Analysis

  • max time kernel
    294s
  • max time network
    281s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    06-12-2024 10:38

General

  • Target

    Trojan/Bolbi.vbs

  • Size

    45KB

  • MD5

    87b6ba186f30106ea2764c562dd83490

  • SHA1

    20baaeb5fd4750125f89eb34794f70e3f7fe8857

  • SHA256

    4ae645a52ba5daa6ea305ce0831292a70ad7ec8c12d458f7198bba697b099919

  • SHA512

    07402f02fd51a22a4ec86c6d7063b82d02a721a401aecfbcca5300f13857d0857bdf47490eed709f8d28c264752771bf81df3ce3f5fc476b6a002c953e2c1ec0

  • SSDEEP

    384:8CU32TsQ4YNy9NO4eBHuxk8H3KF2i6VDrWT:8CU3XUANO15ue8XVi65rWT

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables cmd.exe use via registry modification 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Possible privilege escalation attempt 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 14 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 31 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan\Bolbi.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan\Bolbi.vbs" /elevated
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Disables cmd.exe use via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3164
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
          4⤵
            PID:2308
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
            4⤵
            • Impair Defenses: Safe Mode Boot
            PID:3276
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
            4⤵
              PID:4704
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im explorer.exe
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2684
            • C:\Windows\explorer.exe
              explorer.exe
              4⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2996
            • C:\Windows\system32\takeown.exe
              takeown /f C:\Windows\System32\
              4⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:2328
            • C:\Windows\system32\icacls.exe
              icacls C:\Windows\System32 /Grant Users:F
              4⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:2532
            • C:\Windows\system32\takeown.exe
              takeown /f C:\Windows\
              4⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:240
            • C:\Windows\system32\icacls.exe
              icacls C:\Windows\ /Grant Users:F
              4⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:840
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:2488
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4936
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1404
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:5108
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4648
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1600
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4260
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2124
      • C:\Windows\System32\sihclient.exe
        C:\Windows\System32\sihclient.exe /cv Ja6QYj6COUKhikSakwKw9A.0.2
        1⤵
          PID:840
        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:272
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of SendNotifyMessage
          PID:4268
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:4708
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3692
        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:4140
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          PID:1204
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:4328
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4624
        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:3224
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          PID:4332
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:4852
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4632
        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:3700
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          PID:2464
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:4256
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:240
        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:3984
        • C:\Windows\system32\wscript.exe
          wscript.exe C:\Users\Public\ghostroot\Message.vbs explorer.exe
          1⤵
            PID:4560
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:384

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\USERS\ADMIN\DESKTOP\BOLBI.TXT

              Filesize

              29B

              MD5

              b37ed35ef479e43f406429bc36e68ec4

              SHA1

              5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82

              SHA256

              cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c

              SHA512

              d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

              Filesize

              414KB

              MD5

              ab79489e9704fc9cc9d8bee4f8e17ec5

              SHA1

              b2e19a89b43d537bb5b02ee9ca2418f027259c1e

              SHA256

              4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

              SHA512

              60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

              Filesize

              28KB

              MD5

              3cd2f838ca35d21de18d56bc869a6159

              SHA1

              e941bee208d979ea41168b798177c87060c6d87d

              SHA256

              830d3b7c9950a834c209b8d67e4c15096210940978ed7d54c9259b72f4b14d18

              SHA512

              720032e54c75222aa01996cf55722ab2e9cd44bddbf2a8fea1090fcd158986cca3fe0300bcad47b5746f2ea03cd82a6aca830753de74f3866cbc761bd14393b0

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

              Filesize

              2KB

              MD5

              1abda5595d74f5313748a342173ff66a

              SHA1

              a653c33830ca9c674ec31fb25568402f87ed4e1d

              SHA256

              4e98a8abe5a0469e6031be01eee019aad3d49d4388597ff5b820841713e09e20

              SHA512

              2083b3496a6bbd84847cbbd08f1eb67a3aeddce6a36e403fea7c39019a4a6c3ccba473752b3e31d29464ec4d9082b71a3631f25fddcd925d672fb662261f2116

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}

              Filesize

              36KB

              MD5

              8aaad0f4eb7d3c65f81c6e6b496ba889

              SHA1

              231237a501b9433c292991e4ec200b25c1589050

              SHA256

              813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

              SHA512

              1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

              Filesize

              36KB

              MD5

              406347732c383e23c3b1af590a47bccd

              SHA1

              fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

              SHA256

              e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

              SHA512

              18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TD9A1703\microsoft.windows[1].xml

              Filesize

              96B

              MD5

              f2e16f95f5d0e6afdc08db7a1ed75fef

              SHA1

              b3d3a1f0fed3397475216a575bf7d8a47420b118

              SHA256

              6ec6c0a5e6d91fbc884cb3687a852d2f4b4172baa9b38d4827cb66eca246aae6

              SHA512

              ca807e03c20c4d5699305aa6c5288fa03983b00106d446a0466650750fb280ec4f4e64f56b321caef2499df1e12c0562422d0d13ff4676dbbb43ee6e43eb7731

            • C:\Users\Admin\Music\Slap1.vbs

              Filesize

              45KB

              MD5

              87b6ba186f30106ea2764c562dd83490

              SHA1

              20baaeb5fd4750125f89eb34794f70e3f7fe8857

              SHA256

              4ae645a52ba5daa6ea305ce0831292a70ad7ec8c12d458f7198bba697b099919

              SHA512

              07402f02fd51a22a4ec86c6d7063b82d02a721a401aecfbcca5300f13857d0857bdf47490eed709f8d28c264752771bf81df3ce3f5fc476b6a002c953e2c1ec0

            • C:\Users\Public\Ghostroot\KillDora.bat

              Filesize

              482B

              MD5

              4f08159f1d70d41bf975e23230033a0f

              SHA1

              ea88d6fbdcf218e0e04a650d947250d8a3dfad40

              SHA256

              d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e

              SHA512

              958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a

            • C:\Users\Public\ghostroot\Message.vbs

              Filesize

              55B

              MD5

              302e08c86880a39ca55f21cabfa7c5de

              SHA1

              58d56c0eb14fc0401cda7c48d6df9d23f6e9b7e3

              SHA256

              65cfb12baaa6f5891bcd7fda727933a4a12f6dbfa9a6717549eacc6dee9436c7

              SHA512

              9aac68a57cea3d00b956ff82ce443600a969dbc3e4eb2b7b12902f70e318c7dbbf7378b375dd28c0d3be0a0515c5c69d4dd5610d5778f22c4e33765d704f8ff7

            • memory/240-894-0x0000021AA0C10000-0x0000021AA0D10000-memory.dmp

              Filesize

              1024KB

            • memory/240-837-0x0000021A8E440000-0x0000021A8E460000-memory.dmp

              Filesize

              128KB

            • memory/240-2436-0x0000021AA09B0000-0x0000021AA0AB0000-memory.dmp

              Filesize

              1024KB

            • memory/240-838-0x0000021A8E420000-0x0000021A8E440000-memory.dmp

              Filesize

              128KB

            • memory/240-811-0x0000021A8E400000-0x0000021A8E420000-memory.dmp

              Filesize

              128KB

            • memory/240-768-0x0000021A8D300000-0x0000021A8D400000-memory.dmp

              Filesize

              1024KB

            • memory/1204-244-0x0000000003210000-0x0000000003211000-memory.dmp

              Filesize

              4KB

            • memory/1600-15-0x00000000031D0000-0x00000000031D1000-memory.dmp

              Filesize

              4KB

            • memory/2124-49-0x000001D59F810000-0x000001D59F830000-memory.dmp

              Filesize

              128KB

            • memory/2124-64-0x000001DDB9D30000-0x000001DDB9E30000-memory.dmp

              Filesize

              1024KB

            • memory/2124-35-0x000001DDA7CF0000-0x000001DDA7D10000-memory.dmp

              Filesize

              128KB

            • memory/2124-50-0x000001DDA7D10000-0x000001DDA7D30000-memory.dmp

              Filesize

              128KB

            • memory/2124-17-0x000001DDA6500000-0x000001DDA6600000-memory.dmp

              Filesize

              1024KB

            • memory/2464-661-0x0000000004970000-0x0000000004971000-memory.dmp

              Filesize

              4KB

            • memory/3692-236-0x0000026828E20000-0x0000026828F20000-memory.dmp

              Filesize

              1024KB

            • memory/3692-180-0x000002682A280000-0x000002682A380000-memory.dmp

              Filesize

              1024KB

            • memory/3692-166-0x0000026817100000-0x0000026817120000-memory.dmp

              Filesize

              128KB

            • memory/3692-147-0x00000268165D0000-0x00000268165F0000-memory.dmp

              Filesize

              128KB

            • memory/3692-163-0x0000026817120000-0x0000026817140000-memory.dmp

              Filesize

              128KB

            • memory/4268-130-0x0000000003680000-0x0000000003681000-memory.dmp

              Filesize

              4KB

            • memory/4332-353-0x00000000030F0000-0x00000000030F1000-memory.dmp

              Filesize

              4KB

            • memory/4624-294-0x00000197A3040000-0x00000197A3140000-memory.dmp

              Filesize

              1024KB

            • memory/4624-279-0x000001978FE70000-0x000001978FE90000-memory.dmp

              Filesize

              128KB

            • memory/4624-280-0x000001978FE50000-0x000001978FE70000-memory.dmp

              Filesize

              128KB

            • memory/4624-262-0x000001978FE30000-0x000001978FE50000-memory.dmp

              Filesize

              128KB

            • memory/4624-248-0x000001978E540000-0x000001978E640000-memory.dmp

              Filesize

              1024KB

            • memory/4632-403-0x0000016FF83F0000-0x0000016FF84F0000-memory.dmp

              Filesize

              1024KB

            • memory/4632-389-0x0000016FE5220000-0x0000016FE5240000-memory.dmp

              Filesize

              128KB

            • memory/4632-369-0x0000016FE5200000-0x0000016FE5220000-memory.dmp

              Filesize

              128KB

            • memory/4632-384-0x0000016FE5240000-0x0000016FE5260000-memory.dmp

              Filesize

              128KB

            • memory/4632-355-0x00000167E2D00000-0x00000167E2E00000-memory.dmp

              Filesize

              1024KB