lokibot | 34d0f98cec02e36273e2e3fadfc535875acf7df8dc8e68b5a9b10ab74300cde9

Analysis

max time kernel
129s
max time network
132s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27-07-2023 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a7ad2ace11903c9d16a6c8660631de.rtf
Size

42KB
MD5

50a7ad2ace11903c9d16a6c8660631de
SHA1

d67e713c65195405dd9a97034d15c7d8fa3b37bb
SHA256

34d0f98cec02e36273e2e3fadfc535875acf7df8dc8e68b5a9b10ab74300cde9
SHA512

be37c692d197263b425745077c743b91e2dd90fa1e2ac531b8d00d904012df52928d5638733de1be2556dc78ab01b2dbd2020d9e36c4281c67f46068bdff3fd0
SSDEEP

768:MFx0XaIsnPRIa4fwJMAUZCdpcWyxGPnSCX4gApJ43XvtcB62anYp:Mf0Xvx3EMAUCTcWyxGPdvnvtcBHanYp

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://185.246.220.60/official/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 2856 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

sebobbytofj67937817.exe

pid process

2948 sebobbytofj67937817.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2856 EQNEDT32.EXE

flow	pid	process
3	2856	EQNEDT32.EXE

pid	process
2948	sebobbytofj67937817.exe

pid	process
2856	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Caspol.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sebobbytofj67937817.exe

description pid process target process

PID 2948 set thread context of 2692 2948 sebobbytofj67937817.exe Caspol.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2856 EQNEDT32.EXE

description	pid	process	target process
PID 2948 set thread context of 2692	2948	sebobbytofj67937817.exe	Caspol.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2856	EQNEDT32.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

sebobbytofj67937817.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sebobbytofj67937817.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sebobbytofj67937817.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sebobbytofj67937817.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sebobbytofj67937817.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2424 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sebobbytofj67937817.exeCaspol.exe

description pid process

Token: SeDebugPrivilege 2948 sebobbytofj67937817.exe
Token: SeDebugPrivilege 2692 Caspol.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2424 WINWORD.EXE
2424 WINWORD.EXE

pid	process
2424	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2948	sebobbytofj67937817.exe
Token: SeDebugPrivilege	2692	Caspol.exe

pid	process
2424	WINWORD.EXE
2424	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EQNEDT32.EXEsebobbytofj67937817.exeWINWORD.EXE

description	pid	process	target process
PID 2856 wrote to memory of 2948	2856	EQNEDT32.EXE	sebobbytofj67937817.exe
PID 2856 wrote to memory of 2948	2856	EQNEDT32.EXE	sebobbytofj67937817.exe
PID 2856 wrote to memory of 2948	2856	EQNEDT32.EXE	sebobbytofj67937817.exe
PID 2856 wrote to memory of 2948	2856	EQNEDT32.EXE	sebobbytofj67937817.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2948 wrote to memory of 2692	2948	sebobbytofj67937817.exe	Caspol.exe
PID 2424 wrote to memory of 2392	2424	WINWORD.EXE	splwow64.exe
PID 2424 wrote to memory of 2392	2424	WINWORD.EXE	splwow64.exe
PID 2424 wrote to memory of 2392	2424	WINWORD.EXE	splwow64.exe
PID 2424 wrote to memory of 2392	2424	WINWORD.EXE	splwow64.exe

outlook_office_path 1 IoCs

Processes:

Caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Caspol.exe

outlook_win_path 1 IoCs

Processes:

Caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Caspol.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\50a7ad2ace11903c9d16a6c8660631de.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2392

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Roaming\sebobbytofj67937817.exe
"C:\Users\Admin\AppData\Roaming\sebobbytofj67937817.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
942d1246688d75f3a741f9beac171c39

SHA1
2c9b92466059078fd6072452f71c125997787140

SHA256
34fc9379582fce49f883f7647123e9d9d682eef905d8f5d1a3c520c8193ad454

SHA512
01c405baf80f7dd073d1b2dbaff32d2246b98e2c1a646f144ebf3cf1a235c708e5f8f804dc6941e1a2e8ec7e8fcd6ff409b5883e1c53ae02f98724df52f74eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8587.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8876.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4219371764-2579186923-3390623117-1000\0f5007522459c86e95ffcc62f32308f1_a858d4fe-e318-4442-a90a-f02c78216cd3

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4219371764-2579186923-3390623117-1000\0f5007522459c86e95ffcc62f32308f1_a858d4fe-e318-4442-a90a-f02c78216cd3

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
ef66647d68f1c1f5d4371e7c3807f2dc

SHA1
a2a2d4a07d8125a02d9ee79e27508a6a377d72dc

SHA256
e9b4dc1fc9e1064103979f0ba18760d54b1dc917220de6d60abac4df690e80d5

SHA512
5c6094921d6de5922f765f5d39b4766fd6589a0db8e998ac2af0c79a37569e03f3e5439434bf5d7b7c53836c98ab5fab2e2035d0e49249111e60875ecbc5de8e

Download Submit
C:\Users\Admin\AppData\Roaming\sebobbytofj67937817.exe

Filesize
174KB

MD5
b05e3ab4699177f4dcad8e34ceda8efb

SHA1
568e2932d120af816e13060d006d713b494c7790

SHA256
3f48c70b0b15437fcbc386995c3c13cc62a2193b42ff8ecb7db4aff28cec9254

SHA512
a0d8680e20496e13cc29012a32c9c72b4678f16bd86b20bd87c4081c0e05b86f4fe123b1176a140da6435fbc166390e1be1782becc2f6a9208bcd2abe631d386

Download Submit
C:\Users\Admin\AppData\Roaming\sebobbytofj67937817.exe

Filesize
174KB

MD5
b05e3ab4699177f4dcad8e34ceda8efb

SHA1
568e2932d120af816e13060d006d713b494c7790

SHA256
3f48c70b0b15437fcbc386995c3c13cc62a2193b42ff8ecb7db4aff28cec9254

SHA512
a0d8680e20496e13cc29012a32c9c72b4678f16bd86b20bd87c4081c0e05b86f4fe123b1176a140da6435fbc166390e1be1782becc2f6a9208bcd2abe631d386

Download Submit
C:\Users\Admin\AppData\Roaming\sebobbytofj67937817.exe

Filesize
174KB

MD5
b05e3ab4699177f4dcad8e34ceda8efb

SHA1
568e2932d120af816e13060d006d713b494c7790

SHA256
3f48c70b0b15437fcbc386995c3c13cc62a2193b42ff8ecb7db4aff28cec9254

SHA512
a0d8680e20496e13cc29012a32c9c72b4678f16bd86b20bd87c4081c0e05b86f4fe123b1176a140da6435fbc166390e1be1782becc2f6a9208bcd2abe631d386

Download Submit
\Users\Admin\AppData\Roaming\sebobbytofj67937817.exe

Filesize
174KB

MD5
b05e3ab4699177f4dcad8e34ceda8efb

SHA1
568e2932d120af816e13060d006d713b494c7790

SHA256
3f48c70b0b15437fcbc386995c3c13cc62a2193b42ff8ecb7db4aff28cec9254

SHA512
a0d8680e20496e13cc29012a32c9c72b4678f16bd86b20bd87c4081c0e05b86f4fe123b1176a140da6435fbc166390e1be1782becc2f6a9208bcd2abe631d386

Download Submit
memory/2424-208-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2424-209-0x000000007128D000-0x0000000071298000-memory.dmp

Filesize
44KB

Download
memory/2424-56-0x000000007128D000-0x0000000071298000-memory.dmp

Filesize
44KB

Download
memory/2424-180-0x000000007128D000-0x0000000071298000-memory.dmp

Filesize
44KB

Download
memory/2424-179-0x000000002F030000-0x000000002F18D000-memory.dmp

Filesize
1.4MB

Download
memory/2424-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2424-54-0x000000002F030000-0x000000002F18D000-memory.dmp

Filesize
1.4MB

Download
memory/2692-150-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-189-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-154-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-155-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-153-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-158-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-151-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-149-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-177-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2692-148-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2948-157-0x000000006AED0000-0x000000006B5BE000-memory.dmp

Filesize
6.9MB

Download
memory/2948-147-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/2948-71-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/2948-70-0x000000006AED0000-0x000000006B5BE000-memory.dmp

Filesize
6.9MB

Download
memory/2948-69-0x0000000000B80000-0x0000000000BB4000-memory.dmp

Filesize
208KB

Download