arkei | 64fb4e1e41bf9ae4718f58c61cbe994a3ebd64e5aeced84f196ff392ffbe35db

Analysis

max time kernel
152s
max time network
151s
platform
windows7_x64
resource
win7-en-20211014
submitted
19-11-2021 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8dc8e4b914e931ccf2217f143553559.exe
Size

160KB
MD5

e8dc8e4b914e931ccf2217f143553559
SHA1

f2797a12055c0bfc7c4fad3ba9388e15d77f9859
SHA256

64fb4e1e41bf9ae4718f58c61cbe994a3ebd64e5aeced84f196ff392ffbe35db
SHA512

195d11de811b2fd2e047aa5a37cb4ddef21bc51762e5994f3294f46b4b2f98140391a321039326428b128c10911d0d7abd5f10d9f511c70034ddfdcc8cd14f2d

Score

10^/10

arkei raccoon redline smokeloader ddf183af4241e3172885cf1b2c4c1fb4ee03d05a default backdoor discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

arkei

Botnet

Default

http://file-file-host4.com/tratata.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1948-80-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1948-81-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1948-82-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1948-83-0x0000000000418EEA-mapping.dmp	family_redline
behavioral1/memory/1948-85-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1692-113-0x00000000002D0000-0x00000000002F1000-memory.dmp	family_arkei
behavioral1/memory/1692-114-0x0000000000400000-0x000000000043B000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

D633.exeD633.exeEDAA.exeEDAA.exe456.exe2233.exe2D4C.exe44F1.exe

pid process

624 D633.exe
412 D633.exe
1816 EDAA.exe
1948 EDAA.exe
1028 456.exe
888 2233.exe
1704 2D4C.exe
1692 44F1.exe

pid	process
624	D633.exe
412	D633.exe
1816	EDAA.exe
1948	EDAA.exe
1028	456.exe
888	2233.exe
1704	2D4C.exe
1692	44F1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2D4C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2D4C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2D4C.exe

Deletes itself 1 IoCs

Processes:

pid process

1268
Loads dropped DLL 2 IoCs

Processes:

D633.exeEDAA.exe

pid process

624 D633.exe
1816 EDAA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1268

pid	process
624	D633.exe
1816	EDAA.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2D4C.exe	themida
behavioral1/memory/1704-101-0x0000000000F70000-0x0000000000F71000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2D4C.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2D4C.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2D4C.exe

pid process

1704 2D4C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2D4C.exe

pid	process
1704	2D4C.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

e8dc8e4b914e931ccf2217f143553559.exeD633.exeEDAA.exe

description	pid	process	target process
PID 956 set thread context of 800	956	e8dc8e4b914e931ccf2217f143553559.exe	e8dc8e4b914e931ccf2217f143553559.exe
PID 624 set thread context of 412	624	D633.exe	D633.exe
PID 1816 set thread context of 1948	1816	EDAA.exe	EDAA.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2233.exeD633.exee8dc8e4b914e931ccf2217f143553559.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2233.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D633.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2233.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e8dc8e4b914e931ccf2217f143553559.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D633.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D633.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2233.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e8dc8e4b914e931ccf2217f143553559.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e8dc8e4b914e931ccf2217f143553559.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e8dc8e4b914e931ccf2217f143553559.exe

pid	process
800	e8dc8e4b914e931ccf2217f143553559.exe
800	e8dc8e4b914e931ccf2217f143553559.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1268
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

e8dc8e4b914e931ccf2217f143553559.exeD633.exe2233.exe

pid process

800 e8dc8e4b914e931ccf2217f143553559.exe
412 D633.exe
888 2233.exe

pid	process
1268

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

EDAA.exe2D4C.exe

description	pid	process
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeDebugPrivilege	1948	EDAA.exe
Token: SeDebugPrivilege	1704	2D4C.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1268
1268
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1268
1268

pid	process
1268
1268

pid	process
1268
1268

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

e8dc8e4b914e931ccf2217f143553559.exeD633.exeEDAA.exe

description	pid	process	target process
PID 956 wrote to memory of 800	956	e8dc8e4b914e931ccf2217f143553559.exe	e8dc8e4b914e931ccf2217f143553559.exe
PID 956 wrote to memory of 800	956	e8dc8e4b914e931ccf2217f143553559.exe	e8dc8e4b914e931ccf2217f143553559.exe
PID 956 wrote to memory of 800	956	e8dc8e4b914e931ccf2217f143553559.exe	e8dc8e4b914e931ccf2217f143553559.exe
PID 956 wrote to memory of 800	956	e8dc8e4b914e931ccf2217f143553559.exe	e8dc8e4b914e931ccf2217f143553559.exe
PID 956 wrote to memory of 800	956	e8dc8e4b914e931ccf2217f143553559.exe	e8dc8e4b914e931ccf2217f143553559.exe
PID 956 wrote to memory of 800	956	e8dc8e4b914e931ccf2217f143553559.exe	e8dc8e4b914e931ccf2217f143553559.exe
PID 956 wrote to memory of 800	956	e8dc8e4b914e931ccf2217f143553559.exe	e8dc8e4b914e931ccf2217f143553559.exe
PID 1268 wrote to memory of 624	1268		D633.exe
PID 1268 wrote to memory of 624	1268		D633.exe
PID 1268 wrote to memory of 624	1268		D633.exe
PID 1268 wrote to memory of 624	1268		D633.exe
PID 624 wrote to memory of 412	624	D633.exe	D633.exe
PID 624 wrote to memory of 412	624	D633.exe	D633.exe
PID 624 wrote to memory of 412	624	D633.exe	D633.exe
PID 624 wrote to memory of 412	624	D633.exe	D633.exe
PID 624 wrote to memory of 412	624	D633.exe	D633.exe
PID 624 wrote to memory of 412	624	D633.exe	D633.exe
PID 624 wrote to memory of 412	624	D633.exe	D633.exe
PID 1268 wrote to memory of 1816	1268		EDAA.exe
PID 1268 wrote to memory of 1816	1268		EDAA.exe
PID 1268 wrote to memory of 1816	1268		EDAA.exe
PID 1268 wrote to memory of 1816	1268		EDAA.exe
PID 1816 wrote to memory of 1948	1816	EDAA.exe	EDAA.exe
PID 1816 wrote to memory of 1948	1816	EDAA.exe	EDAA.exe
PID 1816 wrote to memory of 1948	1816	EDAA.exe	EDAA.exe
PID 1816 wrote to memory of 1948	1816	EDAA.exe	EDAA.exe
PID 1816 wrote to memory of 1948	1816	EDAA.exe	EDAA.exe
PID 1816 wrote to memory of 1948	1816	EDAA.exe	EDAA.exe
PID 1816 wrote to memory of 1948	1816	EDAA.exe	EDAA.exe
PID 1816 wrote to memory of 1948	1816	EDAA.exe	EDAA.exe
PID 1816 wrote to memory of 1948	1816	EDAA.exe	EDAA.exe
PID 1268 wrote to memory of 1028	1268		456.exe
PID 1268 wrote to memory of 1028	1268		456.exe
PID 1268 wrote to memory of 1028	1268		456.exe
PID 1268 wrote to memory of 1028	1268		456.exe
PID 1268 wrote to memory of 888	1268		2233.exe
PID 1268 wrote to memory of 888	1268		2233.exe
PID 1268 wrote to memory of 888	1268		2233.exe
PID 1268 wrote to memory of 888	1268		2233.exe
PID 1268 wrote to memory of 1704	1268		2D4C.exe
PID 1268 wrote to memory of 1704	1268		2D4C.exe
PID 1268 wrote to memory of 1704	1268		2D4C.exe
PID 1268 wrote to memory of 1704	1268		2D4C.exe
PID 1268 wrote to memory of 1692	1268		44F1.exe
PID 1268 wrote to memory of 1692	1268		44F1.exe
PID 1268 wrote to memory of 1692	1268		44F1.exe
PID 1268 wrote to memory of 1692	1268		44F1.exe

C:\Users\Admin\AppData\Local\Temp\e8dc8e4b914e931ccf2217f143553559.exe
"C:\Users\Admin\AppData\Local\Temp\e8dc8e4b914e931ccf2217f143553559.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\e8dc8e4b914e931ccf2217f143553559.exe
"C:\Users\Admin\AppData\Local\Temp\e8dc8e4b914e931ccf2217f143553559.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:800

C:\Users\Admin\AppData\Local\Temp\D633.exe
C:\Users\Admin\AppData\Local\Temp\D633.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\D633.exe
C:\Users\Admin\AppData\Local\Temp\D633.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:412

C:\Users\Admin\AppData\Local\Temp\EDAA.exe
C:\Users\Admin\AppData\Local\Temp\EDAA.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\EDAA.exe
C:\Users\Admin\AppData\Local\Temp\EDAA.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\AppData\Local\Temp\456.exe
C:\Users\Admin\AppData\Local\Temp\456.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Users\Admin\AppData\Local\Temp\2233.exe
C:\Users\Admin\AppData\Local\Temp\2233.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:888

C:\Users\Admin\AppData\Local\Temp\2D4C.exe
C:\Users\Admin\AppData\Local\Temp\2D4C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Users\Admin\AppData\Local\Temp\44F1.exe
C:\Users\Admin\AppData\Local\Temp\44F1.exe
1⤵
- Executes dropped EXE
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2233.exe
MD5
03651bfa0fa57d86e5a612e0cc81bc09

SHA1
67738024bea02128f0d7a9939e193dc706bcd0d8

SHA256
48183fd297159559ea5ca3f626bf6ade7bdbaeefec816116a30da7969642ce6b

SHA512
b9efdef3230478dc4691034bc7e556c313c536115166e4493f7754755d6ab9515c771f51620a5bf5c21bf19b42eb77d95bd040b0f1d3205c715cb21175cffbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D4C.exe
MD5
c8d5fdc4a0e45f4ea541aa74ffa7e1f5

SHA1
1e5fc15f69d2d81e46b52c91b771348fcd15d4ab

SHA256
b38413496a5a7dd3c1d596ae8ced753cbe96568b713c4e4570e16285d9c6b3bb

SHA512
a1e94c80e2fdcc3d00a65d924758c78ca0ca7056bf9397a8a2fb77cfea4839120550448a0aee41e2bc23afa9cdf64d6671c03db1d1f6e0aa18aa0da31f1183ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\44F1.exe
MD5
0adbcb0e3f47a2c1d2ff1b7fa4de1774

SHA1
b194cba5e8502e846806208056079872ff79290f

SHA256
fc8529e123690f3fd209b2aa5fe9f301a4feee94ba9d1ec052bfe5de7be8c235

SHA512
5ace16a284e1215477f20839125f286b7bfe2a0103151adea7ccbfe3bfe1a1df4337625cfb52a4aaad4143fe5d4ce0894dc96b3f3408222ea6e5041d6f48c753

Download Submit
C:\Users\Admin\AppData\Local\Temp\456.exe
MD5
a93ee3be032ac2a200af6f5673ecc492

SHA1
a6fb35b4230ae92ae50a2f3a4e7f0ca7341e9f1c

SHA256
f106e2efb90c57289bbe57b3be618c063c1bc70f3eaabd2afa73e53c2168a54d

SHA512
d4796fda3e4de570d77ffb5dd9efa8172647832e3e2e491d12578d19b9f8de6b876b349f827050f1aa6f6121cf0a5558e4cd4e4c920a33f2f46732b1ca99e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\D633.exe
MD5
a8dd6ce53e82adb45fd6e0d779d1ed12

SHA1
50d09ebbfa56320b22de6b8746e54280e1c9d1a2

SHA256
9d81e1969c48dc374442810ab6b517f06aaba4a2c17bb7749c411d1245727edc

SHA512
9d23c10a2d632f66258fcdb866a909fae7afa19ccdc0569d4399b37c8fbd62e3fc583622f4f8298541ffd13ba315b5036ee12be1083e47744d94c4282379592d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D633.exe
MD5
a8dd6ce53e82adb45fd6e0d779d1ed12

SHA1
50d09ebbfa56320b22de6b8746e54280e1c9d1a2

SHA256
9d81e1969c48dc374442810ab6b517f06aaba4a2c17bb7749c411d1245727edc

SHA512
9d23c10a2d632f66258fcdb866a909fae7afa19ccdc0569d4399b37c8fbd62e3fc583622f4f8298541ffd13ba315b5036ee12be1083e47744d94c4282379592d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D633.exe
MD5
a8dd6ce53e82adb45fd6e0d779d1ed12

SHA1
50d09ebbfa56320b22de6b8746e54280e1c9d1a2

SHA256
9d81e1969c48dc374442810ab6b517f06aaba4a2c17bb7749c411d1245727edc

SHA512
9d23c10a2d632f66258fcdb866a909fae7afa19ccdc0569d4399b37c8fbd62e3fc583622f4f8298541ffd13ba315b5036ee12be1083e47744d94c4282379592d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDAA.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDAA.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDAA.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
\Users\Admin\AppData\Local\Temp\D633.exe
MD5
a8dd6ce53e82adb45fd6e0d779d1ed12

SHA1
50d09ebbfa56320b22de6b8746e54280e1c9d1a2

SHA256
9d81e1969c48dc374442810ab6b517f06aaba4a2c17bb7749c411d1245727edc

SHA512
9d23c10a2d632f66258fcdb866a909fae7afa19ccdc0569d4399b37c8fbd62e3fc583622f4f8298541ffd13ba315b5036ee12be1083e47744d94c4282379592d

Download Submit
\Users\Admin\AppData\Local\Temp\EDAA.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
memory/412-66-0x0000000000402DD8-mapping.dmp

Download
memory/624-69-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/624-61-0x0000000000000000-mapping.dmp

Download
memory/800-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/800-57-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/800-56-0x0000000000402DD8-mapping.dmp

Download
memory/888-106-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/888-103-0x00000000011AB000-0x00000000011BC000-memory.dmp

Filesize
68KB

Download
memory/888-94-0x0000000000000000-mapping.dmp

Download
memory/888-107-0x0000000000400000-0x0000000001085000-memory.dmp

Filesize
12.5MB

Download
memory/956-59-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/956-58-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1028-92-0x0000000001C40000-0x0000000001CCF000-memory.dmp

Filesize
572KB

Download
memory/1028-88-0x0000000000000000-mapping.dmp

Download
memory/1028-91-0x00000000001B0000-0x00000000001FF000-memory.dmp

Filesize
316KB

Download
memory/1028-93-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1268-60-0x0000000002B60000-0x0000000002B76000-memory.dmp

Filesize
88KB

Download
memory/1268-75-0x0000000002B90000-0x0000000002BA6000-memory.dmp

Filesize
88KB

Download
memory/1268-110-0x0000000003E30000-0x0000000003E46000-memory.dmp

Filesize
88KB

Download
memory/1692-114-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1692-112-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1692-108-0x0000000000000000-mapping.dmp

Download
memory/1692-113-0x00000000002D0000-0x00000000002F1000-memory.dmp

Filesize
132KB

Download
memory/1704-96-0x0000000000000000-mapping.dmp

Download
memory/1704-101-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1704-105-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1816-76-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1816-70-0x0000000000000000-mapping.dmp

Download
memory/1816-73-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1948-81-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1948-87-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1948-79-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1948-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1948-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1948-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1948-83-0x0000000000418EEA-mapping.dmp

Download
memory/1948-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download