hxxps://github[.]com/disepi/ambrosial/releases/download/1[.]5/Ambrosial[.]exe

max time kernel
67s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2023 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe

Score

8^/10

agilenet

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Ambrosial.exe

pid process

1472 Ambrosial.exe
Loads dropped DLL 1 IoCs

Processes:

Ambrosial.exe

pid process

1472 Ambrosial.exe

pid	process
1472	Ambrosial.exe

pid	process
1472	Ambrosial.exe

Obfuscated with Agile.Net obfuscator 32 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1472-392-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-393-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-395-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-397-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-399-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-402-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-404-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-406-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-408-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-410-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-412-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-414-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-416-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-418-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-420-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-422-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-424-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-426-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-428-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-430-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-432-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-434-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-436-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-438-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-440-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-442-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-444-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-446-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-448-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-450-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-452-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net
behavioral1/memory/1472-454-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 3 IoCs

Processes:

Ambrosial.exe

description	ioc	process
File created	C:\Windows\Fonts\Azonix.otf	Ambrosial.exe
File opened for modification	C:\Windows\Fonts\Azonix.otf	Ambrosial.exe
File created	C:\Windows\Fonts\OpenSansLight.ttf	Ambrosial.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 861a78379e45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1357670657"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31039259"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7BAE923C-0B0E-11EE-9156-D660CAC54930} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31039259"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{3352292B-2476-4FBB-8BC4-B8972E8DD56A}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1357670657"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Ambrosial.exe

description pid process

Token: SeDebugPrivilege 1472 Ambrosial.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

4836 iexplore.exe
4836 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4836 iexplore.exe
4836 iexplore.exe
1388 IEXPLORE.EXE
1388 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1472	Ambrosial.exe

pid	process
4836	iexplore.exe
4836	iexplore.exe

pid	process
4836	iexplore.exe
4836	iexplore.exe
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4836 wrote to memory of 1388	4836	iexplore.exe	IEXPLORE.EXE
PID 4836 wrote to memory of 1388	4836	iexplore.exe	IEXPLORE.EXE
PID 4836 wrote to memory of 1388	4836	iexplore.exe	IEXPLORE.EXE
PID 4836 wrote to memory of 1472	4836	iexplore.exe	Ambrosial.exe
PID 4836 wrote to memory of 1472	4836	iexplore.exe	Ambrosial.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4836 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1B83N948\Ambrosial.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1B83N948\Ambrosial.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\1.16.220\Atani Classic\launcherAssets\ataniclassic.png
Filesize
44KB

MD5
e5ef6bdf0c495893af82822f51711550

SHA1
b09ad5ecaaed6af91dd24e031aaf8bceae1ae055

SHA256
5a47fa7b19198bcad18091ae138a411b44faa2ddc2d9891650061cbdb63094da

SHA512
3408ce2f0727e223f939b4d34fd9035083eddd7a0a8ace2a038d98d201dbeb1c48d1da0b5335d21dcdd8ddc726b5f117611247cfdacc9cd046d2c9dcde0cd492

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\1.17.201.0\Zephyr Classic\launcherAssets\yeeee.png
Filesize
115KB

MD5
57b901d65f2725d394d569c05dd34fa4

SHA1
cdb25673ae31bc33872c39ec02924c33d42bba93

SHA256
e6ce3cf2c8094af5e4e8e24b1283a8711dfd34dbb2d47b0f373ce7349dfb5998

SHA512
bea29493c6b73d29e2e16f2f63fe49c9cf3d843156aca838f3d5e0f2e917050d4e79df3d44e09144e6a42f8c8a52bf4a0080f2dff6356fc04f8d469841a894b3

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\1.17.4006.0\Zephyr Classic\launcherAssets\zephyrNewB.png
Filesize
50KB

MD5
93a8e487ac8ce3f27b99b41dffc28551

SHA1
3ef1dec9d98dc84015fb0924df6398cb4df0de41

SHA256
2a6157da3d3b511fcd05b67f6449c773663d3dc5b8328b808ccb2e4b4cf9f73b

SHA512
18ba3eb47747ffae1afbf269b748fbbf4eaee6ce8d7c73b0c8410164ad8cbfac1af765e6f542ced635f2355773ee623f8b516ef6454fe1c363fe3e9ae3d2959e

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\1.19.3004.0\Zephyr Classic\launcherAssets\ProjectHalcyon.png
Filesize
54KB

MD5
cf4b10cab822fb4e563d5c1fc7757a30

SHA1
57328884b3e1ebf4eaeb4715a33bf93a52c95d53

SHA256
abb9e95c2b6bf7f7fad5f483b9e3e746bbca54a82ff79009d0760dcd2ff013cc

SHA512
f0607ac012b3e86a56f63b9778bde661424e56b3b048f24c8d82b693fe673e860bf0225863f4f71915a1c8c5c83f3caa0de796a0059860d62e378e0b98135eb0

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt
Filesize
3KB

MD5
8281fa4d4b3498911aabd9c1978523e4

SHA1
649142eaaeb8f482497dc11145ce751b926ab820

SHA256
b96f2cc101072b952d8d2b5a435319b188bc9f47e6e998cf0bd62d3f97b0ee14

SHA512
6c4e1e3850783c6536c3c9a7697d2acbe6cb108412a0be517f0bb1e3f8d6d6e9664f44f7f8aab5751b5c36e397aede5745f61dead27381acd51045476ce12f8d

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt
Filesize
4KB

MD5
a95c9e1dfbac637bb95377cb8f57e86b

SHA1
04da2c2ea62d18e1a76d039a68e0b9e734d0fd39

SHA256
5ac17ef03295a0319774a72c72e7aee0ded6b4ce7afbd9492c2262e4f8f13ce6

SHA512
0f3d6f823341d9d3fc7dbd92ba6390eb925a314626ccc46aa7c86f4e5f7a23d495fb430745efeeacaef3db3217b282b72f096e6b535e3d3e84afb53ca9bab291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1B83N948\Ambrosial.exe
Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1B83N948\Ambrosial.exe.8v9z5x1.partial
Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P8NMKCW2\Ambrosial[1].exe
Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\Desktop\Azonix.otf
Filesize
11KB

MD5
cdfe47b31e9184a55cf02eef1baf7240

SHA1
b8825c605434d572f5277be0283d5a9b2cde59e4

SHA256
51a65e5c09bf27980adf640cb54cb2a5bbb217fdaab79b377e158f92533362a9

SHA512
a2e5141c0f7ca72bcf5b1a303fce1734953d83ad363d4c3c7d8786e1bfd872a6b96eeabce3740b547a5447e255415cdf688a0d2074cecfaa0c54c49d0f2882c5

Download Submit
C:\Windows\Fonts\OpenSansLight.ttf
Filesize
217KB

MD5
1bf71be111189e76987a4bb9b3115cb7

SHA1
40442c189568184b6e6c27a25d69f14d91b65039

SHA256
cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424

SHA512
cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

Download Submit
memory/1472-420-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-436-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-392-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-393-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-395-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-397-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-399-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-402-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-401-0x00007FFA274C0000-0x00007FFA274E7000-memory.dmp

Filesize
156KB

Download
memory/1472-404-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-406-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-408-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-410-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-412-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-414-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-416-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-418-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-183-0x0000025EE9E70000-0x0000025EE9E92000-memory.dmp

Filesize
136KB

Download
memory/1472-422-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-424-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-426-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-428-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-430-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-432-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-434-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-391-0x00007FFA29910000-0x00007FFA29A5E000-memory.dmp

Filesize
1.3MB

Download
memory/1472-438-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-440-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-442-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-444-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-446-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-448-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-450-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-452-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-454-0x0000025EE9F90000-0x0000025EEA174000-memory.dmp

Filesize
1.9MB

Download
memory/1472-612-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-1118-0x00007FFA274C0000-0x00007FFA274E7000-memory.dmp

Filesize
156KB

Download
memory/1472-11708-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-11709-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-11725-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-171-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-153-0x0000025ECE700000-0x0000025ECE71A000-memory.dmp

Filesize
104KB

Download
memory/1472-152-0x0000025ECD160000-0x0000025ECE14A000-memory.dmp

Filesize
15.9MB

Download
memory/1472-11836-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-11837-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-11838-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-11839-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-11840-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-11841-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download
memory/1472-11842-0x0000025EE8770000-0x0000025EE8780000-memory.dmp

Filesize
64KB

Download