Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11-11-2024 21:22

General

  • Target

    2ce67a1ac2f39ff149ee9f832a02b1e4208300dd7db269c2abdea19d67e8ff00.exe

  • Size

    3.0MB

  • MD5

    735b427034dfa1e8184d92b3e9e0e918

  • SHA1

    b975f1733334e5fe7f5b243af277c443f2284959

  • SHA256

    2ce67a1ac2f39ff149ee9f832a02b1e4208300dd7db269c2abdea19d67e8ff00

  • SHA512

    c161ecb540f6f96cc2141920bf73d2964b9d467c40321659d908fb12d7cac130c1d15e927e45fbb58078ee2a5a0151d14883208edb1f5f8e08e346a77f497721

  • SSDEEP

    49152:jWGWJ9i+5Z5WxbqKJ9D+Fh1sOmQmSTxJCsso:CGZ+75WFqKJ9CFbPgST1

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Xworm Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 11 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\2ce67a1ac2f39ff149ee9f832a02b1e4208300dd7db269c2abdea19d67e8ff00.exe
        "C:\Users\Admin\AppData\Local\Temp\2ce67a1ac2f39ff149ee9f832a02b1e4208300dd7db269c2abdea19d67e8ff00.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Users\Admin\AppData\Local\Temp\1005552001\pidgeon.exe
            "C:\Users\Admin\AppData\Local\Temp\1005552001\pidgeon.exe"
            4⤵
            • Executes dropped EXE
            PID:3424
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbdp.lnk'); $s.TargetPath = 'C:\Users\Admin\AppData\Local\Temp\1005552001\pidgeon.exe'; $s.Save()"
              5⤵
              • Drops startup file
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3944
          • C:\Users\Admin\AppData\Local\Temp\1005561001\crypted.exe
            "C:\Users\Admin\AppData\Local\Temp\1005561001\crypted.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3228
            • C:\Users\Admin\AppData\Local\Temp\1005561001\crypted.exe
              "C:\Users\Admin\AppData\Local\Temp\1005561001\crypted.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4296
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 296
              5⤵
              • Program crash
              PID:2488
          • C:\Users\Admin\AppData\Local\Temp\1005612001\new.exe
            "C:\Users\Admin\AppData\Local\Temp\1005612001\new.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2768
          • C:\Users\Admin\AppData\Local\Temp\1005617001\new.exe
            "C:\Users\Admin\AppData\Local\Temp\1005617001\new.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2252
          • C:\Users\Admin\AppData\Local\Temp\1005622001\PowderGpl.exe
            "C:\Users\Admin\AppData\Local\Temp\1005622001\PowderGpl.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3148
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2648
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:532
              • C:\Windows\SysWOW64\findstr.exe
                findstr /I "wrsa opssvc"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4816
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1948
              • C:\Windows\SysWOW64\findstr.exe
                findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4756
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 609587
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4872
              • C:\Windows\SysWOW64\findstr.exe
                findstr /V "outputdiffswalnutcontainer" Sufficient
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4200
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4804
              • C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif
                Horizon.pif k
                6⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:3024
                • C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
                  C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:4544
              • C:\Windows\SysWOW64\choice.exe
                choice /d y /t 5
                6⤵
                • System Location Discovery: System Language Discovery
                PID:5112
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2040
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & echo URL="C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3228 -ip 3228
      1⤵
        PID:1004
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4756
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:2952

      Network

      MITRE ATT&CK Enterprise v15

      Downloads
