Overview

overview

10

Static

static

7

72e1fc6da0...50.exe

windows7-x64

10

72e1fc6da0...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe

  • Size

    21.3MB

  • MD5

    416de11d210ae0ff50214021ff57b32b

  • SHA1

    3142453c18080b83d8dbdeba89524beea1c94ff3

  • SHA256

    72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850

  • SHA512

    e1f061f99e9e4e42c21269a32c9f3cfa711a8a95caf7628637d5606ae7846fc73ae982b0ee78646026c41e5c1e61e21a15829967d2fed534070e3c40e2731e4c

  • SSDEEP

    393216:TYTogFuaMaKQy6SSTMX3q7wLta40K3pNPS4n+yubbcEVPxEV+aqdvx1LB1x8NFN:TYT1Fu/6SSTMq+YK3Hx+3r5Np1FL8NF

Score
10/10
auroraquasarredlinesectopratshurkxmrigcheatthemdasdiscoveryevasionexecutioninfostealerminerpersistenceratspywarestealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

154.81.220.233:28105

Extracted

Family

quasar

Version

1.4.1

Botnet

themdas

C2

auroraforge.art:55326

thesirenmika.com:55713
Mutex

0cbdfe7f-0215-41e8-a7b5-d4fbbc555089

Attributes
  • encryption_key

    A730DFF691ED1723ED88E36A2C5E7ED5CCF91DD1

  • install_name

    up2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

    stealeraurora
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • XMRig Miner payload 11 IoCs
    miner
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Power Settings 1 TTPs 10 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
        "C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
          "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Windows\system32\cmd.exe
              cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Suspicious use of WriteProcessMemory
              PID:2740
              • C:\Windows\system32\PING.EXE
                ping localhost -n 1
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2912
              • C:\Windows\system32\attrib.exe
                attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"
                6⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:2836
              • C:\Windows\system32\icacls.exe
                icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)
                6⤵
                • Modifies file permissions
                PID:2872
              • C:\Windows\system32\cmd.exe
                cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1388
                • C:\Users\Admin\AppData\Local\Msedge.exe
                  C:\Users\Admin\AppData\Local\Msedge.exe
                  7⤵
                  • Executes dropped EXE
                  PID:1252
        • C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2844
        • C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
          "C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'
            4⤵
            • Adds Run key to start application
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2200
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            #cmd
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
        • C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
          "C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2596
        • C:\Users\Admin\AppData\Local\Temp\Aurora.exe
          "C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
          3⤵
          • Executes dropped EXE
          PID:2424
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Power Settings
        PID:300
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:804
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1784
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:924
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:448
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2924
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"
        2⤵
          PID:1140
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          2⤵
          • Power Settings
          PID:980
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-ac 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-dc 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:352
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-ac 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1416
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-dc 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:584
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1192
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:876
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2344
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {13CC630C-48AF-4DFD-9C5F-4F5463C9FE30} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
          1⤵
          • Loads dropped DLL
          PID:908
          • C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
            C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            PID:1688

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Cab1538.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\Tar1605.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit
        • C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
          Filesize

          80KB

          MD5

          65f0a85c4b056d6bcee60c49e2372e35

          SHA1

          6af820a2030950617bf150777af4a43a06a17184

          SHA256

          d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e

          SHA512

          7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z2FCJFND2T29L6YFZ7P3.temp
          Filesize

          7KB

          MD5

          533cdacb2424c7fa2206a5242638b6f7

          SHA1

          7ab0e332ec311316006829f1ca75d38b905eae92

          SHA256

          42e61ac924eef8c34ba386fa2b75c1c46d0aede8370442456a92df342a6e41c6

          SHA512

          3ef996e2ab8d4701a682903276e5b550b80fa2295d60578e0eb11c0dbfbb79007d1d06fc00d475f04d12ce9c8313a17f146cc553d2b0226e49e578f0389f9561

          Download Submit
        • \Users\Admin\AppData\Local\Temp\Aurora.exe
          Filesize

          25.2MB

          MD5

          1504c863a05885816d2c8874137ae7a7

          SHA1

          5b16d440a7e9b5887886549f016f252900b5c0ac

          SHA256

          33fc61e81efa609df51277aef261623bb291e2dd5359362d50070f7a441df0ad

          SHA512

          055d2650ac996443130c05a742bcaabc576dbde29cc21ea956f66132f7e6da8a5771beb9cd51ff2384b2230ebe68990b35d8b14611613db2b8d2764846a487f9

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
          Filesize

          95KB

          MD5

          c9a9d471428a5f92068c0823e6454254

          SHA1

          8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2

          SHA256

          b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5

          SHA512

          ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af

          Download Submit
        • \Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
          Filesize

          3.2MB

          MD5

          3b4f58cd4bca7274be25e885be00798b

          SHA1

          eb57c281d8324a1079db97c9da43483a65debbed

          SHA256

          a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80

          SHA512

          dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121

          Download Submit
        • \Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
          Filesize

          5.6MB

          MD5

          b9fc8581b52abfc6b563da731438e27d

          SHA1

          43111fe9b307c850a379fe2d64d279e994680de3

          SHA256

          e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058

          SHA512

          c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5

          Download Submit
        • memory/448-107-0x0000000002830000-0x0000000002838000-memory.dmp
          Filesize

          32KB

          Download
        • memory/448-106-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/584-121-0x0000000002200000-0x0000000002208000-memory.dmp
          Filesize

          32KB

          Download
        • memory/584-120-0x000000001B530000-0x000000001B812000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/824-2-0x0000000075DC0000-0x0000000075E07000-memory.dmp
          Filesize

          284KB

          Download
        • memory/824-0-0x0000000000990000-0x000000000245A000-memory.dmp
          Filesize

          26.8MB

          Download
        • memory/824-1-0x0000000075DCE000-0x0000000075DCF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/824-54-0x0000000000990000-0x000000000245A000-memory.dmp
          Filesize

          26.8MB

          Download
        • memory/824-50-0x0000000075DC0000-0x0000000075E07000-memory.dmp
          Filesize

          284KB

          Download
        • memory/824-6-0x0000000075DC0000-0x0000000075E07000-memory.dmp
          Filesize

          284KB

          Download
        • memory/876-128-0x0000000140000000-0x0000000140029000-memory.dmp
          Filesize

          164KB

          Download
        • memory/876-132-0x0000000140000000-0x0000000140029000-memory.dmp
          Filesize

          164KB

          Download
        • memory/1688-126-0x000000013FD90000-0x000000014032A000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/1688-114-0x000000013FD90000-0x000000014032A000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/1948-100-0x0000000000400000-0x0000000000724000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1948-93-0x0000000000400000-0x0000000000724000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1948-91-0x0000000000400000-0x0000000000724000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1948-95-0x0000000000400000-0x0000000000724000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1948-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1948-98-0x0000000000400000-0x0000000000724000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1948-99-0x0000000000400000-0x0000000000724000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1948-89-0x0000000000400000-0x0000000000724000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/2344-136-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2344-138-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2344-127-0x0000000000240000-0x0000000000260000-memory.dmp
          Filesize

          128KB

          Download
        • memory/2344-144-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2344-148-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2344-129-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2344-131-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2344-142-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2344-133-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2344-140-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2344-146-0x0000000140000000-0x00000001407EF000-memory.dmp
          Filesize

          7.9MB

          Download
        • memory/2424-84-0x000000013FB20000-0x00000001413EF000-memory.dmp
          Filesize

          24.8MB

          Download
        • memory/2596-101-0x000000013FA60000-0x000000013FFFA000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/2596-110-0x000000013FA60000-0x000000013FFFA000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/2844-31-0x00000000001A0000-0x00000000001BE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2848-32-0x00000000013D0000-0x00000000016FE000-memory.dmp
          Filesize

          3.2MB

          Download