djvu | 1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675

Analysis

max time kernel
52s
max time network
112s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe
Size

261KB
MD5

4fecc825a08f3c09a103e99df20c8dde
SHA1

0e14b4d5cbf637ae940b32d038d5a574021d22c1
SHA256

1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675
SHA512

31daf45d526889f8dfa8d425719c7a905a8371804018dcd5d8d4c339c3c4b23f10896346391ba419f7c25f82775e73e96a211124e829b02aa0f58cefa52d8c21
SSDEEP

6144:qI1PkisrsB8kz3z8XJHIsORQKWTUwaOvkSbRBTw:R8Xr2FveGsORQKW1ag79l

Score

10^/10

djvu redline smokeloader logsdiller cloud (tg: @logsdillabot)pub1 backdoor discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Signatures

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4464-21-0x0000000002970000-0x0000000002A8B000-memory.dmp	family_djvu
behavioral2/memory/4684-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4684-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4684-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4684-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4684-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1292-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1292-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1292-47-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4596-71-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

3236
Executes dropped EXE 6 IoCs

Processes:

E129.exeE129.exeE129.exeE129.exeEE79.exe3B42.exe

pid process

4464 E129.exe
4684 E129.exe
2156 E129.exe
1292 E129.exe
1632 EE79.exe
4932 3B42.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1924 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3236

pid	process
4464	E129.exe
4684	E129.exe
2156	E129.exe
1292	E129.exe
1632	EE79.exe
4932	3B42.exe

pid	process
1924	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

E129.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f8e3e1eb-3762-4de8-9e3b-d529d784cf28\\E129.exe\" --AutoStart"	E129.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
5 api.2ip.ua

flow	ioc
1	api.2ip.ua
5	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

E129.exeE129.exeEE79.exe

description	pid	process	target process
PID 4464 set thread context of 4684	4464	E129.exe	E129.exe
PID 2156 set thread context of 1292	2156	E129.exe	E129.exe
PID 1632 set thread context of 4596	1632	EE79.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4444 1292 WerFault.exe E129.exe
1592 1632 WerFault.exe EE79.exe

pid	pid_target	process	target process
4444	1292	WerFault.exe	E129.exe
1592	1632	WerFault.exe	EE79.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe

pid	process
3416	1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe
3416	1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236
3236

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe

pid process

3416 1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

EE79.exeRegAsm.exe

description	pid	process
Token: SeShutdownPrivilege	3236
Token: SeCreatePagefilePrivilege	3236
Token: SeShutdownPrivilege	3236
Token: SeCreatePagefilePrivilege	3236
Token: SeShutdownPrivilege	3236
Token: SeCreatePagefilePrivilege	3236
Token: SeShutdownPrivilege	3236
Token: SeCreatePagefilePrivilege	3236
Token: SeShutdownPrivilege	3236
Token: SeCreatePagefilePrivilege	3236
Token: SeDebugPrivilege	1632	EE79.exe
Token: SeShutdownPrivilege	3236
Token: SeCreatePagefilePrivilege	3236
Token: SeShutdownPrivilege	3236
Token: SeCreatePagefilePrivilege	3236
Token: SeShutdownPrivilege	3236
Token: SeCreatePagefilePrivilege	3236
Token: SeShutdownPrivilege	3236
Token: SeCreatePagefilePrivilege	3236
Token: SeDebugPrivilege	4596	RegAsm.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

cmd.exeE129.exeE129.exeE129.exeEE79.exe

description	pid	process	target process
PID 3236 wrote to memory of 700	3236		cmd.exe
PID 3236 wrote to memory of 700	3236		cmd.exe
PID 700 wrote to memory of 2076	700	cmd.exe	reg.exe
PID 700 wrote to memory of 2076	700	cmd.exe	reg.exe
PID 3236 wrote to memory of 4464	3236		E129.exe
PID 3236 wrote to memory of 4464	3236		E129.exe
PID 3236 wrote to memory of 4464	3236		E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4464 wrote to memory of 4684	4464	E129.exe	E129.exe
PID 4684 wrote to memory of 1924	4684	E129.exe	icacls.exe
PID 4684 wrote to memory of 1924	4684	E129.exe	icacls.exe
PID 4684 wrote to memory of 1924	4684	E129.exe	icacls.exe
PID 4684 wrote to memory of 2156	4684	E129.exe	E129.exe
PID 4684 wrote to memory of 2156	4684	E129.exe	E129.exe
PID 4684 wrote to memory of 2156	4684	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 2156 wrote to memory of 1292	2156	E129.exe	E129.exe
PID 3236 wrote to memory of 1632	3236		EE79.exe
PID 3236 wrote to memory of 1632	3236		EE79.exe
PID 3236 wrote to memory of 1632	3236		EE79.exe
PID 1632 wrote to memory of 4596	1632	EE79.exe	RegAsm.exe
PID 1632 wrote to memory of 4596	1632	EE79.exe	RegAsm.exe
PID 1632 wrote to memory of 4596	1632	EE79.exe	RegAsm.exe
PID 1632 wrote to memory of 4596	1632	EE79.exe	RegAsm.exe
PID 1632 wrote to memory of 4596	1632	EE79.exe	RegAsm.exe
PID 1632 wrote to memory of 4596	1632	EE79.exe	RegAsm.exe
PID 1632 wrote to memory of 4596	1632	EE79.exe	RegAsm.exe
PID 1632 wrote to memory of 4596	1632	EE79.exe	RegAsm.exe
PID 3236 wrote to memory of 4932	3236		3B42.exe
PID 3236 wrote to memory of 4932	3236		3B42.exe
PID 3236 wrote to memory of 4932	3236		3B42.exe

C:\Users\Admin\AppData\Local\Temp\1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe
"C:\Users\Admin\AppData\Local\Temp\1e806ede096943b172b442cff2a7b76cccb4555067757fff5a37949b524fc675.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCD5.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\E129.exe
C:\Users\Admin\AppData\Local\Temp\E129.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Temp\E129.exe
C:\Users\Admin\AppData\Local\Temp\E129.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f8e3e1eb-3762-4de8-9e3b-d529d784cf28" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1924

C:\Users\Admin\AppData\Local\Temp\E129.exe
"C:\Users\Admin\AppData\Local\Temp\E129.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\E129.exe
"C:\Users\Admin\AppData\Local\Temp\E129.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 600
5⤵
- Program crash
PID:4444

C:\Users\Admin\AppData\Local\Temp\EE79.exe
C:\Users\Admin\AppData\Local\Temp\EE79.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 840
2⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1292 -ip 1292
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1632 -ip 1632
1⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3B42.exe
C:\Users\Admin\AppData\Local\Temp\3B42.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3E31.bat" "
1⤵
PID:4976

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3B42.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCD5.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\E129.exe
Filesize
759KB

MD5
8fc47a2e0522045212012582f2a93237

SHA1
1d32e4ca7f3dba186a6b51c8b6b3d35fc33d76a4

SHA256
3446214e3bc72a5c67cdc3caed85f1611133fe4dad33fc398ab6d4402d3aa20c

SHA512
c6c35796ab378aff8437da960675d45c189eb09546cdfc8a5701be7275004b2d13fd38f695f92f17a783697236c054a7e64da9ea771e233dbcb1c6abb0cd52ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE79.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
memory/1292-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1292-47-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1292-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1632-65-0x0000000000010000-0x0000000000074000-memory.dmp

Filesize
400KB

Download
memory/1632-66-0x00000000740A0000-0x0000000074851000-memory.dmp

Filesize
7.7MB

Download
memory/1632-67-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/1632-81-0x00000000740A0000-0x0000000074851000-memory.dmp

Filesize
7.7MB

Download
memory/1632-74-0x00000000025C0000-0x00000000045C0000-memory.dmp

Filesize
32.0MB

Download
memory/1632-68-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2156-41-0x0000000002730000-0x00000000027CC000-memory.dmp

Filesize
624KB

Download
memory/3236-4-0x0000000000D10000-0x0000000000D26000-memory.dmp

Filesize
88KB

Download
memory/3416-5-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/3416-3-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/3416-2-0x00000000027F0000-0x00000000027FB000-memory.dmp

Filesize
44KB

Download
memory/3416-1-0x0000000000CA0000-0x0000000000DA0000-memory.dmp

Filesize
1024KB

Download
memory/4464-21-0x0000000002970000-0x0000000002A8B000-memory.dmp

Filesize
1.1MB

Download
memory/4464-20-0x0000000002760000-0x00000000027FB000-memory.dmp

Filesize
620KB

Download
memory/4596-83-0x0000000005430000-0x000000000553A000-memory.dmp

Filesize
1.0MB

Download
memory/4596-78-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/4596-84-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/4596-86-0x00000000053D0000-0x000000000541C000-memory.dmp

Filesize
304KB

Download
memory/4596-85-0x0000000005380000-0x00000000053BC000-memory.dmp

Filesize
240KB

Download
memory/4596-79-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4596-80-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/4596-118-0x00000000740A0000-0x0000000074851000-memory.dmp

Filesize
7.7MB

Download
memory/4596-82-0x0000000006240000-0x0000000006858000-memory.dmp

Filesize
6.1MB

Download
memory/4596-97-0x0000000008270000-0x000000000879C000-memory.dmp

Filesize
5.2MB

Download
memory/4596-96-0x0000000007B70000-0x0000000007D32000-memory.dmp

Filesize
1.8MB

Download
memory/4596-73-0x0000000005670000-0x0000000005C16000-memory.dmp

Filesize
5.6MB

Download
memory/4596-75-0x00000000740A0000-0x0000000074851000-memory.dmp

Filesize
7.7MB

Download
memory/4596-87-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4596-88-0x0000000006CB0000-0x0000000006D00000-memory.dmp

Filesize
320KB

Download
memory/4596-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4684-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4684-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4684-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4684-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4684-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4932-104-0x0000000001920000-0x0000000001921000-memory.dmp

Filesize
4KB

Download
memory/4932-127-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-106-0x00000000019A0000-0x00000000019A1000-memory.dmp

Filesize
4KB

Download
memory/4932-108-0x00000000006F0000-0x00000000013D5000-memory.dmp

Filesize
12.9MB

Download
memory/4932-109-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/4932-107-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/4932-110-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/4932-112-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/4932-113-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/4932-114-0x0000000003670000-0x00000000036B0000-memory.dmp

Filesize
256KB

Download
memory/4932-116-0x0000000003670000-0x00000000036B0000-memory.dmp

Filesize
256KB

Download
memory/4932-117-0x0000000003670000-0x00000000036B0000-memory.dmp

Filesize
256KB

Download
memory/4932-115-0x0000000003670000-0x00000000036B0000-memory.dmp

Filesize
256KB

Download
memory/4932-99-0x00000000006F0000-0x00000000013D5000-memory.dmp

Filesize
12.9MB

Download
memory/4932-119-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-120-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-121-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-122-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-124-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-125-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-126-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-105-0x0000000001990000-0x0000000001991000-memory.dmp

Filesize
4KB

Download
memory/4932-128-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-129-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-130-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-131-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-132-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-133-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-134-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-135-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-136-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-138-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-139-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-141-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-142-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-143-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-145-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-147-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-146-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-144-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-140-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-137-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download
memory/4932-123-0x0000000004190000-0x0000000004290000-memory.dmp

Filesize
1024KB

Download