amadey | 2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4

Analysis

max time kernel
142s
max time network
124s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25-05-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
Size

1.8MB
MD5

0600379e0b43eca022435a1b6d2e9391
SHA1

2dc38dd0d363b958f5fc959dca2b0a5cca79dbb5
SHA256

2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4
SHA512

2d9de6bace93d53cfbe3b79ac4312c829fc32f17dc9bc5a9f17d560e8848b607b5d5a7c2f446a576b2a7189105e42d469e85dd6a6672d436c82e3edd372a9545
SSDEEP

49152:xWe+x52aAyz4uU++JkTGd+GSRwvwh1RLm:xV+SjuU++JWGoGxw3RLm

Score

10^/10

amadey risepro 0e6740 49e482 evasion persistence stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exe2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exeexplortu.exe36d3fb4ee7.exe6fecaa723a.exeexplortu.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	36d3fb4ee7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6fecaa723a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explortu.exeexplortu.exeaxplont.exe6fecaa723a.exeaxplont.exeaxplont.exeexplortu.exeaxplont.exe2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe36d3fb4ee7.exeexplortu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6fecaa723a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	36d3fb4ee7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6fecaa723a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	36d3fb4ee7.exe

Executes dropped EXE 10 IoCs

Processes:

explortu.exe36d3fb4ee7.exeaxplont.exe6fecaa723a.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exe

pid	process
2468	explortu.exe
848	36d3fb4ee7.exe
3368	axplont.exe
1004	6fecaa723a.exe
4216	explortu.exe
3340	axplont.exe
1940	explortu.exe
3988	axplont.exe
2216	explortu.exe
5080	axplont.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exe2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe36d3fb4ee7.exeaxplont.exeexplortu.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	36d3fb4ee7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	axplont.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000005001\6fecaa723a.exe	themida
behavioral2/memory/1004-72-0x0000000000FC0000-0x000000000161F000-memory.dmp	themida
behavioral2/memory/1004-74-0x0000000000FC0000-0x000000000161F000-memory.dmp	themida
behavioral2/memory/1004-76-0x0000000000FC0000-0x000000000161F000-memory.dmp	themida
behavioral2/memory/1004-75-0x0000000000FC0000-0x000000000161F000-memory.dmp	themida
behavioral2/memory/1004-79-0x0000000000FC0000-0x000000000161F000-memory.dmp	themida
behavioral2/memory/1004-78-0x0000000000FC0000-0x000000000161F000-memory.dmp	themida
behavioral2/memory/1004-80-0x0000000000FC0000-0x000000000161F000-memory.dmp	themida
behavioral2/memory/1004-77-0x0000000000FC0000-0x000000000161F000-memory.dmp	themida
behavioral2/memory/1004-90-0x0000000000FC0000-0x000000000161F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explortu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\6fecaa723a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\6fecaa723a.exe"	explortu.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

6fecaa723a.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6fecaa723a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6fecaa723a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exeexplortu.exe36d3fb4ee7.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exe

pid	process
988	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
2468	explortu.exe
848	36d3fb4ee7.exe
3368	axplont.exe
4216	explortu.exe
3340	axplont.exe
1940	explortu.exe
3988	axplont.exe
2216	explortu.exe
5080	axplont.exe

Drops file in Windows directory 2 IoCs

Processes:

36d3fb4ee7.exe2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe

description	ioc	process
File created	C:\Windows\Tasks\axplont.job	36d3fb4ee7.exe
File created	C:\Windows\Tasks\explortu.job	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exeexplortu.exe36d3fb4ee7.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exe

pid	process
988	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
988	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
2468	explortu.exe
2468	explortu.exe
848	36d3fb4ee7.exe
848	36d3fb4ee7.exe
3368	axplont.exe
3368	axplont.exe
4216	explortu.exe
4216	explortu.exe
3340	axplont.exe
3340	axplont.exe
1940	explortu.exe
1940	explortu.exe
3988	axplont.exe
3988	axplont.exe
2216	explortu.exe
2216	explortu.exe
5080	axplont.exe
5080	axplont.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exeexplortu.exe36d3fb4ee7.exe

description	pid	process	target process
PID 988 wrote to memory of 2468	988	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe	explortu.exe
PID 988 wrote to memory of 2468	988	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe	explortu.exe
PID 988 wrote to memory of 2468	988	2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe	explortu.exe
PID 2468 wrote to memory of 4748	2468	explortu.exe	explortu.exe
PID 2468 wrote to memory of 4748	2468	explortu.exe	explortu.exe
PID 2468 wrote to memory of 4748	2468	explortu.exe	explortu.exe
PID 2468 wrote to memory of 848	2468	explortu.exe	36d3fb4ee7.exe
PID 2468 wrote to memory of 848	2468	explortu.exe	36d3fb4ee7.exe
PID 2468 wrote to memory of 848	2468	explortu.exe	36d3fb4ee7.exe
PID 848 wrote to memory of 3368	848	36d3fb4ee7.exe	axplont.exe
PID 848 wrote to memory of 3368	848	36d3fb4ee7.exe	axplont.exe
PID 848 wrote to memory of 3368	848	36d3fb4ee7.exe	axplont.exe
PID 2468 wrote to memory of 1004	2468	explortu.exe	6fecaa723a.exe
PID 2468 wrote to memory of 1004	2468	explortu.exe	6fecaa723a.exe
PID 2468 wrote to memory of 1004	2468	explortu.exe	6fecaa723a.exe

C:\Users\Admin\AppData\Local\Temp\2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
"C:\Users\Admin\AppData\Local\Temp\2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
3⤵
PID:4748

C:\Users\Admin\1000004002\36d3fb4ee7.exe
"C:\Users\Admin\1000004002\36d3fb4ee7.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Users\Admin\AppData\Local\Temp\1000005001\6fecaa723a.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\6fecaa723a.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1004

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4216

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3340

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000004002\36d3fb4ee7.exe
Filesize
1.8MB

MD5
fe4e61e13c0b9d8f179b18608530cc21

SHA1
fae41b564cca41ad4140584622fe23627944c24d

SHA256
35cadd2f3c589e6bc0dd06b1bb5ae9d62fa5d108142aa81006dae50b7945e25f

SHA512
68f8ba9f8e627099e6c2b4fbe0ba3edee11a240a5c999cb7f17431354ade072dc32e9581c65d56a33f44fd790e5336d70107e42fc284d7f51315cad71f2b01ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\6fecaa723a.exe
Filesize
2.0MB

MD5
cea34b445e6306e6863c10100cc93948

SHA1
d64b6074cc20de96c2afc6f5071510ec55023a0f

SHA256
1dedd8a775a1fcaf26d8c1e1e4f2a6cba45809e2b5e36fbb0056f572ee04b286

SHA512
2a9cde8739c22afef43516c2a67e9c95646f813aaa36ffcca2548fa69baeacc0504e7659e0d20ef434413607061c4700680010bb1933ca2e4c3d7bb0bb40b594

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
Filesize
1.8MB

MD5
0600379e0b43eca022435a1b6d2e9391

SHA1
2dc38dd0d363b958f5fc959dca2b0a5cca79dbb5

SHA256
2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4

SHA512
2d9de6bace93d53cfbe3b79ac4312c829fc32f17dc9bc5a9f17d560e8848b607b5d5a7c2f446a576b2a7189105e42d469e85dd6a6672d436c82e3edd372a9545

Download Submit
memory/848-39-0x0000000000220000-0x00000000006EC000-memory.dmp

Filesize
4.8MB

Download
memory/848-53-0x0000000000220000-0x00000000006EC000-memory.dmp

Filesize
4.8MB

Download
memory/848-40-0x0000000000220000-0x00000000006EC000-memory.dmp

Filesize
4.8MB

Download
memory/988-1-0x0000000077B36000-0x0000000077B38000-memory.dmp

Filesize
8KB

Download
memory/988-2-0x0000000000BA1000-0x0000000000BCF000-memory.dmp

Filesize
184KB

Download
memory/988-3-0x0000000000BA0000-0x000000000104C000-memory.dmp

Filesize
4.7MB

Download
memory/988-5-0x0000000000BA0000-0x000000000104C000-memory.dmp

Filesize
4.7MB

Download
memory/988-15-0x0000000000BA0000-0x000000000104C000-memory.dmp

Filesize
4.7MB

Download
memory/988-0-0x0000000000BA0000-0x000000000104C000-memory.dmp

Filesize
4.7MB

Download
memory/1004-74-0x0000000000FC0000-0x000000000161F000-memory.dmp

Filesize
6.4MB

Download
memory/1004-72-0x0000000000FC0000-0x000000000161F000-memory.dmp

Filesize
6.4MB

Download
memory/1004-90-0x0000000000FC0000-0x000000000161F000-memory.dmp

Filesize
6.4MB

Download
memory/1004-76-0x0000000000FC0000-0x000000000161F000-memory.dmp

Filesize
6.4MB

Download
memory/1004-75-0x0000000000FC0000-0x000000000161F000-memory.dmp

Filesize
6.4MB

Download
memory/1004-79-0x0000000000FC0000-0x000000000161F000-memory.dmp

Filesize
6.4MB

Download
memory/1004-78-0x0000000000FC0000-0x000000000161F000-memory.dmp

Filesize
6.4MB

Download
memory/1004-80-0x0000000000FC0000-0x000000000161F000-memory.dmp

Filesize
6.4MB

Download
memory/1004-77-0x0000000000FC0000-0x000000000161F000-memory.dmp

Filesize
6.4MB

Download
memory/1940-110-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/1940-113-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2216-134-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2216-137-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-92-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-128-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-21-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-141-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-108-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-88-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-18-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-91-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-81-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-19-0x0000000000601000-0x000000000062F000-memory.dmp

Filesize
184KB

Download
memory/2468-130-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-20-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-96-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-126-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-99-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-123-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-101-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-118-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-104-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/2468-116-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/3340-87-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3340-85-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-95-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-127-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-140-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-115-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-106-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-103-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-119-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-121-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-100-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-124-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-97-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-89-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-54-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-93-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3368-131-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3988-112-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/3988-114-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/4216-83-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/4216-86-0x0000000000600000-0x0000000000AAC000-memory.dmp

Filesize
4.7MB

Download
memory/5080-136-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download
memory/5080-139-0x0000000000F40000-0x000000000140C000-memory.dmp

Filesize
4.8MB

Download