Overview

overview

10

Static

static

3

Shade.zip

windows11-21h2-x64

10

inf.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1798s
  • max time network
    1597s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-05-2024 19:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shade.zip

  • Size

    905KB

  • MD5

    d2692ae162eaa709fc51d353584f07f0

  • SHA1

    5a7ab325fd4662483a74e020249ab73f3557970f

  • SHA256

    23aa29c51dfaab97c07c2b1f9e61c9aabd1a8db97750ec1864b42cd2184710be

  • SHA512

    98a6b721b976320add77c4f2671c052dae38b36b420c23b60572d569ecad173a9ac0e616f6438b94d030ec64309f869bee6d8cfb786bff737802275003fbedb0

  • SSDEEP

    24576:5/Y3yTr4rFBZQ6ywN/9b5wYzaoXoUTBy8uUUSH:bCZ/Z9bpzL4Uly8TH

Score
10/10
troldeshdefense_evasionexecutionimpactpersistenceransomwaretrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 54 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 61 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Shade.zip
    1⤵
      PID:3572
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2996
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
          PID:2364
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
          1⤵
            PID:1172
          • C:\Windows\SysWOW64\Taskmgr.exe
            "C:\Windows\SysWOW64\Taskmgr.exe"
            1⤵
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:4360
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1368
              2⤵
              • Program crash
              PID:2012
          • C:\Users\Admin\Desktop\inf.exe
            "C:\Users\Admin\Desktop\inf.exe"
            1⤵
            • Adds Run key to start application
            • Enumerates connected drives
            • Sets desktop wallpaper using registry
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: RenamesItself
            • Suspicious use of WriteProcessMemory
            PID:4020
            • C:\Windows\system32\vssadmin.exe
              C:\Windows\system32\vssadmin.exe List Shadows
              2⤵
              • Interacts with shadow copies
              PID:4600
            • C:\Windows\system32\vssadmin.exe
              C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
              2⤵
              • Interacts with shadow copies
              PID:3856
            • C:\Windows\system32\vssadmin.exe
              C:\Windows\system32\vssadmin.exe List Shadows
              2⤵
              • Interacts with shadow copies
              PID:4588
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1664
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Modifies Installed Components in the registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            PID:4960
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4360 -ip 4360
            1⤵
              PID:2600
            • C:\Windows\system32\sihost.exe
              sihost.exe
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:912
              • C:\Windows\explorer.exe
                explorer.exe /LOADSAVEDWINDOWS
                2⤵
                • Modifies Installed Components in the registry
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:2816
            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
              1⤵
              • Enumerates system info in registry
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4452
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:2360

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Windows Management Instrumentation

            1
            T1047

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            2
            T1547.001

            Privilege Escalation

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            2
            T1547.001

            Defense Evasion

            Indicator Removal

            2
            T1070

            File Deletion

            2
            T1070.004

            Modify Registry

            4
            T1112

            Credential Access

            Discovery

            Query Registry

            5
            T1012

            Peripheral Device Discovery

            2
            T1120

            System Information Discovery

            4
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Inhibit System Recovery

            2
            T1490

            Defacement

            1
            T1491

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\$Recycle.Bin\S-1-5-21-3938118698-2964058152-2337880935-1000\$I3C2NK8.zip
              Filesize

              512B

              MD5

              3852b11d34d914c0826c00a19581467f

              SHA1

              0bb505153e505a2186585d5acb30fc3c7dfa7147

              SHA256

              c72730d58138c87df03920c71b6d45e69bb51b116181056b87abeaaac441da31

              SHA512

              c5945b715c501646eaf8f1ac84f95b44278904caa56b1ad4d9091b4d39924197c537ee3a182b69272df5ee43435240bbf10ee762d4870775806814756b552b95

              Download Submit
            • C:\$Recycle.Bin\S-1-5-21-3938118698-2964058152-2337880935-1000\$R3C2NK8.zip
              Filesize

              906KB

              MD5

              22e02762edebccfae8b19542f5980e14

              SHA1

              92a56b6663fc06d8580e93350b296ff9515bc48a

              SHA256

              c5090a26bc5d4e694631b0a61b40cd93abe1e2bd86812c8d375a01063aa9686b

              SHA512

              4f4ae8dd1e5989dcaeb9ce8eafa6e33f442db1eedded65ddd616c4c83d180436ec6f80e3552dce2536adcd8c150cba6cf3f5718e804297e78f9a8cc9fd66b0d0

              Download Submit
            • C:\ProgramData\System32\xfs
              Filesize

              267KB

              MD5

              03517e4de9329d794e00c9bfc878624f

              SHA1

              a05eabd606bc2cefd5a0ca7a4f2b2544668b781d

              SHA256

              8c219e08918dcb1e96a7c0da6e17eb75ab592b78121d033df40d47ba039b1c55

              SHA512

              7e9450b9782f198baa10db6b175541d8eafbc90866ffd1779555362405c16ba37c09367df54452745160009519e6c1bb31ba63348de5fbf9b66acfd19585bc36

              Download Submit
            • C:\ProgramData\Windows\csrss.exe
              Filesize

              1.3MB

              MD5

              73dea1a75637e14f6fcd012fe2815636

              SHA1

              f1edca0d6464b76bc4956352571d8941c02d2c4e

              SHA256

              fd03dd58aa7cb5236f4df8cde3fb07af304c6f402cd48b86eefcecb8e7b86883

              SHA512

              f6dc462194037a5c4e0b186088f1fd75befe4cb88bf1dcc7477987951332fc18f8aa66389d567e01677990b022fea6849a66a24510027794e12e2a517edde8d0

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
              Filesize

              24B

              MD5

              419a089e66b9e18ada06c459b000cb4d

              SHA1

              ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a

              SHA256

              c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424

              SHA512

              bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
              Filesize

              1024KB

              MD5

              d500e1110be0a7bc4dc90061fd99ff54

              SHA1

              311b1cb42082f959eba909a2e27a1ce809519ae1

              SHA256

              0c5e3e297baf54859b200958ef5160c2a01443e48b9133b99b50247f656b2abd

              SHA512

              3ab80eb94262e9b1dd88787f2f1a30f2ee5b2b35762784659bea65c39911836cfaf31f48ee8d47fb5d3c49184b154f88befb0fea9432fe89228cc4a0ffb3f95f

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
              Filesize

              1024KB

              MD5

              2c4566944fbb1ee590aed9cb406485dc

              SHA1

              4f03371a6f81dabd0b72b7b8364129188f902f9a

              SHA256

              7ed6711ec5edcad955f1032d1b364ca66132515f9290184dff22c8f3677e2f1c

              SHA512

              339f631260614c5687314107b9e286bd92723b5681d1cf04d4f0d3a57e62e319a472960651135f832340c9d6ee03af702b8ecb322cc9e0567ab15c01dd5b44aa

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
              Filesize

              24B

              MD5

              ae6fbded57f9f7d048b95468ddee47ca

              SHA1

              c4473ea845be2fb5d28a61efd72f19d74d5fc82e

              SHA256

              d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

              SHA512

              f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
              Filesize

              7KB

              MD5

              5e654a5b94d8bd3712cc361adf122482

              SHA1

              1f89fee499995d781342e92250eed407e33f14a2

              SHA256

              93013c9daba885c1283a51c5f0ea20436407770237f8b90ebd95ab60ccf26366

              SHA512

              4827ce70cd580120360b10bee39cdd91116f1c37cb6801e92fbad78beb7c4f0bfdfde4ced7e01891f92b5c54731e5862f17d74e58a0ff87d8dd354a2bf21d32f

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
              Filesize

              7KB

              MD5

              444a7a13f7482d4b98158779bce897d6

              SHA1

              e43c051baab192ce10c4feb181eda5eeb35d7af1

              SHA256

              b31d33762e37c5a9b833ce46af65b1f45a92e1024f657fa885af03ccd5bdbc35

              SHA512

              8a69a09c757054b106541188702e315e0144addf9fbfaa85fd4d5ff36c8523ca715f495a509a58e1340f8f9de78e3eab942f3bc178aaa7a871d49e7f4e445db4

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
              Filesize

              7KB

              MD5

              a30c581b60e9f880807b08aa95cc231e

              SHA1

              c111f5b26beaaa99d8e3229a4e158a6f643e8a58

              SHA256

              24dab9292b325f3ef4501d3f0c54d868f1c7f4a8ed44fd6307cd7920a7884226

              SHA512

              d8093e4eceb5d08c09d411cc91b49a19b6aaf901ff9823c35f2c0d2caa687fcf2d97fab48c669150bcc79e8e8d41b9d08ecb5aed14bec909fe1f3e0a92f70293

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
              Filesize

              10KB

              MD5

              1128fdf49c22e69f8da7e04fe429ee8b

              SHA1

              95bfe37f2a30834fccbaceee09faac1ab4ea286c

              SHA256

              55ad6dbef558277fae40560ff216eace6fb1c67fa66e3664ab1afcf1aa331e59

              SHA512

              7639ddd3aa8d3eb3c1846df2b5f6253e804e4f5092813d603067ac70b0d97370761baf58845ad70bf70a776fb3ad11205031850e551d19cd5e0e25822b3c199a

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
              Filesize

              6KB

              MD5

              3c4ad6ebb334af835d9bef790590952c

              SHA1

              595252ced5d58189ce12c19f882856c133ff5785

              SHA256

              a0fd757de092d1a534e002aca0e0d35fcd2e5d83001ad301e83ef7278be58e56

              SHA512

              a8dd51a64da2b9ab8076dd4243e2efa928563d8239135d47acde7db1f849497be64539385e483e8790d56d611f3294af9151da307f37606ed6a1912cb8d8b515

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3JV2N3YF\www.bing[1].xml
              Filesize

              97B

              MD5

              bbda4563f512ed35b1bdc21d9db16026

              SHA1

              6b444f489960ce526d6a777c72af5ea352f25df8

              SHA256

              fe3fe70d573390397f20f82cd5e40b9833c5c5a02cd8324ec4e2c3fb2260759b

              SHA512

              517bfbf6c44eca7b8f87970f4205bd2a41cfa52e8780227630b52fabec5680c47588efd9c4728f05623c39b148a9dd8798ae9d4b59fd6e5de75efd5785c1f75a

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3JV2N3YF\www.bing[1].xml
              Filesize

              15KB

              MD5

              11ee41c6b62e91177ea1a0e434fa1d12

              SHA1

              29bc3cec511884d3f60397dd70ea05408caf3fdd

              SHA256

              9e9aaca2f21d1c1f9963b6dc272e54109919c21aa22a203e36e88476d085e08c

              SHA512

              4a8241f69b2ecccb81282d875e9b284ad2526d50080362a0d229f0c1231c9bfd0d31b9b8f12514ac7618ebc53fadce95c86daa6f7204ab60f31faea11354d7a9

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133605354943775460.txt
              Filesize

              2KB

              MD5

              65d939ef67bf440d30c8dee4eebe4890

              SHA1

              5aa8c724f2e458d7c7c6fe7bd6daf0f48b13fc40

              SHA256

              e7abcd543a39be760c610fb1cd8a101abfffc6002e47aaf7dea39b31f94a3531

              SHA512

              8237d8dcab2898614b13f052ca540e6f094b7eb4653a110b572967b3fd34c5d29982cb1ada9a4e38702d08cf736c684ae8269aeac55f0fcbcc2d5b04dfbb50e7

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
              Filesize

              2KB

              MD5

              6e0b67c1c5932284626310fbd4537bc8

              SHA1

              1f701f8ec43fb9469fea1ab9f6da87c78b741834

              SHA256

              61c8b077abd6edc5273d878bd152bf09434399429cdd4d991ea6ff079a4dda01

              SHA512

              b269de4dc9c02898f1caea27998e278c38a39a024de88c1b3ef0179df7226dafcdb5e6958ffdeb05c56337638832eb95c8c03bd09d20bc35a4b7e81c6537208f

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
              Filesize

              3KB

              MD5

              33e44493bdd5ce52e38bb636e2c368d4

              SHA1

              a1a0a1bd2883c64f4d5a7c15bea4bc299939f3e3

              SHA256

              3aa0c633c56022bc5b3631d217df97a2e7e07d713c0226b6c1b9c4278acb2491

              SHA512

              7568a2a1a22dbbd7244d176030c74ceaf0b17f52b97733c2fa61d15a5c54fb80c0d0b9f4ad86ad346aa025290e750b31bda2fc83a314b3e99468ccb7142cd615

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt
              Filesize

              846KB

              MD5

              766f5efd9efca73b6dfd0fb3d648639f

              SHA1

              71928a29c3affb9715d92542ef4cf3472e7931fe

              SHA256

              9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

              SHA512

              1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Shade.zip
              Filesize

              905KB

              MD5

              d2692ae162eaa709fc51d353584f07f0

              SHA1

              5a7ab325fd4662483a74e020249ab73f3557970f

              SHA256

              23aa29c51dfaab97c07c2b1f9e61c9aabd1a8db97750ec1864b42cd2184710be

              SHA512

              98a6b721b976320add77c4f2671c052dae38b36b420c23b60572d569ecad173a9ac0e616f6438b94d030ec64309f869bee6d8cfb786bff737802275003fbedb0

              Download Submit
            • memory/4020-56-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-65-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-36-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-37-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-38-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-39-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-40-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-41-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-42-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-43-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-44-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-45-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-46-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-47-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-48-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-49-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-50-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-51-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-52-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-53-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-54-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-55-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-34-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-57-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-58-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-59-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-60-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-61-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-62-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-63-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-64-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-35-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-66-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-67-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-68-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-69-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-70-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-71-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-72-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-73-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-74-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-33-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-30-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-29-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-27-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-26-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-25-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-24-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-15-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-14-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-19-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-17-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-16-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4020-18-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4360-1-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4360-3-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4360-2-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4360-13-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4360-12-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4360-11-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4360-10-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4360-9-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4360-8-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4360-7-0x0000000005D40000-0x0000000005D41000-memory.dmp
              Filesize

              4KB

              Download