Overview

overview

10

Static

static

3

Launcher.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    14/12/2024, 12:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Launcher.exe

  • Size

    364KB

  • MD5

    93fde4e38a84c83af842f73b176ab8dc

  • SHA1

    e8c55cc160a0a94e404f544b22e38511b9d71da8

  • SHA256

    fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

  • SHA512

    48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

  • SSDEEP

    6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Score
10/10
amadey9c0a5ddiscoveryexecutionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

9c0a5d

C2

http://185.208.158.116

http://185.209.162.226

http://zapsnn.com
Attributes
  • install_dir

    cdf9d60151

  • install_file

    Gxtuum.exe

  • strings_key

    5866d84c2de724a41612b3c391bae33f

  • url_paths

    /bVoZEtTa1/index.php

    /bVoZEtTa2/index.php

    /bVoZEtTa3/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
      "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:332
        • C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
          "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4028
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4272
          • C:\Users\Admin\AppData\Roaming\services\winrar.exe
            "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01 C:\Users\Admin\AppData\Roaming\services
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            PID:4884
          • C:\Users\Admin\AppData\Roaming\services\plugin342
            C:\Users\Admin\AppData\Roaming\services\plugin342
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Users\Admin\AppData\Roaming\services\plugin342
              "C:\Users\Admin\AppData\Roaming\services\plugin342"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4332
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\10000030111\0b2219a7b6.dll, Main
                7⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:3768
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 596
                  8⤵
                  • Program crash
                  PID:2556
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f & exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:960
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:1552
          • C:\Users\Admin\AppData\Roaming\services\winrar.exe
            "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02 C:\Users\Admin\AppData\Roaming\services\data
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            PID:4792
          • C:\Users\Admin\AppData\Roaming\services\data\2plugin4325
            C:\Users\Admin\AppData\Roaming\services\data\2plugin4325
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3976
            • C:\Users\Admin\AppData\Roaming\services\data\2plugin4325
              "C:\Users\Admin\AppData\Roaming\services\data\2plugin4325"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4248
          • C:\Users\Admin\AppData\Roaming\services\plugin342
            C:\Users\Admin\AppData\Roaming\services\plugin342
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Users\Admin\AppData\Roaming\services\plugin342
              "C:\Users\Admin\AppData\Roaming\services\plugin342"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3340
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f & exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1976
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:1840
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
            5⤵
            • System Location Discovery: System Language Discovery
            PID:380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3768 -ip 3768
    1⤵
      PID:1496

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\10000030111\0b2219a7b6.dll
      Filesize

      12.2MB

      MD5

      83e9019f881d945f87758685054585ca

      SHA1

      fdfa8af4bead35694a6d433b1515d852ed47a16f

      SHA256

      5b1d2b003161369d607f886c584e3c55f3817a12d7a8b79c4d93ab2be647665a

      SHA512

      b6b0b5db208ed885c59558c502a5da1951420cdc0c1b1fab6261af9c52b0d1d57787c350c4e439a2babcc0eeb08fd9b4b349e6c62d018dd78889c66c018ddba1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\10000030111\0b2219a7b6.dll
      Filesize

      6.1MB

      MD5

      6d296e78d1fa1fd19876c2b90e50361f

      SHA1

      f002a225a178b3ea9723f62794c3388dc11ee4e3

      SHA256

      1a0514c63f877396f7f6b20974b3f7c0dcaec8d58eefb7bdcd5a7915990cdf4e

      SHA512

      976b76b9784aeb0212206bd763c9e8b97cd959f7e872cec299976890f053c266064240ccf34c937a760770fa53424913924327077f0031c8a9c696f6e8f5d4fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13ai2taf.2qw.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
      Filesize

      12B

      MD5

      51dc2160402a05084a77d9a5776deee9

      SHA1

      5a0fe95ecaa65918df9fd654ef59395aa831eb67

      SHA256

      3cdf9f36042e275cd95217697accf284299a3889ab49483eb719dd486f03003b

      SHA512

      4757c24a1012b948f60b54999425031850e47eb3b3caa43eaa8781c30e73e18bd48e70178471d97a8cb38ad52d0f7d0532568e978cb378d788e34c3eb288dd77

      Download Submit

    • C:\Users\Admin\AppData\Roaming\services\HID.DLL
      Filesize

      7.1MB

      MD5

      7a04dcd7388b330f4745f8de2bf9605f

      SHA1

      ec746c2dc9b9f1c7667585a1fdc5769389d07b8b

      SHA256

      6683f3e6c27fd2c204f5c5d9c9e202a50b226258a00ec0f4ed75b046be1c6110

      SHA512

      104609c6b0a3ae8d12369d3c684d698bb009b3e849081be8d3c137d85993ae686e671abf1fa607cdc0b51fe21362fcf71cc1982eac8de31297561811eb19b37b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
      Filesize

      364KB

      MD5

      e5c00b0bc45281666afd14eef04252b2

      SHA1

      3b6eecf8250e88169976a5f866d15c60ee66b758

      SHA256

      542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

      SHA512

      2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

      Download Submit

    • C:\Users\Admin\AppData\Roaming\services\WinRAR.exe
      Filesize

      2.1MB

      MD5

      f59f4f7bea12dd7c8d44f0a717c21c8e

      SHA1

      17629ccb3bd555b72a4432876145707613100b3e

      SHA256

      f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

      SHA512

      44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\services\data\2plugin4325
      Filesize

      3.2MB

      MD5

      fd2f2543267e88ee102de87a6385a1b0

      SHA1

      1d23637a34ac33c1f842749877acebd18c70f00b

      SHA256

      3e76a6a04eb32e640a4f2873faf2028703307bb8a2620b94d71c2536b0b6c5fe

      SHA512

      acc5f64688a34482fed7e7d133c435c94df37b0097ebb15c5d1a5631f8101e23cc092a9282f4ff84155c7972009b0b77c23eee38386f56de1e404e1d0e2cddc8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
      Filesize

      364KB

      MD5

      93fde4e38a84c83af842f73b176ab8dc

      SHA1

      e8c55cc160a0a94e404f544b22e38511b9d71da8

      SHA256

      fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

      SHA512

      48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

      Download Submit

    • C:\Users\Admin\AppData\Roaming\services\data\d3d11.dll
      Filesize

      5.7MB

      MD5

      ce00e40cbce6d3267e210f12e4e87a43

      SHA1

      388d00a34f419646a10de6aa028943892a0461dd

      SHA256

      e2cf5cfcb918abd8a8b65b8e1d6090d975560b81a91dfaac3f8e4d4149caeb06

      SHA512

      874049bcd9af9111111f972018fec5598d1e40bf41d9e4ff491c7b5bd730a25775438038a470655852d1eccf0ec9a1389c46f8c8243aa39edf0947244fdf005e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\services\plugin342
      Filesize

      2.7MB

      MD5

      a0fab21c52fb92a79bc492d2eb91d1d6

      SHA1

      03d14da347c554669916d60e24bee1b540c2822e

      SHA256

      e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863

      SHA512

      e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e

      Download Submit

    • memory/332-1-0x0000000072A5E000-0x0000000072A5F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/332-3-0x0000000072A50000-0x0000000073201000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/332-21-0x00000000060E0000-0x00000000060FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/332-22-0x0000000006130000-0x0000000006152000-memory.dmp

      Filesize

      136KB

      Download

    • memory/332-23-0x00000000074B0000-0x0000000007A56000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/332-17-0x00000000057B0000-0x0000000005B07000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/332-7-0x00000000055C0000-0x0000000005626000-memory.dmp

      Filesize

      408KB

      Download

    • memory/332-5-0x0000000005440000-0x0000000005462000-memory.dmp

      Filesize

      136KB

      Download

    • memory/332-20-0x0000000006B60000-0x0000000006BF6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/332-4-0x0000000004D70000-0x000000000543A000-memory.dmp

      Filesize

      6.8MB

      Download

    • memory/332-2-0x0000000004540000-0x0000000004576000-memory.dmp

      Filesize

      216KB

      Download

    • memory/332-18-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/332-71-0x0000000072A50000-0x0000000073201000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/332-19-0x0000000005C50000-0x0000000005C9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/332-59-0x0000000072A5E000-0x0000000072A5F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/332-60-0x0000000072A50000-0x0000000073201000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/332-6-0x00000000054E0000-0x0000000005546000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1964-210-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/1964-205-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/1964-206-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/1964-208-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/1964-204-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/1964-79-0x0000000000BC0000-0x0000000001547000-memory.dmp

      Filesize

      9.5MB

      Download

    • memory/1964-203-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2672-91-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2672-87-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2672-89-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2672-84-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2672-86-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2672-85-0x0000000065000000-0x0000000065726000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2672-61-0x0000000000BC0000-0x0000000001547000-memory.dmp

      Filesize

      9.5MB

      Download

    • memory/3340-217-0x0000000001910000-0x00000000019A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3340-207-0x0000000001910000-0x00000000019A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3340-214-0x0000000001910000-0x00000000019A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3340-216-0x0000000001910000-0x00000000019A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3976-103-0x0000000068400000-0x00000000689F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/3976-106-0x0000000068400000-0x00000000689F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/3976-107-0x0000000068400000-0x00000000689F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/3976-104-0x0000000068400000-0x00000000689F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/3976-101-0x0000000068400000-0x00000000689F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/3976-82-0x0000000068400000-0x00000000689F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/3976-102-0x0000000068400000-0x00000000689F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/4248-105-0x0000000000540000-0x0000000000987000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/4248-112-0x0000000000540000-0x0000000000987000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/4248-110-0x0000000000540000-0x0000000000987000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/4248-196-0x0000000000540000-0x0000000000987000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/4272-54-0x00000000077F0000-0x00000000077FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4272-53-0x0000000007DF0000-0x000000000846A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4272-52-0x00000000076C0000-0x0000000007763000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4272-38-0x00000000075A0000-0x00000000075D2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4272-39-0x000000006F3C0000-0x000000006F40C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4272-51-0x00000000075E0000-0x00000000075FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4332-88-0x0000000000700000-0x0000000000792000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4332-94-0x0000000000700000-0x0000000000792000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4332-97-0x0000000000700000-0x0000000000792000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4332-96-0x0000000000700000-0x0000000000792000-memory.dmp

      Filesize

      584KB

      Download