Overview

overview

10

Static

static

3

b23adb76c3...63.exe

windows7-x64

10

b23adb76c3...63.exe

windows10-2004-x64

Analysis

  • max time kernel
    32s
  • max time network
    43s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 02:58

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    b23adb76c30005dc9d5391fd1f1218b36b6b0cb85b63f5cb9aeeb0cb01d77963.exe

  • Size

    2.9MB

  • MD5

    9d38889192a887e1128ec41dd417fb6d

  • SHA1

    bf6b8a7c9ea4519ee2b4233375b9cf2cc9c7840b

  • SHA256

    b23adb76c30005dc9d5391fd1f1218b36b6b0cb85b63f5cb9aeeb0cb01d77963

  • SHA512

    d4e8aee2c1318e34537d0803f137282b5e9ec58b9a8113e38e8576f0808066f5a690149ea97f720d02642645e85edeba5c1dc482e6d730da25cb99caf604c8e3

  • SSDEEP

    49152:l9PJuLnwLwJL6OBkiP4hpzl9h+q+GJNXu:l9PILnwLwJL6OBMRvdN

Score
10/10
amadeyasyncratlummaxworm9c9aa5defaultdiscoveryevasionexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

xworm

C2

xclient.fahrerscheinonlineholen.de:2489

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot8174428401:AAHxlGtOg4tsy0J0kYm7h8822BuHfnk8vKQ/sendMessage?chat_id=1434988227

Extracted

Family

lumma

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

hgzuiajogwnqs

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/dDuwSpUA

aes.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Xworm Payload 3 IoCs
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Async RAT payload 1 IoCs
    rat
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b23adb76c30005dc9d5391fd1f1218b36b6b0cb85b63f5cb9aeeb0cb01d77963.exe
    "C:\Users\Admin\AppData\Local\Temp\b23adb76c30005dc9d5391fd1f1218b36b6b0cb85b63f5cb9aeeb0cb01d77963.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\1018897001\vQeyqr1.exe
        "C:\Users\Admin\AppData\Local\Temp\1018897001\vQeyqr1.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1018897001\vQeyqr1.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1996
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vQeyqr1.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4156
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3556
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4164
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1840
      • C:\Users\Admin\AppData\Local\Temp\1019050001\7a0580e989.exe
        "C:\Users\Admin\AppData\Local\Temp\1019050001\7a0580e989.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2444
      • C:\Users\Admin\AppData\Local\Temp\1019051001\6eee4e0161.exe
        "C:\Users\Admin\AppData\Local\Temp\1019051001\6eee4e0161.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Users\Admin\AppData\Local\Temp\1019051001\6eee4e0161.exe
          "C:\Users\Admin\AppData\Local\Temp\1019051001\6eee4e0161.exe"
          4⤵
          • Executes dropped EXE
          PID:4696
        • C:\Users\Admin\AppData\Local\Temp\1019051001\6eee4e0161.exe
          "C:\Users\Admin\AppData\Local\Temp\1019051001\6eee4e0161.exe"
          4⤵
          • Executes dropped EXE
          PID:4408
        • C:\Users\Admin\AppData\Local\Temp\1019051001\6eee4e0161.exe
          "C:\Users\Admin\AppData\Local\Temp\1019051001\6eee4e0161.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3688
      • C:\Users\Admin\AppData\Local\Temp\1019052001\3f92e8139e.exe
        "C:\Users\Admin\AppData\Local\Temp\1019052001\3f92e8139e.exe"
        3⤵
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3936
      • C:\Users\Admin\AppData\Local\Temp\1019053001\132eccac96.exe
        "C:\Users\Admin\AppData\Local\Temp\1019053001\132eccac96.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3868
      • C:\Users\Admin\AppData\Local\Temp\1019054001\545593d666.exe
        "C:\Users\Admin\AppData\Local\Temp\1019054001\545593d666.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3944
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

3
T1497

Credential Access

Discovery

Query Registry

7
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

3
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    440cb38dbee06645cc8b74d51f6e5f71

    SHA1

    d7e61da91dc4502e9ae83281b88c1e48584edb7c

    SHA256

    8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

    SHA512

    3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    499298c8da8c8b6e630c889b60905388

    SHA1

    b3b519bebf9861bcdad6e2e6426c2e8a96fd8056

    SHA256

    2e5392338aeb35e2d1ca8c95cde814389a76808da33de106e860c5659c6823ca

    SHA512

    9da91784102b7fcd981d9cd84e787b4609d6c55f359df1bc8bf27759233a8be461552c370f13a21dd953c3f1254b15fe33b6ab89745cb36e7b382934487eb069

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    10890cda4b6eab618e926c4118ab0647

    SHA1

    1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

    SHA256

    00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

    SHA512

    a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    359d1e37a264703c99ebd01eed362de5

    SHA1

    a1122c8bf9848b3371cd191ba540864204d1d845

    SHA256

    5781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07

    SHA512

    ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1018897001\vQeyqr1.exe
    Filesize

    88KB

    MD5

    07e410214a2aeb8f577e407154252f3c

    SHA1

    697fac558b66c0476c3f04d80764fa75eb6de77d

    SHA256

    12e340e551abbf8a61a6dd73d45c94e88aa217ceae070ba0748360d24c706114

    SHA512

    470b208122d6177e4635038418e4966a63725c7f9b21b4d41f3c89b953bae9a23e141424b358110de3a8d1624c125224a7471bb44ef7039c313d03e844a20ecc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1019016001\wNFfgZ1.exe
    Filesize

    612B

    MD5

    e3eb0a1df437f3f97a64aca5952c8ea0

    SHA1

    7dd71afcfb14e105e80b0c0d7fce370a28a41f0a

    SHA256

    38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521

    SHA512

    43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1019050001\7a0580e989.exe
    Filesize

    1.8MB

    MD5

    27c1f96d7e1b72b6817b6efeff037f90

    SHA1

    2972cc112fc7e20cbf5952abe07407b8c1fbb2a2

    SHA256

    aec3ec473de321d123e939985579227ee62b53b3b3edb7ab96e2a66c17e9696d

    SHA512

    9a31dc9945889d35aea8710df2f42806c72c422b7b5f4aa8acba6986cbd9ea6a49181a41a50ee21ccbed86cbff87c98a742e681ac3f6a87e2bd4436c9112eb32

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1019051001\6eee4e0161.exe
    Filesize

    758KB

    MD5

    afd936e441bf5cbdb858e96833cc6ed3

    SHA1

    3491edd8c7caf9ae169e21fb58bccd29d95aefef

    SHA256

    c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf

    SHA512

    928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1019052001\3f92e8139e.exe
    Filesize

    4.2MB

    MD5

    a1a76771507e4a627eccb41e1663aa47

    SHA1

    1bb24963526fb70dcbd724dcbe1ba54d22e7eab8

    SHA256

    c0193a45321ed0251587b1b5c5631f3149f97eeef4a64cf0ba6b506d7aec8e6b

    SHA512

    9fa92583862528cbc937f9643cb077b731394121dfa180e2b57a9655e84a377288b3f3d97d2ef1b85657ea2872e5424ed2c42488be0f85dfbe20945b9e94849d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1019053001\132eccac96.exe
    Filesize

    1.3MB

    MD5

    669ed3665495a4a52029ff680ec8eba9

    SHA1

    7785e285365a141e307931ca4c4ef00b7ecc8986

    SHA256

    2d2d405409b128eea72a496ccff0ed56f9ed87ee2564ae4815b4b116d4fb74d6

    SHA512

    bedc8f7c1894fc64cdd00ebc58b434b7d931e52c198a0fa55f16f4e3d44a7dc4643eaa78ec55a43cc360571345cd71d91a64037a135663e72eed334fe77a21e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1019054001\545593d666.exe
    Filesize

    1.1MB

    MD5

    ef08a45833a7d881c90ded1952f96cb4

    SHA1

    f04aeeb63a1409bd916558d2c40fab8a5ed8168b

    SHA256

    33c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501

    SHA512

    74e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rv21prec.1zp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Filesize

    2.9MB

    MD5

    9d38889192a887e1128ec41dd417fb6d

    SHA1

    bf6b8a7c9ea4519ee2b4233375b9cf2cc9c7840b

    SHA256

    b23adb76c30005dc9d5391fd1f1218b36b6b0cb85b63f5cb9aeeb0cb01d77963

    SHA512

    d4e8aee2c1318e34537d0803f137282b5e9ec58b9a8113e38e8576f0808066f5a690149ea97f720d02642645e85edeba5c1dc482e6d730da25cb99caf604c8e3

    Download Submit

  • memory/856-23-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/856-24-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/856-28-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/856-26-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1996-66-0x00000115F4690000-0x00000115F46B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2364-159-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2364-48-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2364-25-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2364-67-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2364-21-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2364-20-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2364-19-0x0000000000CD1000-0x0000000000CFF000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2364-16-0x0000000000CD0000-0x0000000000FE8000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2444-144-0x0000000000D10000-0x00000000011AA000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2444-97-0x0000000000D10000-0x00000000011AA000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2980-180-0x000000001C620000-0x000000001C638000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2980-47-0x0000000000710000-0x000000000072C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2980-179-0x000000001C600000-0x000000001C61C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3688-143-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3688-141-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3936-161-0x0000000000C00000-0x0000000001888000-memory.dmp

    Filesize

    12.5MB

    Download

  • memory/3944-201-0x0000000008140000-0x00000000086E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3944-200-0x0000000000C90000-0x0000000000DA6000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3944-202-0x0000000007C70000-0x0000000007D02000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3944-203-0x00000000030E0000-0x00000000030EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3944-204-0x0000000007EB0000-0x0000000007F4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3944-205-0x00000000092F0000-0x0000000009316000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4656-0-0x0000000000950000-0x0000000000C68000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4656-2-0x0000000000951000-0x000000000097F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4656-3-0x0000000000950000-0x0000000000C68000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4656-18-0x0000000000950000-0x0000000000C68000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4656-1-0x00000000778A4000-0x00000000778A6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4656-4-0x0000000000950000-0x0000000000C68000-memory.dmp

    Filesize

    3.1MB

    Download