Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-07-2024 01:57

General

  • Target

    bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe

  • Size

    2.4MB

  • MD5

    f7f2373c7005d9978782be75bef6a1c4

  • SHA1

    24523818e79c6ccc38c90de912743552e98be2be

  • SHA256

    bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13

  • SHA512

    26e4a9ba65207c91dd181c5010d051838d6172dcbfc165aa750cbe72297dde0b0c0e54b024a6cba070089f3ac5f943d67ba779ee64f78a8f37b425f274f607d8

  • SSDEEP

    49152:IK08+UO8Ajkw2s5uNuuiV/0H31F7AqxxJ/PgWAOEIm9B1:/V+UTwDl5eiGXPNxxJQxIm

Malware Config

Extracted

Family

stealc

Botnet

jony

C2

http://85.28.47.4

Attributes
  • url_path

    /920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
    "C:\Users\Admin\AppData\Local\Temp\bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe
        "C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:644
          • C:\Users\Admin\AppData\Local\Temp\1000007001\880f763fff.exe
            "C:\Users\Admin\AppData\Local\Temp\1000007001\880f763fff.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
              6⤵
              • Enumerates system info in registry
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3424
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0a78ab58,0x7ffe0a78ab68,0x7ffe0a78ab78
                7⤵
                  PID:540
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:2
                  7⤵
                    PID:1616
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
                    7⤵
                      PID:4092
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
                      7⤵
                        PID:3820
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:1
                        7⤵
                          PID:3672
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:1
                          7⤵
                            PID:4140
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:1
                            7⤵
                              PID:4244
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
                              7⤵
                                PID:4332
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
                                7⤵
                                  PID:5056
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
                                  7⤵
                                    PID:1456
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2352 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:2
                                    7⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:424
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      PID:528
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
      PID:2056
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2384
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4224


                        Downloads

                        • C:\ProgramData\mozglue.dll

                          Filesize

                          593KB

                          MD5

                          c8fd9be83bc728cc04beffafc2907fe9

                          SHA1

                          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                          SHA256

                          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                          SHA512

                          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                        • C:\ProgramData\nss3.dll

                          Filesize

                          2.0MB

                          MD5

                          1cc453cdf74f31e4d913ff9c10acdde2

                          SHA1

                          6e85eae544d6e965f15fa5c39700fa7202f3aafe

                          SHA256

                          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                          SHA512

                          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                          Filesize

                          216B

                          MD5

                          cb5a4ae6cc9cf7f736f00e55ef7044c7

                          SHA1

                          bf92de411a04a4148a1cf0e8253ded4420d5b418

                          SHA256

                          23ab3c6fde2170d0123eb4278cfbe6780dfcc9b76aa60d08805b146e4adf0ecf

                          SHA512

                          b1cd498ff589563586367bcb5f15824012425f1e1ca7249e7badba2d9a89a80f00ffd97436fd05c2d53733ac8819955e211e9130da1c7e96a4944b7253fffbb4

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                          Filesize

                          3KB

                          MD5

                          34769a0083e4a61dd67f277e044cb238

                          SHA1

                          4bff89cd589e4be3b8dceac27e9a2762ab1a6b99

                          SHA256

                          7c3929467308d618c57b0633f03d6caf776045ed66c06faa88c3a52c4bac256d

                          SHA512

                          35a4ec9763359f0668bdfacfc860e43caf2ca22bbd36bab3dcdc2d38da00f26c915600dae23a648c8d3e90b90b01b1fe48e8fed723501b7434cef4e2c1f0ba59

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                          Filesize

                          2KB

                          MD5

                          fcdf2f610dd6641766d3c30dd679e200

                          SHA1

                          d6c6bd9297da145d599f8e0175577033718b8317

                          SHA256

                          89609d26f4aca4c29e62634476e732ef3fb25f9b1566f30adae6115f601c85a9

                          SHA512

                          66cda3df354cfa03dfefd84a32c4163413f2aeb8f3cc3ca1e36de3f51a0e4e7bb17f894163f92d717d60dc78e5eb2719cc2112869dfe8c995afefacb69d3e17c

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                          Filesize

                          2B

                          MD5

                          d751713988987e9331980363e24189ce

                          SHA1

                          97d170e1550eee4afc0af065b78cda302a97674c

                          SHA256

                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                          SHA512

                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                          Filesize

                          688B

                          MD5

                          bfa302c0eb8a63b0f6b0604ed1763b78

                          SHA1

                          aa7f8bb27fe6d12c4415fe9e5ec0ac4dc02d5222

                          SHA256

                          4c1b9602fb529c2d99048c3e8f307a7993dbfeafe783c5758b75f2b5719749a5

                          SHA512

                          c54f22ca060e76790bf84770f22207f1ece14e03e381ca8b1ff9ef8e3639f013c9bb5f19b780ed860c29b4e94028ff06caf07a6e0b97901d435c644be3bd4f95

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          7KB

                          MD5

                          b93e5423faf80e4de9793c37cad04d79

                          SHA1

                          07450dc8375d47b7759e39b115d7304ab39fbb60

                          SHA256

                          0919504ac9409aff83d2d9a5aeb86c9b9bbed18405e2b6eec309824ee24d3a16

                          SHA512

                          ba70b6e3c8d5103c7cb756ce011b3ae9871492f3e0696b43f4be7a5248695804d4f40c157ceca5f38bf250e88b0227974803b8c2aa302bfe41148a5771e3026f

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                          Filesize

                          16KB

                          MD5

                          b83ab8270ae8b955e0ea40b85832ee37

                          SHA1

                          61f29fe9bdde7ad6545b7ba8cdac1e60a61f702f

                          SHA256

                          a8c308f61397477cc83873e89fa2db72da7ceb712d54f1abcc035e97f7217689

                          SHA512

                          4b5c1c2dca90c833c74e4fc599992cc97d42c20665e8eedeba4ac615e302aa1ad58605e0588779d870cf30e3bdf4f60a04427a2da1e1a7327106b141198086f5

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                          Filesize

                          279KB

                          MD5

                          a9e37c21cc0ca548b2b8394f39605d1d

                          SHA1

                          b40cc6cc071f857d1c343a4ade50876a800f7842

                          SHA256

                          0faf59614fea47c7a33c74f352ccea10cda4fb8cbe4a68c9678161f5d108b7ed

                          SHA512

                          38b6bc5088287c43d4f545467b7c5aeac43a1a7e91b11e88e699f5dff86c292c32690cdb6173c48372b5e09d27e4922bb15b1b9e29cea7835daf843f2e4bff91

                        • C:\Users\Admin\AppData\Local\Temp\1000007001\880f763fff.exe

                          Filesize

                          1.1MB

                          MD5

                          08adf93a86b983edaee843e01f85fddb

                          SHA1

                          1647634a1bdf17e3944046992f03e52ccbbc9f7c

                          SHA256

                          1ef265a69a824b0ad8781771c35265868c58e56264461d74e825ef473c57161e

                          SHA512

                          60d37930bf6845cea06eaa3d7a48b97d17ff2b24cc8725814b4aae9ce2de2fd5964e690489b8e9f9126bb57b685191bb922640a4d6c123d9749845075224ae0e

                        • C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe

                          Filesize

                          1.8MB

                          MD5

                          6c4ea5959222315f89ec2a4c31a79b42

                          SHA1

                          b0e03f4bb8f6cd1e0d35abe12e6a38f500b61c08

                          SHA256

                          03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39

                          SHA512

                          32697372fdde9adb6994838ff81d00b8e02d0e26ffb2feb8eaf366180bad7b7e0a22c8e92284680733ef1015b437144694793cdfc7791913b1a6f9771fe67695

                        • \??\pipe\crashpad_3424_CNRYVRVQGZHTMJRW

                          MD5

                          d41d8cd98f00b204e9800998ecf8427e

                          SHA1

                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                          SHA256

                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                          SHA512

                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
