Analysis

  • max time kernel
    158s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 21:29

General

  • Target

    2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe

  • Size

    24.3MB

  • MD5

    270476592fb19318a5c2318b87e6343a

  • SHA1

    322108da623c46196ae5aeb020d0d988e3fe1a1e

  • SHA256

    50acb50ae74f8a114683c14a5be3b90f7362d101dc3f778788487bc9e0ef7574

  • SHA512

    3d9678d50c36d19131b343f8fd441640fc128334f75a62d088daa8cb65092bd7354e25c5aab4c14a2090b3d96d43c9be4103b772e42a9ae2529bbd769f79d957

  • SSDEEP

    196608:KP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpUH2SAmGcWqnlv018Nsd/N:KPboGX8a/jWWu3cP2D/cWcls17dV

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 24 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4672
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:4832
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:2872
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1656
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:5108
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:560
    • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:744
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:4904
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3404
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:3600
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:3096
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:2364
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:4648
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:1848
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:3956
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:1784
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:4740
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
      1⤵
        PID:2324
      • C:\Windows\system32\TieringEngineService.exe
        C:\Windows\system32\TieringEngineService.exe
        1⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:404
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3248
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Executes dropped EXE
        PID:3668
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1536
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Executes dropped EXE
        PID:5052
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:3896
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
          2⤵
          • Modifies data under HKEY_USERS
          PID:1848
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4512

        Network

        MITRE ATT&CK Enterprise v15

        Downloads
