meduza | b08b16fefd49c0780b9d875455ebd57d69e4c38a9bc0fd3d22fddf1decd8613e

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Last_Update.zip
Size

115.1MB
MD5

b77f2704c0b2d688d8d261ba9529ebe4
SHA1

da100b659aa3c02468ff48a1417e168e4fc5513f
SHA256

83cb8837a462f00a5d0e8327ff13c70eaa1f500d16dadacbdad79c7f21691c01
SHA512

d78154c6e09e789c98c1a29ff55aafbbc49f6baf77b5a1f220b48cf85f5603e1175d0c9f6ceb00598b7d49bd896b0202521e80f1349a3cdea2abd9375f26941d
SSDEEP

3145728:PEZRDJf7jLrjWKrpbT9XmdBCohjY/J2JCiC2ZKbKIsFfsfgSw6:PEZRhWKrZx+hjSJF2s25NsISN

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Santa
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 41 IoCs

resource	yara_rule
behavioral2/memory/3428-414-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-415-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-411-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-421-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-420-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-417-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-416-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-410-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-409-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-408-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-429-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-428-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-432-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-433-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-435-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-440-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-482-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-476-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-475-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-472-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-494-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-493-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-490-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-489-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-469-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-464-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-458-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-457-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-454-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-452-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-451-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-446-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-441-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-481-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-470-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-463-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-436-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-439-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-448-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-445-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza
behavioral2/memory/3428-442-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp	family_meduza

Meduza family
meduza
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 3 IoCs

pid	Process
5024	Cheat.exe
3428	setup.exe
2812	Cheat.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	api.ipify.org
40	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5024	Cheat.exe
3428	setup.exe
3428	setup.exe
2812	Cheat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4872	7zFM.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeRestorePrivilege	4872	7zFM.exe
Token: 35	4872	7zFM.exe
Token: SeSecurityPrivilege	4872	7zFM.exe
Token: SeDebugPrivilege	5024	Cheat.exe
Token: SeDebugPrivilege	3428	setup.exe
Token: SeImpersonatePrivilege	3428	setup.exe
Token: SeIncreaseQuotaPrivilege	5024	Cheat.exe
Token: SeSecurityPrivilege	5024	Cheat.exe
Token: SeTakeOwnershipPrivilege	5024	Cheat.exe
Token: SeLoadDriverPrivilege	5024	Cheat.exe
Token: SeSystemProfilePrivilege	5024	Cheat.exe
Token: SeSystemtimePrivilege	5024	Cheat.exe
Token: SeProfSingleProcessPrivilege	5024	Cheat.exe
Token: SeIncBasePriorityPrivilege	5024	Cheat.exe
Token: SeCreatePagefilePrivilege	5024	Cheat.exe
Token: SeBackupPrivilege	5024	Cheat.exe
Token: SeRestorePrivilege	5024	Cheat.exe
Token: SeShutdownPrivilege	5024	Cheat.exe
Token: SeDebugPrivilege	5024	Cheat.exe
Token: SeSystemEnvironmentPrivilege	5024	Cheat.exe
Token: SeRemoteShutdownPrivilege	5024	Cheat.exe
Token: SeUndockPrivilege	5024	Cheat.exe
Token: SeManageVolumePrivilege	5024	Cheat.exe
Token: 33	5024	Cheat.exe
Token: 34	5024	Cheat.exe
Token: 35	5024	Cheat.exe
Token: 36	5024	Cheat.exe
Token: SeDebugPrivilege	2812	Cheat.exe
Token: SeIncreaseQuotaPrivilege	2812	Cheat.exe
Token: SeSecurityPrivilege	2812	Cheat.exe
Token: SeTakeOwnershipPrivilege	2812	Cheat.exe
Token: SeLoadDriverPrivilege	2812	Cheat.exe
Token: SeSystemProfilePrivilege	2812	Cheat.exe
Token: SeSystemtimePrivilege	2812	Cheat.exe
Token: SeProfSingleProcessPrivilege	2812	Cheat.exe
Token: SeIncBasePriorityPrivilege	2812	Cheat.exe
Token: SeCreatePagefilePrivilege	2812	Cheat.exe
Token: SeBackupPrivilege	2812	Cheat.exe
Token: SeRestorePrivilege	2812	Cheat.exe
Token: SeShutdownPrivilege	2812	Cheat.exe
Token: SeDebugPrivilege	2812	Cheat.exe
Token: SeSystemEnvironmentPrivilege	2812	Cheat.exe
Token: SeRemoteShutdownPrivilege	2812	Cheat.exe
Token: SeUndockPrivilege	2812	Cheat.exe
Token: SeManageVolumePrivilege	2812	Cheat.exe
Token: 33	2812	Cheat.exe
Token: 34	2812	Cheat.exe
Token: 35	2812	Cheat.exe
Token: 36	2812	Cheat.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4872	7zFM.exe
4872	7zFM.exe
4872	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3428	setup.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3428	5024	Cheat.exe	92
PID 5024 wrote to memory of 3428	5024	Cheat.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Last_Update.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4872

C:\Users\Admin\Desktop\Cheat.exe
"C:\Users\Admin\Desktop\Cheat.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:3428

C:\Users\Admin\Desktop\Cheat.exe
"C:\Users\Admin\Desktop\Cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Cheat.exe.log

Filesize
4KB

MD5
b87272f76ea9b9af385c741368d0642b

SHA1
71d3fb857ce073df5af74e07f2b6f40a931bcb40

SHA256
2ce934bde9b37b4aaa20431ef2ea9da7d437704351e552498b2f1fb789ba31d7

SHA512
4cf30fd459caa546cbeeaa578831c5d4bdd8e90e08e1123c362266f6453d4265d1ff8c5cad2ae742b5c7a58a04bb75cbf98a26118ffde81f7195e168e8661de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8035CD18\Key_File\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8035CD18\Local_DB\Binn_DB\Resources\ru-RU\SqlUserInstance.dll

Filesize
150KB

MD5
423671a408eedd5e51f4d4f6a3de4589

SHA1
7a96a2c6e2381e78bdd152e3caef75146460f488

SHA256
b62fab3be134e7765720c0eb579be5a65ae719771b1e39c14ac39958d554b90e

SHA512
4e9aa8c9ff248d4ec86d79b8515dbe51fa30aa5b28124a2c1872270c30e7887c1d49c573116237f393c29ef431b97110212fdac9d3a27134b6effdc5d373c11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mi0fgwr2.frl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
2.6MB

MD5
d17b18e5820ddb3e2515fa0562ab484e

SHA1
1dcb957dd975882a595f0c6475e0ddde5b44b6ed

SHA256
824b69c0796a480763a9d5c49154060c2f39c1782714b4b1054e715b49dd1489

SHA512
7342e4a58814d281a55704dffad23250a17928eaf0c171d2fb8c95320c413f3dc84c5f0a3486bff0fdbee26b6b4c2ec25199185467949e60cf59bdec677f1438

Download Submit
C:\Users\Admin\Desktop\DAC_DB\bin\Redist_DACFramework.txt

Filesize
18B

MD5
1f2cb924ab7c6c964d77c6a61098ff57

SHA1
efa42f9dc9d3c95179613c1afabd7906e86d4a42

SHA256
16f191e6355d32099b7f25945270f621bef6f92b3e5c1da178bc21e60912b470

SHA512
7aa55921af23ae4b9456cd3317391c8d8b927e266ef41a0e41c89a68798d7c53c62f730ee71977f3d465be3c8510a68e5ebabde73ea183b4c94af867daa209a7

Download Submit
C:\Users\Admin\Desktop\DAC_DB\bin\en\License_DACFx.txt

Filesize
13KB

MD5
5331bac43e1da20a9cf5b9bd4ee4f83a

SHA1
83f5cd92320abc367e4215f98c78ecaedec5f56b

SHA256
fba02491e20b9de7ed50476145904f4a130aa2ad6de15c4e55b63368263f6fe8

SHA512
0806679ecb8c5ea459092cbf7d5b030ed41eb596399f95770f5b4e95b3a70f46b8099c29cbfab292398b0bc03e76b0ad049a29ecb49b7aff81bca84dede4d2a8

Download Submit
C:\Users\Admin\Desktop\License Terms\License_SQLNCLI_ENU.txt

Filesize
13KB

MD5
3666ab3b60d527211ba53203bef9f911

SHA1
f63f946eb36414c845b4faa826379b5d84fd8f11

SHA256
9cfec87cb1fe913126aa50811a09d34f494d9917b2958ed2b9056744aed26a35

SHA512
bb5c4515ae0fbf10094e638ac6ddd033a6c72398ded656e02448aaff77e4c5c936a7584fd66b9838e66edd5b85d0c7de3dd456422c3a0a9348b87d2b24c47eed

Download Submit
C:\Users\Admin\Desktop\SDK\Assemblies\Redist_TSqlLanguageService.txt

Filesize
25B

MD5
975f1a1e9506cb4ecf67908349f93d70

SHA1
b4ef860be2eb4b48beec790fa24aa93e75e526d6

SHA256
b574e73c5c3f65df0099e958fc5b9959738daae7b2b8854e78815ccb08f564a8

SHA512
aee94612c838beed21be31f04482440a0357f5de9d1e426cc7ef0dd2deff9c15a912d19b0e83c10cfbeea044dcdf5b45e582a16e8a0e5027a133c885dde602f0

Download Submit
C:\Users\Admin\Desktop\SDK\Assemblies\ru\License_SMO.txt

Filesize
36KB

MD5
839cdfa87b30840faaa1d05f3f0014b6

SHA1
17c218e688e8c3176869dcab452ca362404f8bc6

SHA256
c53071322a5d6e161ef5105fbb5ee4129a848e0bcb1ecb0dbba11d351ad1cf13

SHA512
ade8eb1e2a1e1dfe3ea7b3f0b7fe28b06e3996a39b4d17164708d434f07967fd8809418ed5a0c4ff1f8b0fe0bc276e8c773e030f361fe9fb09d75e3e2e607550

Download Submit
C:\Users\Admin\Desktop\SDK\Assemblies\ru\License_TSqlLangSvc.txt

Filesize
17KB

MD5
015500391eecb049e857b8b354bb8aa9

SHA1
d4a886b73c656a3aec5e31364281ac1005acfd05

SHA256
80a47b479eaa4807a7a0fad4398b65fa830542802e00b9293660107a091d8aae

SHA512
977aeb8ed179393b0ad06ec08e78edcfb220c60ff123b5bed8b444f102fc8279579cadbc287cd3dc8d29054c7d4f903eafcd6640df251b8de9675b7dc6c17b72

Download Submit
memory/3428-476-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-452-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-410-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-409-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-408-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-406-0x0000025A39ED0000-0x0000025A39ED1000-memory.dmp

Filesize
4KB

Download
memory/3428-405-0x00007FFE0FC50000-0x00007FFE0FE45000-memory.dmp

Filesize
2.0MB

Download
memory/3428-429-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-428-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-432-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-433-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-435-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-414-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-442-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-445-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-448-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-439-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-440-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-482-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-417-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-475-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-472-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-494-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-493-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-490-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-489-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-420-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-421-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-436-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-463-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-411-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-415-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-469-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-464-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-458-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-457-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-454-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-416-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-451-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-446-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-441-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-481-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/3428-470-0x0000025A3B8D0000-0x0000025A3BACA000-memory.dmp

Filesize
2.0MB

Download
memory/5024-382-0x00007FFDEFC13000-0x00007FFDEFC15000-memory.dmp

Filesize
8KB

Download
memory/5024-383-0x000001FEACA50000-0x000001FEADA50000-memory.dmp

Filesize
16.0MB

Download
memory/5024-434-0x00007FFDEFC10000-0x00007FFDF06D1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-396-0x00007FFDEFC13000-0x00007FFDEFC15000-memory.dmp

Filesize
8KB

Download
memory/5024-395-0x000001FED6940000-0x000001FED6962000-memory.dmp

Filesize
136KB

Download
memory/5024-385-0x00007FFDEFC10000-0x00007FFDF06D1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-495-0x00007FFDEFC10000-0x00007FFDF06D1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-497-0x00007FFDEFC10000-0x00007FFDF06D1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-384-0x00007FFDEFC10000-0x00007FFDF06D1000-memory.dmp

Filesize
10.8MB

Download