Analysis Overview
SHA256
bc5e1a99ef6ace27c7fe4db351f1b09de2d6c7f3dffc9231786786da71191623
Threat Level: Known bad
The file am.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Blocklisted process makes network request
Downloads MZ/PE file
Suspicious use of SetThreadContext
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 15:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 15:44
Reported
2024-05-19 15:47
Platform
win7-20240221-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Amadey
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1924 set thread context of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\netsh.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\WUUtls.job | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\am.exe
"C:\Users\Admin\AppData\Local\Temp\am.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\973d89f4
C:\Users\Admin\AppData\Local\Temp\995cd83e
C:\Users\Admin\AppData\Roaming\gwcloud\AQ_System.exe
C:\Users\Admin\AppData\Local\Temp\Cab9EE0.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar9FD1.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\1000872001\FoundedCampus.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 15:44
Reported
2024-05-19 15:47
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Amadey
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3124 set thread context of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\netsh.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\WUUtls.job | C:\Windows\SysWOW64\netsh.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\am.exe
"C:\Users\Admin\AppData\Local\Temp\am.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000876041\heic.ps1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-Item -Path C:\Users\Admin\AppData\Local -Name Heic -ItemType directory
Network
Files
C:\Users\Admin\AppData\Local\Temp\cd0a5993
C:\Users\Admin\AppData\Local\Temp\cfb94fa3
C:\Users\Admin\AppData\Roaming\gwcloud\AQ_System.exe
C:\Users\Admin\AppData\Local\Temp\1000872001\FoundedCampus.exe
C:\Users\Admin\AppData\Local\Temp\1000876041\heic.ps1
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vvuwook.qts.ps1