Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2023 19:59

General

  • Target

    7ef92ac88c81b71b2f95eaad23367589f2451be1fe78ce04ebbb8ca96ad43b24.exe

  • Size

    1.0MB

  • MD5

    72d3a2328e718dfb0c2a9f15e7d7cf87

  • SHA1

    caa323f32e0d9a04d49e2c05bd7aa9c6239d07d6

  • SHA256

    7ef92ac88c81b71b2f95eaad23367589f2451be1fe78ce04ebbb8ca96ad43b24

  • SHA512

    0d46b347477e2d9fe43e427ce17b4a2c9455c4538d850b47aa75d86b71927f88a8e3a463156cf33c5fd601446574c2591b023e6488f9f8434018a0a29f593712

  • SSDEEP

    24576:vyWEGvsqOYMwSH46xpcqnoD+9onL2KDkD+NMcfRx:6WEGvsRbH4acq02KDkD+ac5

Malware Config

Extracted

Family

amadey

Version

3.87

C2

77.91.68.18/nice/index.php

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

77.91.124.82:19071

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ef92ac88c81b71b2f95eaad23367589f2451be1fe78ce04ebbb8ca96ad43b24.exe
    "C:\Users\Admin\AppData\Local\Temp\7ef92ac88c81b71b2f95eaad23367589f2451be1fe78ce04ebbb8ca96ad43b24.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3073300.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3073300.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3974541.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3974541.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4792
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5628976.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5628976.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:560
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2771219.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2771219.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4312
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7598702.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7598702.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3172
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3983776.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3983776.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1536
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:3356
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                  8⤵
                  • Creates scheduled task(s)
                  PID:3516
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:688
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    9⤵
                      PID:4128
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "saves.exe" /P "Admin:N"
                      9⤵
                        PID:2644
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "saves.exe" /P "Admin:R" /E
                        9⤵
                          PID:988
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          9⤵
                            PID:5112
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\b40d11255d" /P "Admin:N"
                            9⤵
                              PID:1708
                            • C:\Windows\SysWOW64\cacls.exe
                              CACLS "..\b40d11255d" /P "Admin:R" /E
                              9⤵
                                PID:4436
                            • C:\Windows\SysWOW64\rundll32.exe
                              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                              8⤵
                              • Loads dropped DLL
                              PID:3008
                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7565077.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7565077.exe
                        5⤵
                        • Executes dropped EXE
                        PID:1916
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0291347.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0291347.exe
                      4⤵
                      • Executes dropped EXE
                      PID:4492
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3804
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2708

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3073300.exe

                Filesize

                932KB

                MD5

                8faa7e3680bf63465ef64589f0a32a0d

                SHA1

                4c540b8fb1f982e641b5a536f9adbb3d8e96f9b5

                SHA256

                1b6ad79277fd707ed075eb2220c173645bf8889c84e01662bf67618ccaca59a7

                SHA512

                50ff2bf5c204baadbf70a3ae7695efa46eb44f6f812933030507bfe56989e192efa22eabf03944e1a3b12be077fce184eb958f7ce9d4b9f48da0426b760c6292

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3073300.exe

                Filesize

                932KB

                MD5

                8faa7e3680bf63465ef64589f0a32a0d

                SHA1

                4c540b8fb1f982e641b5a536f9adbb3d8e96f9b5

                SHA256

                1b6ad79277fd707ed075eb2220c173645bf8889c84e01662bf67618ccaca59a7

                SHA512

                50ff2bf5c204baadbf70a3ae7695efa46eb44f6f812933030507bfe56989e192efa22eabf03944e1a3b12be077fce184eb958f7ce9d4b9f48da0426b760c6292

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3974541.exe

                Filesize

                706KB

                MD5

                3d513dd4a298f1a84b98d6411d804386

                SHA1

                6124194c6f6bab00aba8ddab5b96c3c842afab9f

                SHA256

                0f08dc566557478e84e1c24c2d0c413d851750a1ddb7e704eeff3f8708424d30

                SHA512

                1c88a8e8cc3a5d8780f0660ccbce528e3d5202e76f10a7bc87db7b846afdb1339d0a9aee0d00da9157aed3cefe8a43250758606b802813975405587363ce64f3

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3974541.exe

                Filesize

                706KB

                MD5

                3d513dd4a298f1a84b98d6411d804386

                SHA1

                6124194c6f6bab00aba8ddab5b96c3c842afab9f

                SHA256

                0f08dc566557478e84e1c24c2d0c413d851750a1ddb7e704eeff3f8708424d30

                SHA512

                1c88a8e8cc3a5d8780f0660ccbce528e3d5202e76f10a7bc87db7b846afdb1339d0a9aee0d00da9157aed3cefe8a43250758606b802813975405587363ce64f3

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0291347.exe

                Filesize

                174KB

                MD5

                2776edc85d97e8dda2ca5b33a41b06df

                SHA1

                5769a6361ee9f17a4187a6cf9fcdd1849810db93

                SHA256

                4ad0672b1787b2e6995951f7a4610b46eb60f85b582f899b63c05c4b5a91f28b

                SHA512

                9aec75cb84b9a3bd244dcab3109127a2cc03e7ca5a7fbfe64ddc05e2a2aea335c8c335d9245de275ab40c0db3f975c5f72b3809000eb49eb72c9a515e1343533

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0291347.exe

                Filesize

                174KB

                MD5

                2776edc85d97e8dda2ca5b33a41b06df

                SHA1

                5769a6361ee9f17a4187a6cf9fcdd1849810db93

                SHA256

                4ad0672b1787b2e6995951f7a4610b46eb60f85b582f899b63c05c4b5a91f28b

                SHA512

                9aec75cb84b9a3bd244dcab3109127a2cc03e7ca5a7fbfe64ddc05e2a2aea335c8c335d9245de275ab40c0db3f975c5f72b3809000eb49eb72c9a515e1343533

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5628976.exe

                Filesize

                550KB

                MD5

                982556c487b350ad614e5fc53e4a16d6

                SHA1

                1954c6559e83e40c756dcbe1012babe75a34ff23

                SHA256

                ec8d47506d1e68168c76ec75608f521b54c8ba903da498b88a170b8eaa91e40e

                SHA512

                011d636d4cb9ae8e50781ed789e4ec2fa633dc33f8762a8b611def48fdf43c869f978dba8151d846af9a7063d49f0663f73c8626d0cbbfb875dc7e4aba21cff2

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5628976.exe

                Filesize

                550KB

                MD5

                982556c487b350ad614e5fc53e4a16d6

                SHA1

                1954c6559e83e40c756dcbe1012babe75a34ff23

                SHA256

                ec8d47506d1e68168c76ec75608f521b54c8ba903da498b88a170b8eaa91e40e

                SHA512

                011d636d4cb9ae8e50781ed789e4ec2fa633dc33f8762a8b611def48fdf43c869f978dba8151d846af9a7063d49f0663f73c8626d0cbbfb875dc7e4aba21cff2

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7565077.exe

                Filesize

                141KB

                MD5

                57467a39514284c248e7583c59d491a1

                SHA1

                ecd06d8d93b2d9a46b49bc42638e729f088cc7a5

                SHA256

                985e159284013f9325b6ec3d88dd53920cd0e0088f847995fe4dbcc634bb4202

                SHA512

                f9260bf5110c9b2d628710d8d7087001ed15b720d93a2f7f324bb6272bd55ae7f37cc5e800851efb5f1e65b87519e7de152210f11ae548a433fa6d0e6ba03ef3

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7565077.exe

                Filesize

                141KB

                MD5

                57467a39514284c248e7583c59d491a1

                SHA1

                ecd06d8d93b2d9a46b49bc42638e729f088cc7a5

                SHA256

                985e159284013f9325b6ec3d88dd53920cd0e0088f847995fe4dbcc634bb4202

                SHA512

                f9260bf5110c9b2d628710d8d7087001ed15b720d93a2f7f324bb6272bd55ae7f37cc5e800851efb5f1e65b87519e7de152210f11ae548a433fa6d0e6ba03ef3

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2771219.exe

                Filesize

                384KB

                MD5

                a17c76479e12b059d6696e181bdee7bb

                SHA1

                143be7efdd36f4cce77bfa3abf613da115729c19

                SHA256

                27042086da91f1a27bda6b393871292824297cf4fac91e5acd09e09be0556683

                SHA512

                c8c3421cec47ac7e9df5281bb892eb3f7bc323576c34e66d2d8109d48f65122e4515b307697c9868692c241eb4f0139c82f2abb098129f7648666fb68b20c312

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2771219.exe

                Filesize

                384KB

                MD5

                a17c76479e12b059d6696e181bdee7bb

                SHA1

                143be7efdd36f4cce77bfa3abf613da115729c19

                SHA256

                27042086da91f1a27bda6b393871292824297cf4fac91e5acd09e09be0556683

                SHA512

                c8c3421cec47ac7e9df5281bb892eb3f7bc323576c34e66d2d8109d48f65122e4515b307697c9868692c241eb4f0139c82f2abb098129f7648666fb68b20c312

              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7598702.exe

                Filesize

                184KB

                MD5

                3caf566a83dad7a2c6bc899534e97c00

                SHA1

                25bc00bee74838c5f6388ec5afc29676e0597a5b

                SHA256

                43573fe15bf518dc2bf1098c6709655ce5debdd1c5a69f23111d202d73a52a81

                SHA512

                59e9f2e963be8718bdd7dbf6d00bad1d5b1bb57ff58a40de12d6f5f429169d1787e4bcaffe6851812c17af4f6407d0b1dcc72586c1c5ee2caae05a4b379e094c

              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7598702.exe

                Filesize

                184KB

                MD5

                3caf566a83dad7a2c6bc899534e97c00

                SHA1

                25bc00bee74838c5f6388ec5afc29676e0597a5b

                SHA256

                43573fe15bf518dc2bf1098c6709655ce5debdd1c5a69f23111d202d73a52a81

                SHA512

                59e9f2e963be8718bdd7dbf6d00bad1d5b1bb57ff58a40de12d6f5f429169d1787e4bcaffe6851812c17af4f6407d0b1dcc72586c1c5ee2caae05a4b379e094c

              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3983776.exe

                Filesize

                334KB

                MD5

                68318cd271aed2ac3e6b9209e78dddc1

                SHA1

                a3028502231579f04d84988daa619c3d8a1559e9

                SHA256

                efa3a639237564fb647aa1fe2a7c469458c62f6e2b19624b53ad4390383ab51d

                SHA512

                83d7c6d7c131aa5d4b259cad1ab8fdfbc91dd5d6c25f82892d73e04f6b80dddc2299d6c208ed01c89db69559a639c82c3ff5d8de45f6c2d1d3ec00e2a8dd9ff3

              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3983776.exe

                Filesize

                334KB

                MD5

                68318cd271aed2ac3e6b9209e78dddc1

                SHA1

                a3028502231579f04d84988daa619c3d8a1559e9

                SHA256

                efa3a639237564fb647aa1fe2a7c469458c62f6e2b19624b53ad4390383ab51d

                SHA512

                83d7c6d7c131aa5d4b259cad1ab8fdfbc91dd5d6c25f82892d73e04f6b80dddc2299d6c208ed01c89db69559a639c82c3ff5d8de45f6c2d1d3ec00e2a8dd9ff3

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                Filesize

                334KB

                MD5

                68318cd271aed2ac3e6b9209e78dddc1

                SHA1

                a3028502231579f04d84988daa619c3d8a1559e9

                SHA256

                efa3a639237564fb647aa1fe2a7c469458c62f6e2b19624b53ad4390383ab51d

                SHA512

                83d7c6d7c131aa5d4b259cad1ab8fdfbc91dd5d6c25f82892d73e04f6b80dddc2299d6c208ed01c89db69559a639c82c3ff5d8de45f6c2d1d3ec00e2a8dd9ff3

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                Filesize

                334KB

                MD5

                68318cd271aed2ac3e6b9209e78dddc1

                SHA1

                a3028502231579f04d84988daa619c3d8a1559e9

                SHA256

                efa3a639237564fb647aa1fe2a7c469458c62f6e2b19624b53ad4390383ab51d

                SHA512

                83d7c6d7c131aa5d4b259cad1ab8fdfbc91dd5d6c25f82892d73e04f6b80dddc2299d6c208ed01c89db69559a639c82c3ff5d8de45f6c2d1d3ec00e2a8dd9ff3

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                Filesize

                334KB

                MD5

                68318cd271aed2ac3e6b9209e78dddc1

                SHA1

                a3028502231579f04d84988daa619c3d8a1559e9

                SHA256

                efa3a639237564fb647aa1fe2a7c469458c62f6e2b19624b53ad4390383ab51d

                SHA512

                83d7c6d7c131aa5d4b259cad1ab8fdfbc91dd5d6c25f82892d73e04f6b80dddc2299d6c208ed01c89db69559a639c82c3ff5d8de45f6c2d1d3ec00e2a8dd9ff3

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                Filesize

                334KB

                MD5

                68318cd271aed2ac3e6b9209e78dddc1

                SHA1

                a3028502231579f04d84988daa619c3d8a1559e9

                SHA256

                efa3a639237564fb647aa1fe2a7c469458c62f6e2b19624b53ad4390383ab51d

                SHA512

                83d7c6d7c131aa5d4b259cad1ab8fdfbc91dd5d6c25f82892d73e04f6b80dddc2299d6c208ed01c89db69559a639c82c3ff5d8de45f6c2d1d3ec00e2a8dd9ff3

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                Filesize

                334KB

                MD5

                68318cd271aed2ac3e6b9209e78dddc1

                SHA1

                a3028502231579f04d84988daa619c3d8a1559e9

                SHA256

                efa3a639237564fb647aa1fe2a7c469458c62f6e2b19624b53ad4390383ab51d

                SHA512

                83d7c6d7c131aa5d4b259cad1ab8fdfbc91dd5d6c25f82892d73e04f6b80dddc2299d6c208ed01c89db69559a639c82c3ff5d8de45f6c2d1d3ec00e2a8dd9ff3

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

                Filesize

                89KB

                MD5

                5bc0153d2973241b72a38c51a2f72116

                SHA1

                cd9c689663557452631d9f8ff609208b01884a32

                SHA256

                68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

                SHA512

                2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

                Filesize

                89KB

                MD5

                5bc0153d2973241b72a38c51a2f72116

                SHA1

                cd9c689663557452631d9f8ff609208b01884a32

                SHA256

                68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

                SHA512

                2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

                Filesize

                89KB

                MD5

                5bc0153d2973241b72a38c51a2f72116

                SHA1

                cd9c689663557452631d9f8ff609208b01884a32

                SHA256

                68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

                SHA512

                2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

                Filesize

                273B

                MD5

                374bfdcfcf19f4edfe949022092848d2

                SHA1

                df5ee40497e98efcfba30012452d433373d287d4

                SHA256

                224a123b69af5a3ab0553e334f6c70846c650597a63f6336c9420bbe8f00571f

                SHA512

                bc66dd6e675942a8b8cd776b0813d4b182091e45bfa7734b3818f58c83d04f81f0599a27625ff345d393959b8dbe478d8f1ed33d49f9bcee052c986c8665b8d7

              • memory/3172-56-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-69-0x0000000004B20000-0x0000000004B30000-memory.dmp

                Filesize

                64KB

              • memory/3172-54-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-50-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-58-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-60-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-62-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-64-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-48-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-46-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-44-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-42-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-66-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-67-0x00000000741F0000-0x00000000749A0000-memory.dmp

                Filesize

                7.7MB

              • memory/3172-68-0x0000000004B20000-0x0000000004B30000-memory.dmp

                Filesize

                64KB

              • memory/3172-52-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-71-0x00000000741F0000-0x00000000749A0000-memory.dmp

                Filesize

                7.7MB

              • memory/3172-35-0x00000000741F0000-0x00000000749A0000-memory.dmp

                Filesize

                7.7MB

              • memory/3172-36-0x0000000004B20000-0x0000000004B30000-memory.dmp

                Filesize

                64KB

              • memory/3172-37-0x0000000004B20000-0x0000000004B30000-memory.dmp

                Filesize

                64KB

              • memory/3172-38-0x0000000004B30000-0x00000000050D4000-memory.dmp

                Filesize

                5.6MB

              • memory/3172-39-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/3172-40-0x00000000024A0000-0x00000000024B6000-memory.dmp

                Filesize

                88KB

              • memory/4492-96-0x00000000057C0000-0x00000000057FC000-memory.dmp

                Filesize

                240KB

              • memory/4492-97-0x0000000072C50000-0x0000000073400000-memory.dmp

                Filesize

                7.7MB

              • memory/4492-98-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

                Filesize

                64KB

              • memory/4492-94-0x0000000005760000-0x0000000005772000-memory.dmp

                Filesize

                72KB

              • memory/4492-95-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

                Filesize

                64KB

              • memory/4492-93-0x0000000005820000-0x000000000592A000-memory.dmp

                Filesize

                1.0MB

              • memory/4492-92-0x0000000005D30000-0x0000000006348000-memory.dmp

                Filesize

                6.1MB

              • memory/4492-91-0x0000000072C50000-0x0000000073400000-memory.dmp

                Filesize

                7.7MB

              • memory/4492-90-0x0000000000C90000-0x0000000000CC0000-memory.dmp

                Filesize

                192KB