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2996 -ip 2996
    1⤵
      PID:3112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2996 -ip 2996
    1⤵
      PID:1888

Network

MITRE ATT&CK Enterprise v15

Downloads


                                              Filesize

                                              2.0MB

                                            • memory/1340-252-0x0000000002180000-0x0000000002580000-memory.dmp

                                              Filesize

                                              4.0MB

                                            • memory/1340-249-0x0000000002180000-0x0000000002580000-memory.dmp

                                              Filesize

                                              4.0MB

                                            • memory/1340-258-0x00007FFFFAA00000-0x00007FFFFAC09000-memory.dmp

                                              Filesize

                                              2.0MB

                                            • memory/1340-257-0x0000000002180000-0x0000000002580000-memory.dmp

                                              Filesize

                                              4.0MB

                                            • memory/1476-238-0x0000000002AF0000-0x0000000004AF0000-memory.dmp

                                              Filesize

                                              32.0MB

                                            • memory/1476-239-0x00000000742A0000-0x0000000074A51000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/1476-232-0x00000000742A0000-0x0000000074A51000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/1672-189-0x00000000026B0000-0x00000000046B0000-memory.dmp

                                              Filesize

                                              32.0MB

                                            • memory/1672-183-0x00000000742A0000-0x0000000074A51000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/1672-190-0x00000000742A0000-0x0000000074A51000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/1856-141-0x00000000742A0000-0x0000000074A51000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/1856-132-0x00000000742A0000-0x0000000074A51000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/1856-139-0x0000000002580000-0x0000000004580000-memory.dmp

                                              Filesize

                                              32.0MB

                                            • memory/1856-131-0x00000000000A0000-0x0000000000104000-memory.dmp

                                              Filesize

                                              400KB

                                            • memory/2996-245-0x0000000004270000-0x0000000004670000-memory.dmp

                                              Filesize

                                              4.0MB

                                            • memory/2996-246-0x0000000076350000-0x00000000765A2000-memory.dmp

                                              Filesize

                                              2.3MB

                                            • memory/2996-243-0x00007FFFFAA00000-0x00007FFFFAC09000-memory.dmp

                                              Filesize

                                              2.0MB

                                            • memory/2996-242-0x0000000004270000-0x0000000004670000-memory.dmp

                                              Filesize

                                              4.0MB

                                            • memory/2996-256-0x0000000004270000-0x0000000004670000-memory.dmp

                                              Filesize

                                              4.0MB

                                            • memory/3308-207-0x00000000037C0000-0x0000000003BC0000-memory.dmp

                                              Filesize

                                              4.0MB

                                            • memory/3308-197-0x0000000076350000-0x00000000765A2000-memory.dmp

                                              Filesize

                                              2.3MB

                                            • memory/3308-196-0x00000000037C0000-0x0000000003BC0000-memory.dmp

                                              Filesize

                                              4.0MB

                                            • memory/3308-194-0x00007FFFFAA00000-0x00007FFFFAC09000-memory.dmp

                                              Filesize

                                              2.0MB

                                            • memory/3308-192-0x00000000037C0000-0x0000000003BC0000-memory.dmp

                                              Filesize

                                              4.0MB

                                            • memory/3308-193-0x00000000037C0000-0x0000000003BC0000-memory.dmp

                                              Filesize

                                              4.0MB