Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2024 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5702ca39cbae587bbc6527d25d2f68d89ba7d7578ed61fd3cbbc1b69ec059d06.exe

  • Size

    1.8MB

  • MD5

    fdeec5e7b00bce6a700162078103ade1

  • SHA1

    5ef10c297c76892e09322186365e37de42329e7f

  • SHA256

    5702ca39cbae587bbc6527d25d2f68d89ba7d7578ed61fd3cbbc1b69ec059d06

  • SHA512

    8ddbb6d0afaa14a2d39130d4ede3fe32b67509552f03d0485ec1f2d0faf519af3e62e4fc7ce2eb64692216707c75b88fbf65e79b0fa3df3bc3f8d8d70783815e

  • SSDEEP

    24576:wGVxKlbeT6eP1CcTH3ochYdodfppWXfHYh8swCxI3TqgcUlRZczr77Qjf:NSbe2uRFTefH88swmI3TzlIX77m

Score
10/10
amadeyriseprosmokeloaderstealcpub1backdoordiscoveryevasionpersistencestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes
  • install_dir

    09fd851a4f

  • install_file

    explorha.exe

  • strings_key

    443351145ece4966ded809641c77cfa8

  • url_paths

    /Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5702ca39cbae587bbc6527d25d2f68d89ba7d7578ed61fd3cbbc1b69ec059d06.exe
    "C:\Users\Admin\AppData\Local\Temp\5702ca39cbae587bbc6527d25d2f68d89ba7d7578ed61fd3cbbc1b69ec059d06.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\1000022001\bef45c0a3f.exe
        "C:\Users\Admin\AppData\Local\Temp\1000022001\bef45c0a3f.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        PID:3692
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
          4⤵
            PID:4524
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          PID:2452
        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
          "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
          3⤵
            PID:4304
          • C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe
            "C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3144
      • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4256
      • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1656
      • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3088
      • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
        C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe
          "C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4112
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe" /F
            3⤵
            • Creates scheduled task(s)
            PID:4424
          • C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe
            "C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4268
            • C:\Users\Admin\AppData\Local\Temp\u3ak.0.exe
              "C:\Users\Admin\AppData\Local\Temp\u3ak.0.exe"
              4⤵
              • Executes dropped EXE
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              PID:4680
            • C:\Users\Admin\AppData\Local\Temp\u3ak.1.exe
              "C:\Users\Admin\AppData\Local\Temp\u3ak.1.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:516
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1188
              4⤵
              • Program crash
              PID:4628
          • C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe
            "C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe"
            3⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:2624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4268 -ip 4268
        1⤵
          PID:3208

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        Virtualization/Sandbox Evasion

        2
        T1497

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        7
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        5
        T1082

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
          Filesize

          1.8MB

          MD5

          fdeec5e7b00bce6a700162078103ade1

          SHA1

          5ef10c297c76892e09322186365e37de42329e7f

          SHA256

          5702ca39cbae587bbc6527d25d2f68d89ba7d7578ed61fd3cbbc1b69ec059d06

          SHA512

          8ddbb6d0afaa14a2d39130d4ede3fe32b67509552f03d0485ec1f2d0faf519af3e62e4fc7ce2eb64692216707c75b88fbf65e79b0fa3df3bc3f8d8d70783815e

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
          Filesize

          1.3MB

          MD5

          312b4f5303e2e2818c83be8b220c8c8a

          SHA1

          5091ba9a1a285ffb8c5abf5f15b1bc06a1d6d417

          SHA256

          b68f1341063216029203ebf63484d5438f9eefe90b2b59d43a69221e6e21d2bd

          SHA512

          2f305ae46e56db8c5afbf8b7c923543eb1b0e55bc1c426b24c78c05efda4176bbab677966ae038029f4575f0301ec247a2482a2d0b6ddc72c470bc169633db9a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
          Filesize

          1.3MB

          MD5

          cbea4c549a2ce0d193ea871727151d81

          SHA1

          25655b112d0a3754a6060e22a2f7559dfee6b917

          SHA256

          fa390a41340f6ff8d5f27f7c67d3ca8b740c2b2be5b8ad7e07b5d0667c1b249b

          SHA512

          5303d05feb7e4b9db3b3c08526a78af4406abbf7604109b425d62e49858d27a761d4d0e3e3f3642924700ce8f99f5af26732e4153b30eb2bed894ed65e5e006b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
          Filesize

          1.7MB

          MD5

          021ea2360b063310b335d3585ec129f9

          SHA1

          bfe2be8fea420cb8f8a75d8759175b0e1a97dc2a

          SHA256

          3ae709abd9258b4cd5848920865199e4d497e4052d6d34a2a32af4904afff276

          SHA512

          d087ad6e9cc13fd6aed67875c86e8b57545b8e0dd63f01d99c9f58319d4a8762950acad40caa72486585c29d22dd3cd59694ba49bed71b2b741f56a0fefaf74e

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
          Filesize

          1.4MB

          MD5

          79645ac674c0403f8a6b85c4b5f569f6

          SHA1

          e4f9da144f7b5ec53d9fdcf3fa8ce46e926aaf8b

          SHA256

          880de864b2d5c0357d394106fa3f049d8989a95d4ad8c387aae439ea5c500b91

          SHA512

          ebbc716d00383b34ccf6b2a3b364b7c6dd59a41c927c0df0faf448f24cb3e7e7dc8e7914aab442a73d441ed0f1d43e57cba72796b2bd9f7c11ad139d09dcbd2f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
          Filesize

          1.4MB

          MD5

          42ff02a9b39497d21ec92f1a62d197b4

          SHA1

          ec9c8e4949698ac238bc20996b3bdec7caefcc43

          SHA256

          c90a09cdf55da37997745507a743502d3977e4dbdda58a86d5aa234a0d0c1650

          SHA512

          174fd49dbe2a1e690bf11ca5355fb716c61f0ee92a84f0742dd3393399e5b51bc33376c6e023a7595a651eca80d2dc122d63e638419fa12c159d7945c47db543

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1000022001\bef45c0a3f.exe
          Filesize

          3.0MB

          MD5

          ebc21c25c1cc50f27b6f182c2b8170db

          SHA1

          1b11aa7be558dad1b02b33f5abbc516c685598ee

          SHA256

          73c63485e5db44dfa7d77a6862d24261b2e6a23a70d69715c049f5bcdcc085db

          SHA512

          82c54bcac1960e4c6be37f781478c74557ffcfe71436aa3b32dfe56430b7ce73d07a170ab22afbedf5a3dd305d83fbb22171b8c8dd953e2875fb57b034d51d3b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1000022001\bef45c0a3f.exe
          Filesize

          1.3MB

          MD5

          11369dfdf2420fe8b17d3daea1eee48c

          SHA1

          09e59679f803175bca19ce5a1fa3ead01e685f00

          SHA256

          36801089cd8611ce5d606dc4f55d1d4cc212e757a616a107fc439a270f5b784e

          SHA512

          2866a136385107f8c29d7aecc343c43cabab5b2e78d4923f5ae1ec85b58fe36bcb7ccfe280f7420cf66b1728478d636b4266096f04de362ee7288ed8da2fee8a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1000022001\bef45c0a3f.exe
          Filesize

          1.1MB

          MD5

          306c5f1c17195b3e2befc98eb716bbfb

          SHA1

          2913b71acd81006ea1759806b505fb00d908ccc6

          SHA256

          84285b15e5cf947cf3639af44e26b9f37ceb5eb7b6343057b13710493c51ba44

          SHA512

          8067b1045a900735c41e6688689c33e4c0fe395de471309fc1efdbdadc7b6483ff77ee4ea9397384a2e1d728afd4cf1a99d23343ae9b50e9af2320aed91ed00c

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe
          Filesize

          413KB

          MD5

          d467222c3bd563cb72fa49302f80b079

          SHA1

          9335e2a36abb8309d8a2075faf78d66b968b2a91

          SHA256

          fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

          SHA512

          484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe
          Filesize

          418KB

          MD5

          0099a99f5ffb3c3ae78af0084136fab3

          SHA1

          0205a065728a9ec1133e8a372b1e3864df776e8c

          SHA256

          919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

          SHA512

          5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe
          Filesize

          443KB

          MD5

          f9a326be924c06ed9629a7ee3f4a1285

          SHA1

          6a880cb1e65cf267b81f67dc03641d14f8ce86f3

          SHA256

          a61fec43ebc4191c3c62278f5255585cf3e2c53b86f8be1c05514c60d328c240

          SHA512

          3294c9a5fca715ee0ca344ff11ec7cdc38a85e0242d6e205434bda48125b53d2ccfb5d3e614d67d4859fca03e4e147bc9e503da86ce31d663c7e596fe7fa44df

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe
          Filesize

          299KB

          MD5

          ae74721b00f375a92786771bc679ff83

          SHA1

          99be208e5bfc40d91bccfbad773cd7a203732c3b

          SHA256

          97cbe424b392124b7059e772604446f7ecc3a259e2aa8e4ea2cc1bb598b8e645

          SHA512

          a4b2cd1ccf4a193e4130ba30e6f6dd584c47904aeb3d421ca98fb2c07f5f975f1f58c75dbbcb1a7c95b6c95a9537062556673c3f7a4e2db334e7255e9b33d730

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\u3ak.0.exe
          Filesize

          299KB

          MD5

          bf81c7e629eaa2c4a995c9945b98a933

          SHA1

          145f783f7ea60f1a759dcd2fcc8cb501dac868df

          SHA256

          7ec38e1e46dbe3557ac9e7dadf0c1adf7e189f2ab820df7f6e08443b5333b1c5

          SHA512

          fcf7bd1ac1da2e3ce8199cfc462c589f5e303744dfa29eebf4a24e526db3a23221cc8d2198a33af7ab7115e9b5b00f11a6e33e889710536d9e1e4e15ac66d399

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\u3ak.1.exe
          Filesize

          1.7MB

          MD5

          eee5ddcffbed16222cac0a1b4e2e466e

          SHA1

          28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

          SHA256

          2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

          SHA512

          8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

          Download Submit
        • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
          Filesize

          109KB

          MD5

          726cd06231883a159ec1ce28dd538699

          SHA1

          404897e6a133d255ad5a9c26ac6414d7134285a2

          SHA256

          12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

          SHA512

          9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

          Download Submit
        • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
          Filesize

          736KB

          MD5

          96a86e8433777891641beed196db7954

          SHA1

          9121e015b7416b51b786e1ab70c2fed2e5b14bb6

          SHA256

          45843c356dbafa448b50b6297230d8f2d97d7bd6605c4c18cfddd6051f844fbe

          SHA512

          09168b99ad3951aab13683eb2b13246f95bf65810d38d30ca96b5e562bd0415d6d50e214cfae93ad5fd6e1362a7f04d71bdba1a1c1b6e703455c2a8326ca0b5c

          Download Submit
        • memory/516-235-0x0000000000A30000-0x0000000000A31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/516-234-0x0000000000400000-0x0000000000930000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/1380-24-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-111-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-27-0x00000000052E0000-0x00000000052E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1380-25-0x00000000052F0000-0x00000000052F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1380-22-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-33-0x0000000005340000-0x0000000005341000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1380-32-0x0000000005350000-0x0000000005351000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1380-92-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-162-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-30-0x00000000052D0000-0x00000000052D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1380-184-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-132-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-31-0x0000000005320000-0x0000000005321000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1380-29-0x00000000052C0000-0x00000000052C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1380-107-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-104-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-28-0x0000000005330000-0x0000000005331000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1380-44-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-45-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-46-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-47-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-48-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-49-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-50-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-80-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1380-26-0x0000000005300000-0x0000000005301000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1656-54-0x00000000052C0000-0x00000000052C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1656-55-0x00000000052B0000-0x00000000052B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1656-53-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1656-56-0x00000000052F0000-0x00000000052F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1656-57-0x0000000005280000-0x0000000005281000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1656-59-0x0000000005290000-0x0000000005291000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1656-58-0x00000000052A0000-0x00000000052A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1656-60-0x00000000052E0000-0x00000000052E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1656-61-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/1656-52-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/2624-203-0x0000000000C80000-0x0000000000D80000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2624-220-0x0000000000400000-0x0000000000AF5000-memory.dmp
          Filesize

          7.0MB

          Download
        • memory/2624-205-0x0000000000400000-0x0000000000AF5000-memory.dmp
          Filesize

          7.0MB

          Download
        • memory/2624-204-0x0000000000C60000-0x0000000000C6B000-memory.dmp
          Filesize

          44KB

          Download
        • memory/3088-139-0x0000000004F00000-0x0000000004F01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3088-138-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/3088-143-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3088-144-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3088-142-0x0000000004F30000-0x0000000004F31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3088-137-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/3088-140-0x0000000004F10000-0x0000000004F11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3088-145-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/3088-141-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3364-219-0x0000000002570000-0x0000000002586000-memory.dmp
          Filesize

          88KB

          Download
        • memory/3692-108-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3692-112-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3692-106-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3692-82-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3692-133-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3692-105-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3692-163-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3692-202-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3692-93-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3692-81-0x00000000001C0000-0x0000000000563000-memory.dmp
          Filesize

          3.6MB

          Download
        • memory/3888-8-0x0000000005380000-0x0000000005381000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3888-9-0x0000000005400000-0x0000000005401000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3888-0-0x0000000000F30000-0x00000000013E3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/3888-6-0x0000000005370000-0x0000000005371000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3888-4-0x00000000053B0000-0x00000000053B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3888-7-0x0000000005390000-0x0000000005391000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3888-2-0x0000000000F30000-0x00000000013E3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/3888-5-0x00000000053D0000-0x00000000053D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3888-21-0x0000000000F30000-0x00000000013E3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/3888-3-0x00000000053A0000-0x00000000053A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3888-1-0x00000000772A4000-0x00000000772A6000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3888-10-0x00000000053F0000-0x00000000053F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4256-37-0x00000000052F0000-0x00000000052F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4256-41-0x00000000052C0000-0x00000000052C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4256-43-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/4256-42-0x00000000052D0000-0x00000000052D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4256-35-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/4256-36-0x0000000000920000-0x0000000000DD3000-memory.dmp
          Filesize

          4.7MB

          Download
        • memory/4256-38-0x0000000005300000-0x0000000005301000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4256-40-0x0000000005320000-0x0000000005321000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4256-39-0x00000000052E0000-0x00000000052E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4268-218-0x0000000000400000-0x0000000000B18000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/4268-183-0x0000000000400000-0x0000000000B18000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/4268-181-0x0000000000B50000-0x0000000000C50000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/4268-182-0x00000000027D0000-0x000000000283E000-memory.dmp
          Filesize

          440KB

          Download
        • memory/4268-236-0x0000000000400000-0x0000000000B18000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/4680-217-0x0000000000400000-0x0000000000AF5000-memory.dmp
          Filesize

          7.0MB

          Download
        • memory/4680-215-0x0000000000E10000-0x0000000000F10000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/4680-216-0x0000000000D60000-0x0000000000D87000-memory.dmp
          Filesize

          156KB

          Download