Overview

overview

10

Static

static

3

57a3b4e843...9c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 23:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    57a3b4e843bcce69125a951184a792d95bd780e26e3cc48b01195de89e1c579c.exe

  • Size

    7.1MB

  • MD5

    ffaa957b9fa4fd4d1d3a88b7600b6ea6

  • SHA1

    4939736d9648fcdeccdecedc5c1d5e4b60815c08

  • SHA256

    57a3b4e843bcce69125a951184a792d95bd780e26e3cc48b01195de89e1c579c

  • SHA512

    2e717ba76a602bfbebc329263011f786ca71ea7338555a2561d30a2934dc702156684cb41fb8efb27dbfeb437cecd95c49b04a156447302d1f865d9289fe16a5

  • SSDEEP

    196608:PtXblkafj/LLFn8IdjCLC9oIX1WN0skcXVUFOuYT:PB53jnF8MjCLqoIA0aeFLy

Score
10/10
amadeylummastealc9c9aa5drumdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

Extracted

Family

stealc

Botnet

drum

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57a3b4e843bcce69125a951184a792d95bd780e26e3cc48b01195de89e1c579c.exe
    "C:\Users\Admin\AppData\Local\Temp\57a3b4e843bcce69125a951184a792d95bd780e26e3cc48b01195de89e1c579c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X3z70.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X3z70.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0k47.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0k47.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1U35a0.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1U35a0.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4780
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4408
            • C:\Users\Admin\AppData\Local\Temp\1011089001\da066a223d.exe
              "C:\Users\Admin\AppData\Local\Temp\1011089001\da066a223d.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4436
            • C:\Users\Admin\AppData\Local\Temp\1011090001\27657630de.exe
              "C:\Users\Admin\AppData\Local\Temp\1011090001\27657630de.exe"
              6⤵
              • Enumerates VirtualBox registry keys
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4148
            • C:\Users\Admin\AppData\Local\Temp\1011091001\ec243b4f46.exe
              "C:\Users\Admin\AppData\Local\Temp\1011091001\ec243b4f46.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3524
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1584
                7⤵
                • Program crash
                PID:4996
            • C:\Users\Admin\AppData\Local\Temp\1011092001\5a7330e616.exe
              "C:\Users\Admin\AppData\Local\Temp\1011092001\5a7330e616.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1540
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2D3134.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2D3134.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2124
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1116
            5⤵
            • Program crash
            PID:2412
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1740
            5⤵
            • Program crash
            PID:4996
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3S76K.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3S76K.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1652
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4P494Y.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4P494Y.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3048
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2124 -ip 2124
    1⤵
      PID:4712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2124 -ip 2124
      1⤵
        PID:3080
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4304
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3524 -ip 3524
        1⤵
          PID:2412

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1011089001\da066a223d.exe
          Filesize

          1.9MB

          MD5

          7d9e81071dca4ffd98fdaa3a59f3d4c2

          SHA1

          7d717efa51114a837b32435a11744536e086b324

          SHA256

          a8f6e1f06ce798c9a24a7406366b8abed6f82097e593a8390c48b612f9e4d69b

          SHA512

          b641f3aafc38851503f3e9f1883c809fb3c73a7042c953b8c7416c133fd7e1770f427598204dd8411b68fcdba05ce21981090792cc5d74b7fb4c7b30c8947be8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1011090001\27657630de.exe
          Filesize

          4.3MB

          MD5

          ff4b8170d65a601c9dd68f65991fcd26

          SHA1

          ed404a41c0991fd1b250d82fd6e95ca3b1ed047f

          SHA256

          d4d15d36936bf4c07fec6af26c3a877ea4fd5e8417eeaeed74106809c0151c5d

          SHA512

          b7aaeae076ebd114e9d58651e2bf96e577aec54b9ccbadbb1b050eb29a865dcf3411d60cbf90d5aa0e923cf7690591f8c5affdebaa5797f2cf169f6b41d2400a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4P494Y.exe
          Filesize

          2.7MB

          MD5

          8645cc60ea0d7f3f64d87a95c9059377

          SHA1

          9ef12d226d49bfb6daae661bb41e83ec7a5df672

          SHA256

          889ef406ae4e3e9db8e605eedfda2f42174580353d6886044d7d61354bd03cd0

          SHA512

          07c5eaa6869a1123f7479416a47d404fce95a41a5551c8586c098745f0e4dd0a28ea5da1bcfd7fab3444564e57cf228bd904e02810d481f2462bf4644af83f11

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X3z70.exe
          Filesize

          5.5MB

          MD5

          9c3efefed5f03f763f4cb713c2eebf67

          SHA1

          c0cb88262789fe4d1fb06225991d1d373641551a

          SHA256

          7570f05cbe3009e6dbb1c1a03e08f8f0e6e326d409977bc140a7bcdb32abc604

          SHA512

          f235b84197d180e0cd6ca2dcc6b90133e4672eb3c2ffaa3c086a14cb2939d565cc603e85a0e9df85625190f6236f55d86d4739b0c6313a2fa2ada45cd0d090e1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3S76K.exe
          Filesize

          1.7MB

          MD5

          67a3f36d09e43df0dc573740f80c383d

          SHA1

          1e46691a92586a72111174070f8e6772fd045478

          SHA256

          f5bc3eb3ce1e72dc332853f436784bb44f53324463514b78356cc711fc8653bb

          SHA512

          0200be8eabda8949549ae45cf0a55ac43449c84af8707d26f13a1806ce9afd1556fc7371be933cb196d1bed69d2a80ce43ae7c0f7bb354d7d5d498d37c91e5a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0k47.exe
          Filesize

          3.7MB

          MD5

          3e284aa4c5850bb29a942d904313fe6f

          SHA1

          d0b2f3fbbd06b51c26265aba4b0dfb6a6d34656e

          SHA256

          5dd398f93e2cdcd16ba146c8305ccf7776f03b305b128b1e94c695060f0e45b7

          SHA512

          133796a0c8049d549e003041f75f9ef4027fa1b77c30e59a59515d42c39e7afab4732ace7365d6e2476ccb9aa6fe7620e7a2c580494f25ff38d30189dd903fff

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1U35a0.exe
          Filesize

          1.8MB

          MD5

          6168d17233fabf78c99b2332ef567ee8

          SHA1

          fc01ec2e16bb741ddacf14c25eca3d7e2c502b95

          SHA256

          5aaa108b8e6e927fe2cf2ae6280d54bbc78b779d2bb31f171846f216ebeeb0e7

          SHA512

          4398c14274e147ece5faa6d707b837615724e1b410a42eee95fcb099ba405d71b998be230fa4c20cb1f42d36f5fa65bf9356226ada7f8d7a34cac62b4d1a29f1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2D3134.exe
          Filesize

          1.8MB

          MD5

          b670ae6d2db43ba12d14b7e29d02eb3b

          SHA1

          35cd2df71bb0acf5a161b4d4d60ffcf220822490

          SHA256

          23ec194caafa831e65e924bd7513771b81a44c8447232f80ba23a7a571c6aa98

          SHA512

          39daa37162b922c1b0592e1585ca185940e1c94ce7210f487b821aab7ee48b2ba1498e5843cffa0d0cc96277cbad037760f5a3f11673c0c5ae8af91cb5d7f2a9

          Download Submit

        • memory/1540-163-0x0000000000430000-0x0000000000AD7000-memory.dmp

          Filesize

          6.7MB

          Download

        • memory/1540-159-0x0000000000430000-0x0000000000AD7000-memory.dmp

          Filesize

          6.7MB

          Download

        • memory/1652-51-0x0000000000DF0000-0x0000000001497000-memory.dmp

          Filesize

          6.7MB

          Download

        • memory/1652-48-0x0000000000DF0000-0x0000000001497000-memory.dmp

          Filesize

          6.7MB

          Download

        • memory/2124-45-0x00000000003A0000-0x0000000000845000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2124-41-0x00000000003A0000-0x0000000000845000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2124-44-0x00000000003A0000-0x0000000000845000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2124-42-0x00000000003A0000-0x0000000000845000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2124-38-0x00000000003A0000-0x0000000000845000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/3048-58-0x0000000000B40000-0x0000000000DF2000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3048-55-0x0000000000B40000-0x0000000000DF2000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3048-59-0x0000000000B40000-0x0000000000DF2000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3048-86-0x0000000000B40000-0x0000000000DF2000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3048-63-0x0000000000B40000-0x0000000000DF2000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3524-161-0x0000000000DC0000-0x0000000001265000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/3524-164-0x0000000000DC0000-0x0000000001265000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/3524-138-0x0000000000DC0000-0x0000000001265000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/3524-142-0x0000000000DC0000-0x0000000001265000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/4148-121-0x00000000006A0000-0x000000000132A000-memory.dmp

          Filesize

          12.5MB

          Download

        • memory/4148-120-0x00000000006A0000-0x000000000132A000-memory.dmp

          Filesize

          12.5MB

          Download

        • memory/4148-117-0x00000000006A0000-0x000000000132A000-memory.dmp

          Filesize

          12.5MB

          Download

        • memory/4304-61-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4304-57-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-90-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-39-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-92-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-166-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-94-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-34-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-96-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-62-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-144-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-40-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-101-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-140-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-87-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-43-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-119-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4408-123-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4436-83-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-143-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-91-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-118-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-89-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-141-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-100-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-122-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-93-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-165-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4436-95-0x0000000000400000-0x0000000000C61000-memory.dmp

          Filesize

          8.4MB

          Download

        • memory/4496-98-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4496-99-0x00000000007A0000-0x0000000000C5F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4780-32-0x0000000000770000-0x0000000000C2F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4780-21-0x0000000000770000-0x0000000000C2F000-memory.dmp

          Filesize

          4.7MB

          Download