Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2024 00:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    285601c9d8ba5030cb23a22f0f78ead412ce73b55ed978137a8f66015ea6278a.exe

  • Size

    1.8MB

  • MD5

    b6042f0984c283f28b8b78cece2a1c54

  • SHA1

    867568b9bf1f2975516c88255386f3e1352a746d

  • SHA256

    285601c9d8ba5030cb23a22f0f78ead412ce73b55ed978137a8f66015ea6278a

  • SHA512

    e97d24e60777bbb84b8fd8617c331904dfa115fb5c01e317a8ce861a6b79b253b21c8adc7dec68e6af57b2e86d8a64b173cd31d9d9694385de8c4514a61c8520

  • SSDEEP

    49152:8huG/+Mn6MT7MNhe6lOiAt08q0Ur+djH:wuG/+o1aLxAtc+p

Score
10/10
amadeylummastealczgratdiscoveryevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Family

lumma

C2

https://relevantvoicelesskw.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect ZGRat V1 3 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\285601c9d8ba5030cb23a22f0f78ead412ce73b55ed978137a8f66015ea6278a.exe
    "C:\Users\Admin\AppData\Local\Temp\285601c9d8ba5030cb23a22f0f78ead412ce73b55ed978137a8f66015ea6278a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3320
  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
      "C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:4072
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1264
            4⤵
            • Program crash
            PID:364
      • C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe
        "C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Users\Admin\AppData\Local\Temp\u1s4.0.exe
          "C:\Users\Admin\AppData\Local\Temp\u1s4.0.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2176
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFBKKFBAEG.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1396
            • C:\Users\Admin\AppData\Local\Temp\AFBKKFBAEG.exe
              "C:\Users\Admin\AppData\Local\Temp\AFBKKFBAEG.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5024
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\AFBKKFBAEG.exe
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1232
                • C:\Windows\SysWOW64\PING.EXE
                  ping 2.2.2.2 -n 1 -w 3000
                  7⤵
                  • Runs ping.exe
                  PID:4852
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 2452
            4⤵
            • Program crash
            PID:2024
        • C:\Users\Admin\AppData\Local\Temp\u1s4.1.exe
          "C:\Users\Admin\AppData\Local\Temp\u1s4.1.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4912
          • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4188
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 1612
          3⤵
          • Program crash
          PID:4056
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3740
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            4⤵
              PID:4312
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\999976163400_Desktop.zip' -CompressionLevel Optimal
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1776
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
          2⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          PID:2368
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4072 -ip 4072
        1⤵
          PID:2024
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2308 -ip 2308
          1⤵
            PID:2664
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2176 -ip 2176
            1⤵
              PID:1336

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Are.docx
              Filesize

              11KB

              MD5

              a33e5b189842c5867f46566bdbf7a095

              SHA1

              e1c06359f6a76da90d19e8fd95e79c832edb3196

              SHA256

              5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

              SHA512

              f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

              Download Submit

            • C:\ProgramData\mozglue.dll
              Filesize

              593KB

              MD5

              c8fd9be83bc728cc04beffafc2907fe9

              SHA1

              95ab9f701e0024cedfbd312bcfe4e726744c4f2e

              SHA256

              ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

              SHA512

              fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

              Download Submit

            • C:\ProgramData\nss3.dll
              Filesize

              2.0MB

              MD5

              1cc453cdf74f31e4d913ff9c10acdde2

              SHA1

              6e85eae544d6e965f15fa5c39700fa7202f3aafe

              SHA256

              ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

              SHA512

              dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
              Filesize

              1.8MB

              MD5

              b6042f0984c283f28b8b78cece2a1c54

              SHA1

              867568b9bf1f2975516c88255386f3e1352a746d

              SHA256

              285601c9d8ba5030cb23a22f0f78ead412ce73b55ed978137a8f66015ea6278a

              SHA512

              e97d24e60777bbb84b8fd8617c331904dfa115fb5c01e317a8ce861a6b79b253b21c8adc7dec68e6af57b2e86d8a64b173cd31d9d9694385de8c4514a61c8520

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
              Filesize

              350KB

              MD5

              04df085b57814d1a1accead4e153909e

              SHA1

              6d277da314ef185ba9072a9b677b599b1f46c35b

              SHA256

              91a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd

              SHA512

              f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe
              Filesize

              299KB

              MD5

              a2b161448fadc60d1be2f5e2e1e50851

              SHA1

              46703a8785f0685266cbd971440cee3240dcbb30

              SHA256

              2e66f1f05115b2b8d308a3273a38c5ee289d9ebb284fe20609c34c3e1c4d8f62

              SHA512

              e303435418b9e147f9ca03fdf8680e24933ade7ab4ee5c17c7af816be01c402c3856709698dc35904e0a1fcbf738e166190e289f3da0719c0487c7ebcd02af82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe
              Filesize

              85KB

              MD5

              11a6fbce3e9242fcbc0bc75564ff4efc

              SHA1

              c757fe159a80b43bc8f7a29654fb06bcd201ed2c

              SHA256

              5794b9ce85d60509b64e94e07970dcd8fd0100b2d0c5c3a24e4942a6fd0b04b1

              SHA512

              be8b6925460374caac3e92fe2633ca041cdfa47568e5878bd80855392d2396cd67a2a9c2e674c84b51c17ec5d7ce306f1c17835e5eb4f1f6b113a3e0dd13e8ee

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe
              Filesize

              25KB

              MD5

              bfa68a66095e8b33d0e90e964d9b3a99

              SHA1

              37ab809f1a184fe223cb7df74f4b23d23d0095ca

              SHA256

              5c0c146be2cecd9cc3f86e4581076ae6c3edb0125ec6f127884e2112baea9031

              SHA512

              f6ae6a29dcb3c2c7004fc2c6a3f2d965f8a0f863ac1913765a721f77383f954bcc23bf945f77ccdd498beed189d6420c829a03df6ed7b493c08bc2b9f92c5d82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\AFBKKFBAEG.exe
              Filesize

              101KB

              MD5

              42b838cf8bdf67400525e128d917f6e0

              SHA1

              a578f6faec738912dba8c41e7abe1502c46d0cae

              SHA256

              0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d

              SHA512

              f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bvcnonv.lzl.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
              Filesize

              2KB

              MD5

              aeb028b3fa826a5182af7aeec73f3cc7

              SHA1

              c69055ed3ad17edfc0164f201ab8021d92e2599d

              SHA256

              ea18218f4138ec0388c17b2ac8445cffd366124de77a75dda0027f3a4dde7027

              SHA512

              61d6047b301b66863a86ea02f10956c3f6db6009a9fdbb175b3611a83606370786e1095375a98e60bc0b81f4971d64ca7116e32791e675c31484911392e8867d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\u1s4.0.exe
              Filesize

              261KB

              MD5

              369bcf5627230da1e49844148acf3fe1

              SHA1

              929b7947ca9e37b4b7f9e8c881ac31f86a6d29e3

              SHA256

              347ea599612fa73c1ad9b66eb576f6e74d4435bd1bdc4488f6d93e7564e3e1f4

              SHA512

              3274e4d9482b58eef43058ce6355db3b74f038f8af08bed04b0e86b5f5eb56ffbbe84c7b6cd4e0357d306069e30bc86de558f4e559c32a8a0bb9c8f040bbb490

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\u1s4.0.exe
              Filesize

              240KB

              MD5

              ef80c08ab326ed351d465e4e6ae9c3bf

              SHA1

              84d16018c2fee326d1599c5e8860f97af0267564

              SHA256

              28cf98ce9806dafc20138b9ee6b75e88c782a36ed57af763e6a382646e3552c5

              SHA512

              54e8dceefc81e4808143e90d21464f748251659e37c14492f0f99c20bbdf4a3a5165c4ef1774c476f8727ad88ca320f49110162cdc691e6c7009cef366fd3613

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\u1s4.1.exe
              Filesize

              2.6MB

              MD5

              0677f4c375a19ad442abab9133039c90

              SHA1

              a6a1548c9349b63a6cdb39e2be3d3b0ef6f96042

              SHA256

              1696811c588552f090fdeeeb0efb3b55bed77a29347a2c4177f70de1095e32d6

              SHA512

              940da7cf772e62526a9188f19c2a3ed471d3a93084f2b26af51bbd75e32327d3c4d5009b864ed7c593126796da1ab66523c84b022e6e3073bb18093f27dc4d72

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\u1s4.1.exe
              Filesize

              2.9MB

              MD5

              68f9bc9923b79152210656edef39d178

              SHA1

              c2fcdb51d47df3ac6e5c70d2ac719b57117d177c

              SHA256

              de86b9b1343ef20ed842fb2c6ad1665510060fca405bac40db3ee8962c3ec1f5

              SHA512

              483642f8dbef00ef0c81308f7725c8065517876a9486a4be8cfe233071116c197ffd3b220e254e65008ab51f5aefd93356f712e0e2083bce41999c6cb597642c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\u1s4.1.exe
              Filesize

              2.1MB

              MD5

              2a9f0ded21b6dc8e4f2638160d2b9a4a

              SHA1

              a2a31b48ee56644f9acf10be07f378eaa4836f8a

              SHA256

              856f54fd2c9f9215ac4d8ed3362f780b0eada47fc0e03023469ac6dedcb2a578

              SHA512

              b1c3e47efa2b7ebda33317489a32668d82ea36660075d9448d04e46b873f15168ab148791b01adeee73768d70717766dca136242a8876d283f8176da06031744

              Download Submit

            • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
              Filesize

              109KB

              MD5

              2afdbe3b99a4736083066a13e4b5d11a

              SHA1

              4d4856cf02b3123ac16e63d4a448cdbcb1633546

              SHA256

              8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

              SHA512

              d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

              Download Submit

            • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
              Filesize

              1.2MB

              MD5

              92fbdfccf6a63acef2743631d16652a7

              SHA1

              971968b1378dd89d59d7f84bf92f16fc68664506

              SHA256

              b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

              SHA512

              b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

              Download Submit

            • memory/1776-221-0x00007FF98AF90000-0x00007FF98BA51000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1776-208-0x00007FF98AF90000-0x00007FF98BA51000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1776-203-0x000001F8CB640000-0x000001F8CB662000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1776-215-0x000001F8E3B70000-0x000001F8E3B7A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1776-209-0x000001F8E3B80000-0x000001F8E3B90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1776-210-0x000001F8E3B80000-0x000001F8E3B90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1776-214-0x000001F8E3CD0000-0x000001F8E3CE2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2176-94-0x0000000000650000-0x0000000000750000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2176-97-0x0000000000400000-0x000000000063B000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/2176-95-0x0000000002240000-0x0000000002267000-memory.dmp

              Filesize

              156KB

              Download

            • memory/2176-222-0x0000000000400000-0x000000000063B000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/2176-234-0x0000000000650000-0x0000000000750000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2176-116-0x0000000061E00000-0x0000000061EF3000-memory.dmp

              Filesize

              972KB

              Download

            • memory/2176-317-0x0000000000400000-0x000000000063B000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/2176-300-0x0000000000400000-0x000000000063B000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/2308-84-0x0000000000400000-0x000000000056B000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2308-82-0x00000000008B0000-0x00000000009B0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2308-122-0x0000000000400000-0x000000000056B000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2308-83-0x0000000000820000-0x000000000088F000-memory.dmp

              Filesize

              444KB

              Download

            • memory/2348-182-0x0000000002820000-0x0000000004820000-memory.dmp

              Filesize

              32.0MB

              Download

            • memory/2348-48-0x00000000004A0000-0x00000000004FE000-memory.dmp

              Filesize

              376KB

              Download

            • memory/2348-49-0x0000000072B60000-0x0000000073310000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2348-57-0x0000000072B60000-0x0000000073310000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2348-58-0x0000000002820000-0x0000000004820000-memory.dmp

              Filesize

              32.0MB

              Download

            • memory/3000-338-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-19-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-337-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-333-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-18-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-26-0x0000000004E70000-0x0000000004E71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3000-96-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-25-0x0000000004E20000-0x0000000004E21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3000-24-0x0000000004E30000-0x0000000004E31000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3000-320-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-335-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-328-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-112-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-334-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-331-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-163-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-28-0x0000000004E90000-0x0000000004E91000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3000-332-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-27-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3000-336-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-20-0x0000000004E50000-0x0000000004E51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3000-21-0x0000000004E40000-0x0000000004E41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3000-22-0x0000000004E80000-0x0000000004E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3000-23-0x0000000004E10000-0x0000000004E11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3000-323-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3000-232-0x0000000000470000-0x000000000092D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3320-4-0x0000000004E70000-0x0000000004E71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3320-3-0x0000000004E60000-0x0000000004E61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3320-8-0x0000000004E40000-0x0000000004E41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3320-7-0x0000000004E30000-0x0000000004E31000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3320-2-0x0000000000490000-0x000000000094D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3320-6-0x0000000004E90000-0x0000000004E91000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3320-1-0x0000000076F54000-0x0000000076F56000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3320-0-0x0000000000490000-0x000000000094D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/3320-5-0x0000000004E50000-0x0000000004E51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3320-10-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3320-9-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3320-15-0x0000000000490000-0x000000000094D000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4072-109-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download

            • memory/4072-64-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download

            • memory/4072-52-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download

            • memory/4072-55-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download

            • memory/4072-59-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4072-60-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4072-61-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4072-63-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4072-62-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4188-244-0x0000022E5B970000-0x0000022E5B984000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4188-245-0x0000022E75BD0000-0x0000022E75BF4000-memory.dmp

              Filesize

              144KB

              Download

            • memory/4188-240-0x0000022E75C10000-0x0000022E75C20000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4188-239-0x0000022E57C30000-0x0000022E5B502000-memory.dmp

              Filesize

              56.8MB

              Download

            • memory/4188-238-0x00007FF98B460000-0x00007FF98BF21000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4188-246-0x0000022E75BF0000-0x0000022E75BFA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4188-248-0x0000022E75C50000-0x0000022E75D02000-memory.dmp

              Filesize

              712KB

              Download

            • memory/4188-247-0x0000022E75C20000-0x0000022E75C4A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/4188-242-0x0000022E5B9A0000-0x0000022E5B9B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4188-241-0x0000022E75E20000-0x0000022E75F2E000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/4188-243-0x0000022E75B80000-0x0000022E75B8C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4188-250-0x0000022E760F0000-0x0000022E76152000-memory.dmp

              Filesize

              392KB

              Download

            • memory/4188-249-0x0000022E76070000-0x0000022E760EA000-memory.dmp

              Filesize

              488KB

              Download

            • memory/4912-113-0x00000000026A0000-0x00000000026A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4912-233-0x0000000000400000-0x00000000008AD000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4912-237-0x0000000000400000-0x00000000008AD000-memory.dmp

              Filesize

              4.7MB

              Download