Overview

overview

10

Static

static

872db16f20...fa.exe

windows7_x64

10

872db16f20...fa.exe

windows7_x64

10

872db16f20...fa.exe

windows7_x64

10

872db16f20...fa.exe

windows11_x64

10

872db16f20...fa.exe

windows10_x64

10

872db16f20...fa.exe

windows10_x64

10

872db16f20...fa.exe

windows10_x64

10

Resubmissions

03-11-2021 07:43

211103-jka41addb2 10

03-11-2021 07:28

211103-jaq3gaaebm 10

Analysis

  • max time kernel
    1811s
  • max time network
    1571s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    03-11-2021 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    872db16f209592c4074cd122f51967bf9c2a37b913dcbd4e79e409c87a4459fa.exe

  • Size

    289KB

  • MD5

    cba7a4e1465fdeae3b5d68020233de6e

  • SHA1

    079519332561557fa958d460d6d9fdcdba6f6c7a

  • SHA256

    872db16f209592c4074cd122f51967bf9c2a37b913dcbd4e79e409c87a4459fa

  • SHA512

    bca58bad3a9702885f489b7b7131734f5fb8b51dbfdb18e81131afcd8be167ff574e46f6f0735991209a73fab1168ed5f3584b7a819bb401c8c9f442222fb1ea

Score
10/10
arkeiicedidredlinesmokeloadertofsee101superstar3022016856backdoorbankerdiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://honawey70.top/

http://wijibui00.top/
rc4.i32
rc4.i32

Extracted

Family

redline

C2

45.147.231.161:38637

Extracted

Family

icedid

Campaign

3022016856

C2

actuallyobligat.info

Extracted

Family

redline

Botnet

SuperStar

C2

185.215.113.29:36224

Extracted

Family

redline

Botnet

101

C2

185.92.73.142:52097

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Arkei Stealer Payload 1 IoCs
    stealer
  • Core1 .NET packer 1 IoCs

    Detects packer/loader used by .NET malware.

  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 37 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 10 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\872db16f209592c4074cd122f51967bf9c2a37b913dcbd4e79e409c87a4459fa.exe
    "C:\Users\Admin\AppData\Local\Temp\872db16f209592c4074cd122f51967bf9c2a37b913dcbd4e79e409c87a4459fa.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Users\Admin\AppData\Local\Temp\872db16f209592c4074cd122f51967bf9c2a37b913dcbd4e79e409c87a4459fa.exe
      "C:\Users\Admin\AppData\Local\Temp\872db16f209592c4074cd122f51967bf9c2a37b913dcbd4e79e409c87a4459fa.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4220
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe afb82988f16e7c0162b21508dc9ed45e NxvWSanJNk6YGYbyE6hnZQ.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1612
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2364
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      2⤵
        PID:2984
      • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        2⤵
          PID:1612
      • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
        C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe afb82988f16e7c0162b21508dc9ed45e NxvWSanJNk6YGYbyE6hnZQ.0.1.0.3.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:1608
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe afb82988f16e7c0162b21508dc9ed45e NxvWSanJNk6YGYbyE6hnZQ.0.1.0.3.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:2432
      • C:\Users\Admin\AppData\Local\Temp\A9BE.exe
        C:\Users\Admin\AppData\Local\Temp\A9BE.exe
        1⤵
        • Executes dropped EXE
        PID:5100
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 292
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:4280
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5100 -ip 5100
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:2672
      • C:\Users\Admin\AppData\Local\Temp\FE38.exe
        C:\Users\Admin\AppData\Local\Temp\FE38.exe
        1⤵
        • Executes dropped EXE
        PID:2184
      • C:\Users\Admin\AppData\Local\Temp\FFCF.exe
        C:\Users\Admin\AppData\Local\Temp\FFCF.exe
        1⤵
        • Executes dropped EXE
        PID:1596
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 236
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:1468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1596 -ip 1596
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:4016
      • C:\Users\Admin\AppData\Local\Temp\53EB.exe
        C:\Users\Admin\AppData\Local\Temp\53EB.exe
        1⤵
        • Executes dropped EXE
        PID:1700
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 276
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:3304
      • C:\Users\Admin\AppData\Local\Temp\55D1.exe
        C:\Users\Admin\AppData\Local\Temp\55D1.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Users\Admin\AppData\Local\Temp\55D1.exe
          C:\Users\Admin\AppData\Local\Temp\55D1.exe
          2⤵
          • Executes dropped EXE
          PID:3764
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1700 -ip 1700
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:1976
      • C:\Windows\system32\regsvr32.exe
        regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5B50.dll
        1⤵
        • Loads dropped DLL
        PID:1016
      • C:\Users\Admin\AppData\Local\Temp\5CC8.exe
        C:\Users\Admin\AppData\Local\Temp\5CC8.exe
        1⤵
        • Executes dropped EXE
        PID:4636
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 292
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:4972
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4636 -ip 4636
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:2840
      • C:\Users\Admin\AppData\Local\Temp\AF42.exe
        C:\Users\Admin\AppData\Local\Temp\AF42.exe
        1⤵
        • Executes dropped EXE
        PID:2896
      • C:\Users\Admin\AppData\Local\Temp\5D4.exe
        C:\Users\Admin\AppData\Local\Temp\5D4.exe
        1⤵
        • Executes dropped EXE
        PID:444
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 296
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 444 -ip 444
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:3092

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      4
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\53EB.exe
        MD5

        aa274b420a15cdb8384906a3c45a6d22

        SHA1

        99bc08e28683f4b07f0c168facce2d529a08d0fa

        SHA256

        b9e7d6015213b2126e602e7e796f4590cdb2a941b4e8eb30b75bc9c46dce1754

        SHA512

        1012f2fe52a514cb06f536c6343e9dddb1bcc914dee33c013ec393162c6151f61916bc147068c8db4377f2714f70903fbadfa74d23f104d12180c2d9b00fe7d1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\53EB.exe
        MD5

        aa274b420a15cdb8384906a3c45a6d22

        SHA1

        99bc08e28683f4b07f0c168facce2d529a08d0fa

        SHA256

        b9e7d6015213b2126e602e7e796f4590cdb2a941b4e8eb30b75bc9c46dce1754

        SHA512

        1012f2fe52a514cb06f536c6343e9dddb1bcc914dee33c013ec393162c6151f61916bc147068c8db4377f2714f70903fbadfa74d23f104d12180c2d9b00fe7d1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\55D1.exe
        MD5

        83ae8211d7a716ca53a2b7e51868009b

        SHA1

        909de09eaecd7edeb85941a1e413fe8b42cb6fdc

        SHA256

        95fbfa4c2148dd1ef7975dbf556919f2588c36d4f3b37d0072e690a2694c0d15

        SHA512

        37148b971be87e61e5eafd160aa0a893503c2f8953130770c8100fd8fee2c2f715c100b2442e0704034656cba11523b2f2d9a451c3c5d20b4a09b6bdca8eefb8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\55D1.exe
        MD5

        83ae8211d7a716ca53a2b7e51868009b

        SHA1

        909de09eaecd7edeb85941a1e413fe8b42cb6fdc

        SHA256

        95fbfa4c2148dd1ef7975dbf556919f2588c36d4f3b37d0072e690a2694c0d15

        SHA512

        37148b971be87e61e5eafd160aa0a893503c2f8953130770c8100fd8fee2c2f715c100b2442e0704034656cba11523b2f2d9a451c3c5d20b4a09b6bdca8eefb8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\55D1.exe
        MD5

        83ae8211d7a716ca53a2b7e51868009b

        SHA1

        909de09eaecd7edeb85941a1e413fe8b42cb6fdc

        SHA256

        95fbfa4c2148dd1ef7975dbf556919f2588c36d4f3b37d0072e690a2694c0d15

        SHA512

        37148b971be87e61e5eafd160aa0a893503c2f8953130770c8100fd8fee2c2f715c100b2442e0704034656cba11523b2f2d9a451c3c5d20b4a09b6bdca8eefb8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\5B50.dll
        MD5

        628b068ebb6c34efd8b4d21d4f4c7723

        SHA1

        957bb67a89b7009539ecf2ac61ce83daf497a464

        SHA256

        04d14e3e9c577b0fd56c1c63a6c9bdc5220db0b6af8d373831da2a3a79c45881

        SHA512

        93870c1f43eba9104f5bfb7f0e58dd299e54d8958cb746f641b336da639a919b626f836914e1ad6582f2e83206984c6003c7476d84905d6cedc32cce2c3dc750

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\5B50.dll
        MD5

        628b068ebb6c34efd8b4d21d4f4c7723

        SHA1

        957bb67a89b7009539ecf2ac61ce83daf497a464

        SHA256

        04d14e3e9c577b0fd56c1c63a6c9bdc5220db0b6af8d373831da2a3a79c45881

        SHA512

        93870c1f43eba9104f5bfb7f0e58dd299e54d8958cb746f641b336da639a919b626f836914e1ad6582f2e83206984c6003c7476d84905d6cedc32cce2c3dc750

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\5CC8.exe
        MD5

        738f696f228f13c18454c013926b38b2

        SHA1

        04c1ea711ed7077cee2b67c33577caadc24b97e8

        SHA256

        0fc853cdddb7195dbf6052a7970add6d5cb57f6b7f2478f6e3de20ff87fc890f

        SHA512

        dc4f05debf4e41b52412b6681efd3ad2622cd9d2f401df317bfbb525797e3fb6000536e78d9dbff67f7149ee5b2db94ba723cff7315816c92095e551974a0038

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\5CC8.exe
        MD5

        738f696f228f13c18454c013926b38b2

        SHA1

        04c1ea711ed7077cee2b67c33577caadc24b97e8

        SHA256

        0fc853cdddb7195dbf6052a7970add6d5cb57f6b7f2478f6e3de20ff87fc890f

        SHA512

        dc4f05debf4e41b52412b6681efd3ad2622cd9d2f401df317bfbb525797e3fb6000536e78d9dbff67f7149ee5b2db94ba723cff7315816c92095e551974a0038

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\5D4.exe
        MD5

        44d57bd9b9006ac10bdf35f7d347037f

        SHA1

        7a4e7d527f0dd67d00b38c4893800998ed2ca4df

        SHA256

        515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b

        SHA512

        4183c2d42229f7ddc9233f5bcd05fbc21fff7f483cc228e567606726d6fd1ce5cbd66edf5e232f0d05b97da42ee9124e956b0d15adc7d2c404abc6c0936f8cfb

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\5D4.exe
        MD5

        44d57bd9b9006ac10bdf35f7d347037f

        SHA1

        7a4e7d527f0dd67d00b38c4893800998ed2ca4df

        SHA256

        515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b

        SHA512

        4183c2d42229f7ddc9233f5bcd05fbc21fff7f483cc228e567606726d6fd1ce5cbd66edf5e232f0d05b97da42ee9124e956b0d15adc7d2c404abc6c0936f8cfb

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\A9BE.exe
        MD5

        537cde5b14a29b97576f3d7e62c651d8

        SHA1

        8e64a6c09949ce519acc87c17ea5458485375fa7

        SHA256

        ec013210fe7be183315cd371fb3ca19c39431f68bd323a7cafef835463f00361

        SHA512

        a9ccebdf0f466e810291c0b54b5ff8d9ecd6b90214a0ec46bedddc4fd4ef03cce69916d8b315d63a3054ce948c20001ba73bfc1fc2445c04888a4794811d15c2

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\A9BE.exe
        MD5

        537cde5b14a29b97576f3d7e62c651d8

        SHA1

        8e64a6c09949ce519acc87c17ea5458485375fa7

        SHA256

        ec013210fe7be183315cd371fb3ca19c39431f68bd323a7cafef835463f00361

        SHA512

        a9ccebdf0f466e810291c0b54b5ff8d9ecd6b90214a0ec46bedddc4fd4ef03cce69916d8b315d63a3054ce948c20001ba73bfc1fc2445c04888a4794811d15c2

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\AF42.exe
        MD5

        1bef6a1a0d0cdcb868aaa9fffd513f25

        SHA1

        769fce57adacbfca686118f9a45fce099abf2a20

        SHA256

        a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4

        SHA512

        9cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\AF42.exe
        MD5

        1bef6a1a0d0cdcb868aaa9fffd513f25

        SHA1

        769fce57adacbfca686118f9a45fce099abf2a20

        SHA256

        a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4

        SHA512

        9cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\FE38.exe
        MD5

        a55b2ebe63ac0e6111edb879d7beee08

        SHA1

        04e9a7a5934103d6d78962fa8515b27763a3b707

        SHA256

        4bf6dc98acb84cd572bc44f590b3660107869e2acb0fe6431fd908863d186e84

        SHA512

        5c6f735d8b48377fc67614ad4f01eeb0cc409e1e929ee3f3a94da2238c89ac782f617f7f1c95fe3d1185c3b2bdfc12b3b98a7d7ae7321214194db9ddeaaa42bb

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\FE38.exe
        MD5

        a55b2ebe63ac0e6111edb879d7beee08

        SHA1

        04e9a7a5934103d6d78962fa8515b27763a3b707

        SHA256

        4bf6dc98acb84cd572bc44f590b3660107869e2acb0fe6431fd908863d186e84

        SHA512

        5c6f735d8b48377fc67614ad4f01eeb0cc409e1e929ee3f3a94da2238c89ac782f617f7f1c95fe3d1185c3b2bdfc12b3b98a7d7ae7321214194db9ddeaaa42bb

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\FFCF.exe
        MD5

        cd9451e417835fa1447aff560ee9da73

        SHA1

        51e2c4483795c7717f342556f6f23d1567b614a2

        SHA256

        70616f9e69227bdc705494fa961e3b30049d14c03893c36bb66851053287fea7

        SHA512

        bb9f41bbeb161f589dbcd665b01272e28d10ff2467d4099cce90d92ba62c8f0931e04b0e3a722da964b895361bf1c3266bee2342f1a79392d3efb69fb978ab78

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\FFCF.exe
        MD5

        cd9451e417835fa1447aff560ee9da73

        SHA1

        51e2c4483795c7717f342556f6f23d1567b614a2

        SHA256

        70616f9e69227bdc705494fa961e3b30049d14c03893c36bb66851053287fea7

        SHA512

        bb9f41bbeb161f589dbcd665b01272e28d10ff2467d4099cce90d92ba62c8f0931e04b0e3a722da964b895361bf1c3266bee2342f1a79392d3efb69fb978ab78

        Download Submit
      • memory/444-263-0x00000000024B0000-0x00000000024D1000-memory.dmp
        Filesize

        132KB

        Download
      • memory/444-259-0x0000000000000000-mapping.dmp
        Download
      • memory/1016-199-0x0000000000000000-mapping.dmp
        Download
      • memory/1016-205-0x0000000002940000-0x00000000029A3000-memory.dmp
        Filesize

        396KB

        Download
      • memory/1596-173-0x0000000000000000-mapping.dmp
        Download
      • memory/1596-181-0x00000000005D0000-0x00000000005D8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1596-182-0x00000000005E0000-0x00000000005E9000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1612-236-0x0000000000000000-mapping.dmp
        Download
      • memory/1700-197-0x0000000000710000-0x0000000000718000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1700-198-0x0000000000720000-0x0000000000729000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1700-191-0x0000000000000000-mapping.dmp
        Download
      • memory/2184-171-0x0000000005720000-0x0000000005721000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-164-0x0000000000000000-mapping.dmp
        Download
      • memory/2184-179-0x00000000059A0000-0x00000000059A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-180-0x00000000055A0000-0x0000000005BB8000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/2184-177-0x00000000061E0000-0x00000000061E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-176-0x0000000005650000-0x0000000005651000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-183-0x00000000064F0000-0x00000000064F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-184-0x0000000006610000-0x0000000006611000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-185-0x0000000006C60000-0x0000000006C61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-186-0x00000000068B0000-0x00000000068B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-187-0x0000000006A50000-0x0000000006A51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-188-0x0000000007620000-0x0000000007621000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-189-0x0000000007D20000-0x0000000007D21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-190-0x00000000075C0000-0x00000000075C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-172-0x0000000005830000-0x0000000005831000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-178-0x0000000005930000-0x0000000005931000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-170-0x00000000055F0000-0x00000000055F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-169-0x0000000005BC0000-0x0000000005BC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2184-167-0x0000000000B90000-0x0000000000B91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2364-151-0x0000021121B20000-0x0000021121B30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2364-152-0x0000021121BA0000-0x0000021121BB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2364-240-0x0000021124170000-0x0000021124171000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2364-158-0x0000021124CE0000-0x0000021124CE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2364-238-0x00000211241B0000-0x00000211241B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2364-157-0x0000021124CF0000-0x0000021124CF4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2364-237-0x0000021124290000-0x0000021124294000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2364-155-0x00000211243F0000-0x00000211243F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2364-153-0x0000021124270000-0x0000021124274000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2364-154-0x0000021124750000-0x0000021124754000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2868-221-0x00000000025E0000-0x0000000002610000-memory.dmp
        Filesize

        192KB

        Download
      • memory/2868-194-0x0000000000000000-mapping.dmp
        Download
      • memory/2868-206-0x0000000000A8C000-0x0000000000AAE000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2896-247-0x0000000000D20000-0x0000000000D50000-memory.dmp
        Filesize

        192KB

        Download
      • memory/2896-251-0x000000001C360000-0x000000001C361000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2896-241-0x0000000000000000-mapping.dmp
        Download
      • memory/2896-244-0x00000000003F0000-0x00000000003F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2896-258-0x000000001C4C2000-0x000000001C4C4000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2896-255-0x000000001F750000-0x000000001F751000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2896-254-0x0000000001570000-0x0000000001571000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2896-253-0x000000001E550000-0x000000001E551000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2896-252-0x000000001C4C0000-0x000000001C4C2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2896-246-0x0000000000CE0000-0x0000000000D20000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2896-250-0x0000000001550000-0x0000000001551000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2896-249-0x000000001E5E0000-0x000000001E5E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2896-248-0x0000000000D50000-0x0000000000D6B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/2984-156-0x0000000000000000-mapping.dmp
        Download
      • memory/3208-150-0x0000000002E20000-0x0000000002E36000-memory.dmp
        Filesize

        88KB

        Download
      • memory/3632-146-0x00000000009BC000-0x00000000009CC000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3632-149-0x00000000025B0000-0x00000000025B9000-memory.dmp
        Filesize

        36KB

        Download
      • memory/3764-226-0x00000000024F4000-0x00000000024F6000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3764-225-0x00000000024F3000-0x00000000024F4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3764-212-0x0000000002500000-0x000000000251B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/3764-220-0x0000000005E20000-0x0000000005E21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3764-208-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/3764-207-0x0000000000000000-mapping.dmp
        Download
      • memory/3764-222-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/3764-223-0x00000000024F0000-0x00000000024F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3764-210-0x0000000002150000-0x000000000216C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/3764-224-0x00000000024F2000-0x00000000024F3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4220-148-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/4220-147-0x0000000000000000-mapping.dmp
        Download
      • memory/4636-227-0x0000000000C2C000-0x0000000000C63000-memory.dmp
        Filesize

        220KB

        Download
      • memory/4636-228-0x0000000000B60000-0x0000000000BAF000-memory.dmp
        Filesize

        316KB

        Download
      • memory/4636-202-0x0000000000000000-mapping.dmp
        Download
      • memory/5100-162-0x00000000009CD000-0x00000000009DD000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5100-163-0x00000000025B0000-0x00000000025C3000-memory.dmp
        Filesize

        76KB

        Download
      • memory/5100-159-0x0000000000000000-mapping.dmp
        Download