amadey | 207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
17/05/2024, 20:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe
Size

1.5MB
MD5

9e0d8d07a60fabc862137c73218944e0
SHA1

05a4e4e5c1f298d413616a85735ecdd000529e2f
SHA256

207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32
SHA512

d060c501beba283f1f56cc4487950e2f079dfdbd95101692da12f40c11c9dcf859a360186b2edd95a9e21ba543bb7602a23780214c170a8f02f0d71bb509cc73
SSDEEP

24576:LEd6iSHW2y1SQuqdg2cfW6b62vz++bTmDQC9iWbMVxXbei5FU94r+:Ad6iaIfuqdgoA6yPmN9kxXbeivU9U+

Score

10^/10

amadey risepro 18befc c767c0 evasion persistence stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

http://5.42.96.141

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d815804a12.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d815804a12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d815804a12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe

Executes dropped EXE 9 IoCs

pid	Process
564	explorku.exe
4916	amers.exe
4860	explorku.exe
4116	axplons.exe
4348	d815804a12.exe
2500	axplons.exe
1928	explorku.exe
2984	explorku.exe
3528	axplons.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplons.exe

Themida packer 52 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1360-0-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/memory/1360-2-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/memory/1360-1-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/memory/1360-3-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/memory/1360-8-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/memory/1360-6-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/memory/1360-7-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/memory/1360-5-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/memory/1360-4-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/files/0x000100000002aa1d-14.dat	themida
behavioral2/memory/1360-21-0x00000000008B0000-0x0000000000D95000-memory.dmp	themida
behavioral2/memory/564-22-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/564-23-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/564-26-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/564-30-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/564-29-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/564-28-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/564-27-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/564-24-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/564-25-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/564-33-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4860-52-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4860-54-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4860-55-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4860-58-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4860-59-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4860-57-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4860-56-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4860-53-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4860-61-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/files/0x000100000002aa22-80.dat	themida
behavioral2/memory/4348-94-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/4348-95-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/4348-97-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/4348-98-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/4348-96-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/4348-99-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/4348-101-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/4348-102-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/4348-100-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/564-103-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/4348-105-0x0000000000EF0000-0x0000000001575000-memory.dmp	themida
behavioral2/memory/1928-123-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/1928-128-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/1928-125-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/1928-129-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/1928-127-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/1928-133-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/1928-126-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/1928-124-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/2984-160-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida
behavioral2/memory/2984-164-0x0000000000CA0000-0x0000000001185000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\d815804a12.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\d815804a12.exe"	explorku.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d815804a12.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4916	amers.exe
4116	axplons.exe
2500	axplons.exe
3528	axplons.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorku.job	207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4916	amers.exe
4916	amers.exe
4116	axplons.exe
4116	axplons.exe
2500	axplons.exe
2500	axplons.exe
3528	axplons.exe
3528	axplons.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4916	amers.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 564	1360	207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe	82
PID 1360 wrote to memory of 564	1360	207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe	82
PID 1360 wrote to memory of 564	1360	207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe	82
PID 564 wrote to memory of 1484	564	explorku.exe	83
PID 564 wrote to memory of 1484	564	explorku.exe	83
PID 564 wrote to memory of 1484	564	explorku.exe	83
PID 564 wrote to memory of 4916	564	explorku.exe	84
PID 564 wrote to memory of 4916	564	explorku.exe	84
PID 564 wrote to memory of 4916	564	explorku.exe	84
PID 4916 wrote to memory of 4116	4916	amers.exe	86
PID 4916 wrote to memory of 4116	4916	amers.exe	86
PID 4916 wrote to memory of 4116	4916	amers.exe	86
PID 564 wrote to memory of 4348	564	explorku.exe	87
PID 564 wrote to memory of 4348	564	explorku.exe	87
PID 564 wrote to memory of 4348	564	explorku.exe	87

C:\Users\Admin\AppData\Local\Temp\207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe
"C:\Users\Admin\AppData\Local\Temp\207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:4116
- - C:\Users\Admin\AppData\Local\Temp\1000014001\d815804a12.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014001\d815804a12.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:4348

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4860

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1928

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2984

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

Filesize
1.8MB

MD5
a2ca4bbfdd5cdb67ad561ac2d90f39f6

SHA1
2ec75719aa6289887dd008c977eb68da1795800b

SHA256
3365510ac4fedcd800e019eb3fac3fbe9ee52eef130e6d7e77ae7e57e8cf749f

SHA512
a41fbce7a5398664920b0cae64509ac87f477448635fb381e8ad7bb0f3db46b2c426aa7807da155a73b53702a6a908d657e18f22861d15fa444c606d4299cedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\d815804a12.exe

Filesize
2.2MB

MD5
29499e066c6f407a90a9e26cf2e48dd1

SHA1
25fb15d4c4635cde9462b0fe6e5d11841e84c22f

SHA256
7d5425027afadd6b7a3f06299a2d23fd7b143c35ddde5e66a3604e93007ee6bc

SHA512
66ce45f03f8decf49c06953f9b08f1291ef9c10c1bd1ff16f506908c4b827af5e15721b027b14acac67d02aa4981cb43eb3cd21784717b820c24a033246398fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Filesize
1.5MB

MD5
9e0d8d07a60fabc862137c73218944e0

SHA1
05a4e4e5c1f298d413616a85735ecdd000529e2f

SHA256
207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32

SHA512
d060c501beba283f1f56cc4487950e2f079dfdbd95101692da12f40c11c9dcf859a360186b2edd95a9e21ba543bb7602a23780214c170a8f02f0d71bb509cc73

Download Submit
memory/564-24-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-33-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-25-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-103-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-27-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-28-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-29-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-30-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-22-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-23-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/564-26-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/1360-0-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1360-6-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1360-4-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1360-5-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1360-7-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1360-8-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1360-21-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1360-1-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1360-2-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1360-3-0x00000000008B0000-0x0000000000D95000-memory.dmp

Filesize
4.9MB

Download
memory/1928-126-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/1928-123-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/1928-127-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/1928-124-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/1928-133-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/1928-129-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/1928-125-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/1928-128-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/2500-132-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/2500-121-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/2984-164-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/2984-160-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/3528-162-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/3528-166-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4116-73-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4116-107-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4116-137-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4116-134-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4116-117-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4116-114-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4116-111-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4116-110-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4116-104-0x00000000009D0000-0x0000000000E99000-memory.dmp

Filesize
4.8MB

Download
memory/4348-95-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4348-99-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4348-97-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4348-100-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4348-102-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4348-101-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4348-98-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4348-94-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4348-96-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4348-105-0x0000000000EF0000-0x0000000001575000-memory.dmp

Filesize
6.5MB

Download
memory/4860-53-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/4860-56-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/4860-57-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/4860-59-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/4860-58-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/4860-55-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/4860-61-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/4860-54-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/4860-52-0x0000000000CA0000-0x0000000001185000-memory.dmp

Filesize
4.9MB

Download
memory/4916-75-0x0000000000640000-0x0000000000B09000-memory.dmp

Filesize
4.8MB

Download
memory/4916-50-0x0000000077676000-0x0000000077678000-memory.dmp

Filesize
8KB

Download
memory/4916-49-0x0000000000640000-0x0000000000B09000-memory.dmp

Filesize
4.8MB

Download