Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240611-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    22-06-2024 16:29

General

  • Target

    c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe

  • Size

    1.9MB

  • MD5

    62071def9c66134b49b6f603d74bed23

  • SHA1

    8d75934ba64ae1885a249f38054e6a1073dc2a59

  • SHA256

    c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1

  • SHA512

    6d607f896d8d5efb7e33c9958b545b052d830111383c92e1cbdbcd673aa62863fee702f1b648e178841cb0bc2ce92dd689e719d9899cfbe4014f3e4d5b3ed52c

  • SSDEEP

    49152:X0BAH1eZ4gk+pfKyCYYm1iycYakjytwP8KByvQhC6qLwia+f2:X0DWmpfdYmg8akjgcy4hORf

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

C2

77.91.77.66:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 63 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
    "C:\Users\Admin\AppData\Local\Temp\c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:764
        • C:\Users\Admin\AppData\Local\Temp\1000016001\a86b8c8598.exe
          "C:\Users\Admin\AppData\Local\Temp\1000016001\a86b8c8598.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:3584
        • C:\Users\Admin\AppData\Local\Temp\1000017001\faf34d8e54.exe
          "C:\Users\Admin\AppData\Local\Temp\1000017001\faf34d8e54.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3936
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
            4⤵
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1460
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff71c0ab58,0x7fff71c0ab68,0x7fff71c0ab78
              5⤵
                PID:1984
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:2
                5⤵
                  PID:3924
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                  5⤵
                    PID:1892
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                    5⤵
                      PID:2092
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:1
                      5⤵
                        PID:4032
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:1
                        5⤵
                          PID:3780
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3844 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:1
                          5⤵
                            PID:3984
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                            5⤵
                              PID:4568
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                              5⤵
                                PID:3928
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                                5⤵
                                  PID:1908
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2772 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:2
                                  5⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3516
                        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                          1⤵
                            PID:2632
                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2292
                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1092

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            216B

                            MD5

                            32945fe75c7ce0b49f92d8316c5a86ff

                            SHA1

                            17bbdb81cf514b2c9cd8f3afc58208fbef7e31f8

                            SHA256

                            38462fd22a26da500b556a5e52f5c63a2722cd69cc2ef9ac67c7f03b70bb19ed

                            SHA512

                            2a0a07ad5a76007754d5115b4211936ed719ebeffa9f5c8fc4f4cb2df5e3d32616b85d6e658304a562347d29e5764e54de39ba5e57969fdda6f5049e1282dfc3

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                            Filesize

                            3KB

                            MD5

                            67eb0077ef2cc78c8c511acc4559fb2b

                            SHA1

                            a7efa344016fd2305c2e6ba43f8b3fa59a1f3355

                            SHA256

                            c71b1a43440f534a3bdcf8a961ba776c5fb352f3df750aedd467586de02a6220

                            SHA512

                            fd8d8df701e77e7549d65a894080f8fb72e09cdb1cedc6b243a583c1978292b759534212b2c10ad45f3e3387fdb73fddf9bc0e5ff398210460bde2e706eb69f1

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                            Filesize

                            2KB

                            MD5

                            18a9178780a4fc229795d0d95d29f39e

                            SHA1

                            6a60827d0c0e46477e547dc1c82611c09edc72f8

                            SHA256

                            e10adb52aab7dc96dc2efae9200c6ff5add0e5a3fb31f2cc32c2b83ce3dfcc7b

                            SHA512

                            5656607709fb82328335f18a11cb9a0680db262109f72899d04f024781cbc13af317fa6a53acf3cc9883e59e187460cea3e4de4972e89ea3ec18797d2c6851eb

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                            Filesize

                            2B

                            MD5

                            d751713988987e9331980363e24189ce

                            SHA1

                            97d170e1550eee4afc0af065b78cda302a97674c

                            SHA256

                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                            SHA512

                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                            Filesize

                            692B

                            MD5

                            359c63416575884c2bf90472c00e0356

                            SHA1

                            3a0ad2bab03d84f57b0d57a422b193671c22f850

                            SHA256

                            149bd9f4a6671ca9d43414f0edba98e775c8920da7b62fe75e78b0ace913c928

                            SHA512

                            1f555d86883af061ccb5d5861f0d76afc8bdc0e7a99f3105b590497bb83d26a55102be44ce506edc914f6dfc7d6ca04b7489ec274e4b8bf4ff8f92830082ca7c

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                            Filesize

                            7KB

                            MD5

                            2ac8184f7c1f3490dba7c52fbfaa6557

                            SHA1

                            3afc539c012906e7e3da56cfe7be29cf2e773ed3

                            SHA256

                            45b6e5d828653f2940d06af2d1a8de4081e2eeafe154723b369ca98944eb887c

                            SHA512

                            0270f6c0fb31c025e38bbf9454e78c1425e5490f4973d1e9b90d72b50f873cffcc20a089e1472f49d225a0aa0c92d2020c897cebcec99331872d8d9f3fa88836

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                            Filesize

                            16KB

                            MD5

                            3a010f8d3adc472cc8de7c68a96804d0

                            SHA1

                            c7985cca903645398d671edd2d9a3c4ea05db205

                            SHA256

                            7a5a567e61239abe2880984ce07f1046368c6c0098be1b3de64a63484b9f8f5b

                            SHA512

                            48181c19bde8b352956a2f1065135beb1f3a34b223677ef6e88dad1fdaa3ecacea16e94eab1aad84633346018edc9c9c498044e0879c517156c516d3004a9bc3

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                            Filesize

                            279KB

                            MD5

                            988f610799c226d549a1f41aea15d7ac

                            SHA1

                            cec0fb1a46af7dff30bfe7c01bb89eb724311b9a

                            SHA256

                            51ac5067157dbc436a490e1166605b528e5122b6434c1ab7afb04324b0302c60

                            SHA512

                            091033bede2e3be5d2d131adf842190c1c4c2dc3f429a1f76c67c2998870b102ed47cb6faaf0a2460e6eba2ba6245f1066a6c602ff92f95cb18d481e82cf41e1

                          • C:\Users\Admin\AppData\Local\Temp\1000016001\a86b8c8598.exe

                            Filesize

                            2.3MB

                            MD5

                            904f75daa93fd4309898863f56a4e984

                            SHA1

                            d28454c3d875ad4b353a0f9644969ac21bad99bf

                            SHA256

                            17ea5facb9c79357269348b19b95e83bab36c367b26dc1ad0f7639ee547002dd

                            SHA512

                            9327a1208e4af49914ccfb0dfa93bef03cadbb4fe3e3c5cd9978278ce4fb99025571b691d7c89f56c873c13f7d3bbda1970ffb3da1714d53d2f825630c7d29c2

                          • C:\Users\Admin\AppData\Local\Temp\1000017001\faf34d8e54.exe

                            Filesize

                            2.3MB

                            MD5

                            421b69e42849130ab80d06431deeb7bb

                            SHA1

                            3a8010d6697a56103d3d44670012bdca3e5664ac

                            SHA256

                            e368b3c7ab7211bdfa5f83c652fc6ca3b4dd7cf9292e8a3b7001e33f9835381d

                            SHA512

                            fd185e1a78518512cbdb7f8c16fdb66d4a4a69fae736b2645448ad3b28cd3665519c438354b9a003d2d12c9ce774f2a49c6c578a4a9abfabe4965e2d00cb8799

                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

                            Filesize

                            1.9MB

                            MD5

                            62071def9c66134b49b6f603d74bed23

                            SHA1

                            8d75934ba64ae1885a249f38054e6a1073dc2a59

                            SHA256

                            c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1

                            SHA512

                            6d607f896d8d5efb7e33c9958b545b052d830111383c92e1cbdbcd673aa62863fee702f1b648e178841cb0bc2ce92dd689e719d9899cfbe4014f3e4d5b3ed52c
