redline | 212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c

Analysis

max time kernel
45s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

230KB
MD5

5696e707bb2de303879e042ba9fb2681
SHA1

d31c6d321bcb949c8067b801f2565a73ad6b38a6
SHA256

212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c
SHA512

62eb3db3bc4e1ddc7bd107dec4d103d5f6f6155e073a40627fad43270ba405d421143e492e82765422d02c807c0d3d406a6e21475cf1a6ce7239fb3f27b7e967
SSDEEP

3072:sGTO9LytnkyFI/Kvum8OJ0iv3TGoAbyxieCh4RSf1X7QP5IStpTG:W9LYFI/bmvJ0i/aouyxR69Sn

Score

10^/10

redline risepro smokeloader socks5systemz zgrat pub1 backdoor botnet evasion infostealer rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

risepro

193.233.132.62:50500

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3000-210-0x0000000000950000-0x00000000009F2000-memory.dmp	family_socks5systemz

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4680-149-0x0000000000400000-0x000000000046A000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4680-149-0x0000000000400000-0x000000000046A000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

F02E.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ F02E.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	F02E.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/1432-140-0x0000000004CC0000-0x0000000004D3C000-memory.dmp	net_reactor
behavioral2/memory/1432-145-0x0000000005350000-0x00000000053CA000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F02E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	F02E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	F02E.exe

Deletes itself 1 IoCs

Processes:

pid process

3392
Executes dropped EXE 5 IoCs

Processes:

A316.exeE9A5.exeF02E.exeF5CD.exeF5CD.tmp

pid process

2624 A316.exe
2220 E9A5.exe
5048 F02E.exe
3372 F5CD.exe
1600 F5CD.tmp
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

F02E.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine F02E.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

F02E.exe

pid process

5048 F02E.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3668 2220 WerFault.exe E9A5.exe
2216 2220 WerFault.exe E9A5.exe

pid	process
3392

pid	process
2624	A316.exe
2220	E9A5.exe
5048	F02E.exe
3372	F5CD.exe
1600	F5CD.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine	F02E.exe

pid	process
5048	F02E.exe

pid	pid_target	process	target process
3668	2220	WerFault.exe	E9A5.exe
2216	2220	WerFault.exe	E9A5.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

A316.exefile.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A316.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A316.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A316.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1344	file.exe
1344	file.exe
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exeA316.exe

pid process

1344 file.exe
2624 A316.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

F5CD.exe

description	pid	process	target process
PID 3392 wrote to memory of 2624	3392		A316.exe
PID 3392 wrote to memory of 2624	3392		A316.exe
PID 3392 wrote to memory of 2624	3392		A316.exe
PID 3392 wrote to memory of 2220	3392		E9A5.exe
PID 3392 wrote to memory of 2220	3392		E9A5.exe
PID 3392 wrote to memory of 2220	3392		E9A5.exe
PID 3392 wrote to memory of 5048	3392		F02E.exe
PID 3392 wrote to memory of 5048	3392		F02E.exe
PID 3392 wrote to memory of 5048	3392		F02E.exe
PID 3392 wrote to memory of 3372	3392		F5CD.exe
PID 3392 wrote to memory of 3372	3392		F5CD.exe
PID 3392 wrote to memory of 3372	3392		F5CD.exe
PID 3372 wrote to memory of 1600	3372	F5CD.exe	F5CD.tmp
PID 3372 wrote to memory of 1600	3372	F5CD.exe	F5CD.tmp
PID 3372 wrote to memory of 1600	3372	F5CD.exe	F5CD.tmp

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1344

C:\Users\Admin\AppData\Local\Temp\A316.exe
C:\Users\Admin\AppData\Local\Temp\A316.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2624

C:\Users\Admin\AppData\Local\Temp\E9A5.exe
C:\Users\Admin\AppData\Local\Temp\E9A5.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1048
2⤵
- Program crash
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1052
2⤵
- Program crash
PID:2216

C:\Users\Admin\AppData\Local\Temp\F02E.exe
C:\Users\Admin\AppData\Local\Temp\F02E.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5048

C:\Users\Admin\AppData\Local\Temp\F5CD.exe
C:\Users\Admin\AppData\Local\Temp\F5CD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\is-IAJDN.tmp\F5CD.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IAJDN.tmp\F5CD.tmp" /SL5="$A0040,6192182,54272,C:\Users\Admin\AppData\Local\Temp\F5CD.exe"
2⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
"C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe" -s
3⤵
PID:3000

C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
"C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe" -i
3⤵
PID:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:4680

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
2⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\FABF.exe
C:\Users\Admin\AppData\Local\Temp\FABF.exe
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2220 -ip 2220
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2220 -ip 2220
1⤵
PID:3768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
Filesize
80KB

MD5
e904ffd2a125b340cba5970c7ef95e97

SHA1
ed3c518172eee9a5ee2a9f6ed9112600d53aefbb

SHA256
c5c0f1f6fc38e34e6b8b7e40d970e08cd13a139eb77c3ac78d83eec072f64010

SHA512
9a41e1f8736b272ea64e2046109e5197104873db7c8f12413e83c27879bc50de52df878627b97bc62f373c3fa43b153fbcee5733fe112fb6c331ee15fcbd91da

Download Submit
C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
Filesize
290KB

MD5
13f6ba8258497e9ec45c9e0704ca1446

SHA1
934ad7c38437af9d535f1d14fe59072b6a8e01b3

SHA256
0a0173f4185b3fdedba171b6fa88495311774c5fe6abfeaa5782e4d31d4a25a4

SHA512
abe56b0cb16d6c9e542cabc79e7b160c53740d4c95e6820b6886aaecced2fcd4e8dd2cbd989f8d654204b85c2f0461a658973188c62a475ee1928563ee2a98a0

Download Submit
C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
Filesize
107KB

MD5
dbe721adfc8f9570b45c1beec72f5b54

SHA1
007fb7e56eb089484ba378a358416a33938f9e62

SHA256
830410d46ca711240224d50ecde273bb44e69a70e5ff46e887cb584cc3598071

SHA512
3736a981aded2ef05c560cce75f148cd035f01ff36ac7b73698fbc5db05e99fad3cb272b3d9be03d5b262aab495c25c81422c4cc379ad9dbbc2d4cfc7dd18767

Download Submit
C:\Users\Admin\AppData\Local\Temp\A316.exe
Filesize
230KB

MD5
5696e707bb2de303879e042ba9fb2681

SHA1
d31c6d321bcb949c8067b801f2565a73ad6b38a6

SHA256
212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c

SHA512
62eb3db3bc4e1ddc7bd107dec4d103d5f6f6155e073a40627fad43270ba405d421143e492e82765422d02c807c0d3d406a6e21475cf1a6ce7239fb3f27b7e967

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9A5.exe
Filesize
89KB

MD5
61966ca939020c898bbb4aa235c065cf

SHA1
b7685c10fb089e5d6570800ce0e0ce937d4897c5

SHA256
020b4467b0e824fcfc6f48a1f8c3e06ad1dd9889b26caf9a069e34f28717c766

SHA512
9bea0d459cb9f37e877020446e292536d043aaf8e7140c26b59d73ebd6e68a4039b10a42b749d127819636310e7623ecadd768b216a652c09020cd0aadc4aa56

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9A5.exe
Filesize
241KB

MD5
0b3ba37cabc6af116bdbc271ae8903d5

SHA1
78a41c7bff366acedebd1186c2f674cc1b57ce3a

SHA256
9c7966f10ec289ed8232052c8d37e8cb8107c160215e46fec90dd74467dcd5d6

SHA512
046cb14854f5589c8128b57886f0675ee6f670af0ec977e2d56c4117540c9e4a1e578bac671a9a6fb065dd370d794bac3ac45460725bde47198f0817434dbef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F02E.exe
Filesize
159KB

MD5
61db26d7e341b9e48a8a3fa390f6b9f5

SHA1
b66b31ef30f2ee0e1dfcccc66b33aa386314cbcd

SHA256
671dd509dbddf7ffc4a89f995066f5b7e8727592de31dce00d1d36b7ff76e443

SHA512
463d60b26acb12257c5cc638acca6c4350ac83bf83af9011e4d895556ed91dcf24d0e9e366b60a3a9fba4baa79fbd47de9984dc02fc2d9c8e2f26b78a953f422

Download Submit
C:\Users\Admin\AppData\Local\Temp\F02E.exe
Filesize
137KB

MD5
b72fc1e64d9750fed66e1011e4102dfe

SHA1
76e8eb2e3b19a44fc320169a9976399900587030

SHA256
c151b922db0743dfcee49f58d5046e9dbcccbf04d0de8d5b33aa661975913293

SHA512
931c4a71270b15d3fa210799f700ffa3182b126b26bb1a122a9bb4d747c2f3f6f8d09bf20c7e8c0b310f8c5c4b33218ecc331ea72b31fa049ae986c5b31781ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5CD.exe
Filesize
121KB

MD5
7ea4dd012bb0cca44e704a24668c519e

SHA1
3918df6f816d77db28604c73c0e6dfa330494d76

SHA256
51460a43c2280b1cec403da3a8bccdbe28bfd4d335098db58c49b3b25327241c

SHA512
85ed4f5e53e0f2021fe74cc85615858131633b64152779318cc4fde5056d8356a70692ebdd289dfd29e39526c2ca6ec56918dd231c5849fcceb1d668dfa9bea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5CD.exe
Filesize
185KB

MD5
ec33b716b2042f92077fd3e84e25811d

SHA1
c3ce7200b5ab3128e9963044f1ff84578ceb0497

SHA256
8ce2b9dcc228d5413488e4e229ceba7f83700cb2abcf8e8c4f8a18fcfad7ee34

SHA512
b4dc42ee1d88dcce462d1781bdece638e17fd3d92dad0e3aef17c0d890a82c5ff4ed81bd62a3499a3019e3f456b6a95a757dd0e6a82a51e5764dd826f5f117d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FABF.exe
Filesize
42KB

MD5
92ac3e8b7e7d972a10f780d6928ffbcf

SHA1
b1473df8702f925bfd5727f6b76b8b0afcce38c0

SHA256
18496ff7a42110d77beecca094d2e191682236978fed4ce8dc5942e34fb46d94

SHA512
d9272e91db4c4c07c22051b88ed5b9736e042a67ec71325f07c3d3879aca04c298a1aa93aa064123ce2da848b7368c6b57eaa710915b098c1c4ab7ddb0bb0050

Download Submit
C:\Users\Admin\AppData\Local\Temp\FABF.exe
Filesize
21KB

MD5
64086e747fc75ba8ad781131e59a2b81

SHA1
09e9e324323d384a0c9bac38a6cb66d857fc6ad3

SHA256
c42a014c25c2cccbb82a70864736ec62b462dea5826260a8b5a446a122009535

SHA512
79364abb19809335607ffc678bf78e79713d29eba5b0cb69b3a42ec2a92686ec17d4dc48cc0ee8020a731e63c10352fc05280d3bad56bfc56dbb16d3de6e4845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FR7L3.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IAJDN.tmp\F5CD.tmp
Filesize
96KB

MD5
6fb860382d859b7714b7589f8d4a75d4

SHA1
a9bd67b9c8a29ab0bd7e77c7d043e783c4f1c926

SHA256
4e15144ebf87495f96a2c8f5f08ca7fcc0655c8138738668c0f77a7fef48baa0

SHA512
ae7d9d8bd71a5b244a580ef1ec044f85c7d8fd8f033818883631caa7faeb2870c99a02c5c4938cf98ca58f4113ddd4d45159a1fda54abd22a81bc2e8635faae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IAJDN.tmp\F5CD.tmp
Filesize
138KB

MD5
712590132ca18e7c57816eb898046721

SHA1
8caf26cb0c04c9e65d2a09e0085d3ec55cee3683

SHA256
08403e227758f7bc8c4995115e9ab8d354c4ce0aaead21ad726024f7723c0a5f

SHA512
324caefdc4fd4912a4384114899c937ac54b22f55720834d11c9dfdba46a0a142d9ac9bde30cddd7835bce05ee68b905a97f560735e21128802cffe00f894248

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
memory/8-121-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/8-122-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/8-125-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/8-124-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1344-2-0x00000000004D0000-0x00000000004DB000-memory.dmp

Filesize
44KB

Download
memory/1344-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1344-1-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/1344-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1432-154-0x00000000726D0000-0x0000000072E80000-memory.dmp

Filesize
7.7MB

Download
memory/1432-143-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/1432-144-0x0000000004D40000-0x00000000052E4000-memory.dmp

Filesize
5.6MB

Download
memory/1432-142-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/1432-145-0x0000000005350000-0x00000000053CA000-memory.dmp

Filesize
488KB

Download
memory/1432-152-0x0000000002880000-0x0000000004880000-memory.dmp

Filesize
32.0MB

Download
memory/1432-140-0x0000000004CC0000-0x0000000004D3C000-memory.dmp

Filesize
496KB

Download
memory/1432-141-0x00000000726D0000-0x0000000072E80000-memory.dmp

Filesize
7.7MB

Download
memory/1600-169-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1600-71-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1600-173-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2220-31-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2220-32-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2220-139-0x0000000001410000-0x0000000001442000-memory.dmp

Filesize
200KB

Download
memory/2220-134-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2220-29-0x0000000000450000-0x0000000000F64000-memory.dmp

Filesize
11.1MB

Download
memory/2220-137-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2220-25-0x0000000000450000-0x0000000000F64000-memory.dmp

Filesize
11.1MB

Download
memory/2220-35-0x0000000001410000-0x0000000001442000-memory.dmp

Filesize
200KB

Download
memory/2220-34-0x0000000001410000-0x0000000001442000-memory.dmp

Filesize
200KB

Download
memory/2220-33-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2220-138-0x0000000001410000-0x0000000001442000-memory.dmp

Filesize
200KB

Download
memory/2220-135-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2220-136-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2624-19-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2624-16-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2624-17-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3000-210-0x0000000000950000-0x00000000009F2000-memory.dmp

Filesize
648KB

Download
memory/3000-171-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-228-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-223-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-128-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-129-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-219-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-174-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-211-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-232-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-193-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-206-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-202-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3000-197-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/3372-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3372-157-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3372-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3392-18-0x0000000002880000-0x0000000002896000-memory.dmp

Filesize
88KB

Download
memory/3392-4-0x00000000023F0000-0x0000000002406000-memory.dmp

Filesize
88KB

Download
memory/4048-187-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/4680-167-0x00000000084C0000-0x0000000008682000-memory.dmp

Filesize
1.8MB

Download
memory/4680-188-0x00000000726D0000-0x0000000072E80000-memory.dmp

Filesize
7.7MB

Download
memory/4680-161-0x00000000054A0000-0x00000000054EC000-memory.dmp

Filesize
304KB

Download
memory/4680-160-0x0000000005450000-0x000000000548C000-memory.dmp

Filesize
240KB

Download
memory/4680-158-0x0000000005560000-0x000000000566A000-memory.dmp

Filesize
1.0MB

Download
memory/4680-159-0x00000000726D0000-0x0000000072E80000-memory.dmp

Filesize
7.7MB

Download
memory/4680-156-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/4680-162-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/4680-163-0x0000000006310000-0x0000000006386000-memory.dmp

Filesize
472KB

Download
memory/4680-164-0x0000000006430000-0x00000000064C2000-memory.dmp

Filesize
584KB

Download
memory/4680-165-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/4680-166-0x0000000007330000-0x0000000007380000-memory.dmp

Filesize
320KB

Download
memory/4680-153-0x0000000005A70000-0x0000000006088000-memory.dmp

Filesize
6.1MB

Download
memory/4680-168-0x0000000008BC0000-0x00000000090EC000-memory.dmp

Filesize
5.2MB

Download
memory/4680-149-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4680-155-0x00000000052D0000-0x00000000052E2000-memory.dmp

Filesize
72KB

Download
memory/5048-46-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-51-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/5048-43-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/5048-44-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/5048-146-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-170-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-190-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-47-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/5048-194-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-48-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/5048-199-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-50-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/5048-203-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-42-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/5048-207-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-49-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/5048-52-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/5048-216-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-53-0x0000000004EC0000-0x0000000004EC2000-memory.dmp

Filesize
8KB

Download
memory/5048-220-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-45-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/5048-225-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-41-0x0000000076FB4000-0x0000000076FB6000-memory.dmp

Filesize
8KB

Download
memory/5048-229-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download
memory/5048-40-0x00000000001B0000-0x0000000000754000-memory.dmp

Filesize
5.6MB

Download