badrabbit | f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

Endermanch@SE2011.exe
Size

2.4MB
MD5

02f471d1fefbdc07af5555dbfd6ea918
SHA1

2a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA256

36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512

287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

Score

10^/10

badrabbit evasion persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SE2010.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Security Essentials 2011\\SE2010.exe\" /hide"	SE2010.exe

Executes dropped EXE 2 IoCs

Processes:

SE2010.exe4DE.tmp

pid process

3872 SE2010.exe
3028 4DE.tmp
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\ApproveRedo.tiff rundll32.exe
Deletes itself 1 IoCs

Processes:

SE2010.exe

pid process

3872 SE2010.exe

pid	process
3872	SE2010.exe
3028	4DE.tmp

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ApproveRedo.tiff	rundll32.exe

pid	process
3872	SE2010.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Endermanch@SE2011.exeSE2010.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	Endermanch@SE2011.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	SE2010.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SE2010.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	SE2010.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\updatesst = "\"C:\\Users\\Admin\\AppData\\Roaming\\Security Essentials 2011\\SE2010.exe\""	SE2010.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Endermanch@SE2011.exeSE2010.exe

pid process

580 Endermanch@SE2011.exe
3872 SE2010.exe

Drops file in Windows directory 4 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\4DE.tmp	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

716 580 WerFault.exe Endermanch@SE2011.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4012 schtasks.exe
2124 schtasks.exe

pid	pid_target	process	target process
716	580	WerFault.exe	Endermanch@SE2011.exe

pid	process
4012	schtasks.exe
2124	schtasks.exe

Modifies registry class 20 IoCs

Processes:

Endermanch@SE2011.exeSE2010.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	Endermanch@SE2011.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@SE2011.DocHostUIHandler	Endermanch@SE2011.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@SE2011.DocHostUIHandler\Clsid	Endermanch@SE2011.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	SE2010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SE2010.DocHostUIHandler	SE2010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SE2010.DocHostUIHandler\ = "Implements DocHostUIHandler"	SE2010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	SE2010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	Endermanch@SE2011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SECURI~1\\SE2010.exe"	SE2010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SE2010.DocHostUIHandler\Clsid	SE2010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	SE2010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	SE2010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SE2010.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	SE2010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "SE2010.DocHostUIHandler"	SE2010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	Endermanch@SE2011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@SE2011.DocHostUIHandler\ = "Implements DocHostUIHandler"	Endermanch@SE2011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@SE2011.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	Endermanch@SE2011.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	Endermanch@SE2011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "Endermanch@SE2011.DocHostUIHandler"	Endermanch@SE2011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@SE2011.exe"	Endermanch@SE2011.exe

Suspicious behavior: EnumeratesProcesses 711 IoCs

Processes:

Endermanch@SE2011.exeSE2010.exeWerFault.exe

pid	process
580	Endermanch@SE2011.exe
580	Endermanch@SE2011.exe
3872	SE2010.exe
3872	SE2010.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
716	WerFault.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe
3872	SE2010.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

WerFault.exeAUDIODG.EXErundll32.exe4DE.tmp

description	pid	process
Token: SeRestorePrivilege	716	WerFault.exe
Token: SeBackupPrivilege	716	WerFault.exe
Token: SeDebugPrivilege	716	WerFault.exe
Token: 33	3752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3752	AUDIODG.EXE
Token: SeShutdownPrivilege	3432	rundll32.exe
Token: SeDebugPrivilege	3432	rundll32.exe
Token: SeTcbPrivilege	3432	rundll32.exe
Token: SeDebugPrivilege	3028	4DE.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Endermanch@SE2011.exeSE2010.exe

pid process

580 Endermanch@SE2011.exe
580 Endermanch@SE2011.exe
3872 SE2010.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Endermanch@SE2011.exeSE2010.exe

pid process

580 Endermanch@SE2011.exe
580 Endermanch@SE2011.exe
3872 SE2010.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Endermanch@SE2011.exeSE2010.exe

pid process

580 Endermanch@SE2011.exe
580 Endermanch@SE2011.exe
3872 SE2010.exe
3872 SE2010.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Endermanch@SE2011.exerundll32.exerundll32.execmd.execmd.execmd.exe

description	pid	process	target process
PID 580 wrote to memory of 3872	580	Endermanch@SE2011.exe	SE2010.exe
PID 580 wrote to memory of 3872	580	Endermanch@SE2011.exe	SE2010.exe
PID 580 wrote to memory of 3872	580	Endermanch@SE2011.exe	SE2010.exe
PID 500 wrote to memory of 3432	500	rundll32.exe	rundll32.exe
PID 500 wrote to memory of 3432	500	rundll32.exe	rundll32.exe
PID 500 wrote to memory of 3432	500	rundll32.exe	rundll32.exe
PID 3432 wrote to memory of 3056	3432	rundll32.exe	cmd.exe
PID 3432 wrote to memory of 3056	3432	rundll32.exe	cmd.exe
PID 3432 wrote to memory of 3056	3432	rundll32.exe	cmd.exe
PID 3056 wrote to memory of 1308	3056	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 1308	3056	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 1308	3056	cmd.exe	schtasks.exe
PID 3432 wrote to memory of 764	3432	rundll32.exe	cmd.exe
PID 3432 wrote to memory of 764	3432	rundll32.exe	cmd.exe
PID 3432 wrote to memory of 764	3432	rundll32.exe	cmd.exe
PID 3432 wrote to memory of 1920	3432	rundll32.exe	cmd.exe
PID 3432 wrote to memory of 1920	3432	rundll32.exe	cmd.exe
PID 3432 wrote to memory of 1920	3432	rundll32.exe	cmd.exe
PID 764 wrote to memory of 4012	764	cmd.exe	schtasks.exe
PID 764 wrote to memory of 4012	764	cmd.exe	schtasks.exe
PID 764 wrote to memory of 4012	764	cmd.exe	schtasks.exe
PID 3432 wrote to memory of 3028	3432	rundll32.exe	4DE.tmp
PID 3432 wrote to memory of 3028	3432	rundll32.exe	4DE.tmp
PID 1920 wrote to memory of 2124	1920	cmd.exe	schtasks.exe
PID 1920 wrote to memory of 2124	1920	cmd.exe	schtasks.exe
PID 1920 wrote to memory of 2124	1920	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Roaming\Security Essentials 2011\SE2010.exe
"C:\Users\Admin\AppData\Roaming\Security Essentials 2011\SE2010.exe" DELC:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 2072
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Modifies extensions of user files
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
3⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
4⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1887096183 && exit"
3⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1887096183 && exit"
4⤵
- Creates scheduled task(s)
PID:4012

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:01:00
3⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:01:00
4⤵
- Creates scheduled task(s)
PID:2124

C:\Windows\4DE.tmp
"C:\Windows\4DE.tmp" \\.\pipe\{4071F97F-F301-4BEC-953A-E13B72C87D21}
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Security Essentials 2011\SE2010.exe
MD5
02f471d1fefbdc07af5555dbfd6ea918

SHA1
2a8f93dd21628933de8bea4a9abc00dbb215df0b

SHA256
36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba

SHA512
287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

Download Submit
C:\Users\Admin\AppData\Roaming\Security Essentials 2011\SE2010.exe
MD5
02f471d1fefbdc07af5555dbfd6ea918

SHA1
2a8f93dd21628933de8bea4a9abc00dbb215df0b

SHA256
36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba

SHA512
287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

Download Submit
C:\Windows\4DE.tmp
MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\4DE.tmp
MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
memory/580-38-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/580-45-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/580-6-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/580-7-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/580-8-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/580-40-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/580-10-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/580-11-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/580-12-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/580-13-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/580-14-0x0000000005520000-0x0000000005522000-memory.dmp

Filesize
8KB

Download
memory/580-15-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/580-16-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/580-17-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/580-18-0x00000000053D0000-0x00000000053D2000-memory.dmp

Filesize
8KB

Download
memory/580-19-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/580-20-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/580-21-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/580-22-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/580-23-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/580-24-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/580-26-0x0000000005690000-0x0000000005692000-memory.dmp

Filesize
8KB

Download
memory/580-25-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/580-28-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/580-27-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/580-29-0x0000000005640000-0x0000000005642000-memory.dmp

Filesize
8KB

Download
memory/580-30-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/580-31-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/580-32-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/580-33-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/580-34-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/580-35-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/580-36-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/580-37-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/580-127-0x0000000005560000-0x0000000005562000-memory.dmp

Filesize
8KB

Download
memory/580-39-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/580-9-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/580-41-0x0000000005490000-0x0000000005492000-memory.dmp

Filesize
8KB

Download
memory/580-5-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/580-42-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/580-44-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/580-43-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/580-46-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/580-48-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/580-47-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/580-49-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/580-50-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/580-51-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/580-53-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/580-52-0x00000000054A0000-0x00000000054A2000-memory.dmp

Filesize
8KB

Download
memory/580-54-0x00000000055C0000-0x00000000055C2000-memory.dmp

Filesize
8KB

Download
memory/580-55-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/580-56-0x00000000054C0000-0x00000000054C2000-memory.dmp

Filesize
8KB

Download
memory/580-57-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/580-61-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/580-60-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/580-59-0x0000000005550000-0x0000000005552000-memory.dmp

Filesize
8KB

Download
memory/580-58-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/580-68-0x0000000005670000-0x0000000005672000-memory.dmp

Filesize
8KB

Download
memory/580-66-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/580-3-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/580-2-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/580-4-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/716-70-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/716-71-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/764-140-0x0000000000000000-mapping.dmp

Download
memory/1308-139-0x0000000000000000-mapping.dmp

Download
memory/1920-141-0x0000000000000000-mapping.dmp

Download
memory/2124-146-0x0000000000000000-mapping.dmp

Download
memory/3028-143-0x0000000000000000-mapping.dmp

Download
memory/3056-138-0x0000000000000000-mapping.dmp

Download
memory/3432-137-0x0000000003160000-0x00000000031C8000-memory.dmp

Filesize
416KB

Download
memory/3432-136-0x0000000000000000-mapping.dmp

Download
memory/3872-74-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3872-81-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/3872-84-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3872-83-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/3872-85-0x0000000005530000-0x0000000005532000-memory.dmp

Filesize
8KB

Download
memory/3872-86-0x0000000005490000-0x0000000005492000-memory.dmp

Filesize
8KB

Download
memory/3872-87-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3872-88-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/3872-89-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/3872-90-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/3872-91-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/3872-92-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/3872-93-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3872-94-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/3872-95-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/3872-96-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3872-98-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/3872-97-0x0000000005560000-0x0000000005562000-memory.dmp

Filesize
8KB

Download
memory/3872-99-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/3872-100-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/3872-101-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3872-102-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3872-103-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/3872-104-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3872-105-0x00000000053D0000-0x00000000053D2000-memory.dmp

Filesize
8KB

Download
memory/3872-106-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/3872-108-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3872-107-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3872-109-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3872-110-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/3872-111-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/3872-112-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3872-113-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/3872-114-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3872-115-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/3872-116-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/3872-117-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3872-119-0x0000000005640000-0x0000000005642000-memory.dmp

Filesize
8KB

Download
memory/3872-118-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/3872-120-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/3872-121-0x0000000005670000-0x0000000005672000-memory.dmp

Filesize
8KB

Download
memory/3872-122-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3872-123-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/3872-124-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3872-125-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/3872-126-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3872-82-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3872-128-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/3872-130-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/3872-129-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/3872-131-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3872-132-0x00000000055C0000-0x00000000055C2000-memory.dmp

Filesize
8KB

Download
memory/3872-134-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/3872-133-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3872-135-0x00000000054D0000-0x00000000054D2000-memory.dmp

Filesize
8KB

Download
memory/3872-80-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3872-78-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3872-79-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/3872-77-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/3872-76-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/3872-75-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3872-73-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/3872-67-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3872-65-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3872-62-0x0000000000000000-mapping.dmp

Download
memory/4012-142-0x0000000000000000-mapping.dmp

Download