Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-06-2024 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3.exe

  • Size

    1.8MB

  • MD5

    a434d5c301551f28fd501c1a28bc4cc1

  • SHA1

    26dc0809a985fe7e8d605a7fc34498967f3c5bdf

  • SHA256

    36b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3

  • SHA512

    18b62e4171edf7c7590f237551c1d142321b1c99d0889c834cd396b79e3a225d89caeff7050b045296316297cb17e47ce454761e584bfb93d0b774524684a738

  • SSDEEP

    49152:C1oNJ1L5HA09H7r7OHUgTN4StRv/QQZ0Ld6HMD:CO1dHA8jOHPvzrZyYs

Score
10/10
amadeyrisepro0e6740evasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

C2

77.91.77.66:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 63 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3.exe
    "C:\Users\Admin\AppData\Local\Temp\36b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:3844
        • C:\Users\Admin\AppData\Local\Temp\1000016001\d13a3cf604.exe
          "C:\Users\Admin\AppData\Local\Temp\1000016001\d13a3cf604.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:4336
        • C:\Users\Admin\AppData\Local\Temp\1000017001\8feeef9591.exe
          "C:\Users\Admin\AppData\Local\Temp\1000017001\8feeef9591.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:684
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
            4⤵
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4384
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd5657ab58,0x7ffd5657ab68,0x7ffd5657ab78
              5⤵
                PID:3532
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:2
                5⤵
                  PID:4592
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:8
                  5⤵
                    PID:3644
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:8
                    5⤵
                      PID:2916
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:1
                      5⤵
                        PID:808
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:1
                        5⤵
                          PID:2316
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4000 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:1
                          5⤵
                            PID:3540
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:8
                            5⤵
                              PID:3628
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:8
                              5⤵
                                PID:1140
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:8
                                5⤵
                                  PID:2180
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 --field-trial-handle=1936,i,15539048825368198102,17714732809367844365,131072 /prefetch:2
                                  5⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:704
                        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                          1⤵
                            PID:3180
                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4808
                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3384
                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3220

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                            Filesize

                            216B

                            MD5

                            4b987577e8a9cd4c85acbfde77c7fcc5

                            SHA1

                            8afd577ce895457c64e409828069be2a6cf3b03d

                            SHA256

                            c68fe389b220b84ffadfed6505724890c2b45626ebc341d9b8b9e7837a3863a1

                            SHA512

                            6efbd5bd1a522f05cf1d6191d5a440fe5e89fb367abc975b3419ff325c2b80f26c37006e25041fe1906018777044671e392a471a4cf9c5fe25a8cf34024635a4

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                            Filesize

                            2KB

                            MD5

                            127ff8467a67c0e30ad1163a3a8f52b5

                            SHA1

                            0944897ae88bd04d826864d28defc409719d8aee

                            SHA256

                            6b5ac095d3394f7bd66143bb53f28a608cfddbc56960c066335c32efa756e918

                            SHA512

                            89cc6307b20041948f434abc00c0151cc144b4e432e4a007245f529f8097b696404124753243e2de7fa0adc00531c8b492586cee87ed8d85aba96d2518611cc6

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                            Filesize

                            3KB

                            MD5

                            0fe57ff881944421c61cb4848bcd05ae

                            SHA1

                            9c6f2e2afafdecab2b9ae58767afa308c0db2733

                            SHA256

                            65950d09ff81e51351e2fbccfb4a871d73b2e7d78d8dccc2db062d059c304790

                            SHA512

                            366860f21d66e26da1b07bde2b33a2b182a10df051eb1838dde03517aeb0c7c0c0e9811303bd0104a5458220d060d0df1935dda8ae4843d24de50eb946bcebd7

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                            Filesize

                            2B

                            MD5

                            d751713988987e9331980363e24189ce

                            SHA1

                            97d170e1550eee4afc0af065b78cda302a97674c

                            SHA256

                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                            SHA512

                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                            Filesize

                            692B

                            MD5

                            1fdb3a025c4e38880c4459d1c744a4e0

                            SHA1

                            9e65b1680fe68ed1fd9b1bede9e52d23dca0fdc6

                            SHA256

                            6c696835664ab29dda81da35cd05feb0b2f0a829e9fee8d682337658ac1508d1

                            SHA512

                            745b6b1285ddd08a6e64db58cf1540749b1af2186e317f51e564d1c75c4abc1e1f9f53bed405355102c49059d33f29c9d15d3431832b981220d5b252c43b73f4

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                            Filesize

                            7KB

                            MD5

                            834d0bc83fa908de1c8d9bab442c5c92

                            SHA1

                            f592176c3fb4940dae242bcb96effa3a63a933a7

                            SHA256

                            023035b58be00774dcd6eadc53c8bf48568e35576b2f4751066f66baf7e562f4

                            SHA512

                            c5b226ba93ed5476bb8f0fbb6ec7a255d979ff425cd03372a75b1c42d7df2ab3343a39fabcf6808810e64bb146006dd826f3abe4647cea0db6b974e8ab7c6176

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                            Filesize

                            16KB

                            MD5

                            3a3168a31a02aefd1c1c4b0d160cd607

                            SHA1

                            0f0f838a1c0d8d943cc8b3db26ce795e4c2212a5

                            SHA256

                            a2db7d3ba7c4cf5d79ac82ec866df080fa716f8d020431b1a3d486a5d58ce440

                            SHA512

                            aa26ec6a23802f949384ea8335553c7bafd77862f111859ec2b9eebd9411cfb6b8aec13bb7d46a23770c7a16f451120dcd1028ae4be621d6b9e09f6600ee163b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                            Filesize

                            279KB

                            MD5

                            dc641fbb48616b0792a2033b4568820d

                            SHA1

                            4bb37134fd139e4bbd7b8c4a8ed06f9889d6e73d

                            SHA256

                            ccdea6733797734175f0ee0f4a112229dce444231b1afc45cc0de862bcc70fe1

                            SHA512

                            5df17e8938c5d10676914adeab0a42635580ac40c35f1151065a5737f4793c61c61393ad01862ae3f1c55031667c231289f74cd065af664c462e613d7c982c0a

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\1000016001\d13a3cf604.exe
                            Filesize

                            2.3MB

                            MD5

                            60132cb27146af72ae6ebd7e2ba5f523

                            SHA1

                            9d04f2edae301a202a0d0221b3534edf6f3c715b

                            SHA256

                            1999b67fbbddf3311f72661444f6d79955396839495c97584675c61d04f7964a

                            SHA512

                            24eeae84d8d87caa87f0d78f76b2d54c9a1d40bb7e7168f7d806d6581c7ce42ed029f3f623659e13ca8bba6694c3cc94c753f90e4355d3aabfd22d484150f05d

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\1000017001\8feeef9591.exe
                            Filesize

                            2.3MB

                            MD5

                            f2919adcf551238270aee051002030ee

                            SHA1

                            ed08d5f622548975869c8b5b6932d1b4f651564b

                            SHA256

                            44f043047a39e6c5c4d382a85dd6921d456ac18d89d1a4856c5e894e4d44173a

                            SHA512

                            437ed9206341a8eb1a755c0c2202b673cb59affafd20e380ffde2a0b21cb7b2236011d18a703dfe614fe3e0d6e68807d895c4916364f39699bd0c5a0ecb27178

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            Filesize

                            1.8MB

                            MD5

                            a434d5c301551f28fd501c1a28bc4cc1

                            SHA1

                            26dc0809a985fe7e8d605a7fc34498967f3c5bdf

                            SHA256

                            36b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3

                            SHA512

                            18b62e4171edf7c7590f237551c1d142321b1c99d0889c834cd396b79e3a225d89caeff7050b045296316297cb17e47ce454761e584bfb93d0b774524684a738

                            Download Submit

                          • memory/684-149-0x0000000000F60000-0x00000000014C6000-memory.dmp

                            Filesize

                            5.4MB

                            Download

                          • memory/684-117-0x0000000000F60000-0x00000000014C6000-memory.dmp

                            Filesize

                            5.4MB

                            Download

                          • memory/684-60-0x0000000000F60000-0x00000000014C6000-memory.dmp

                            Filesize

                            5.4MB

                            Download

                          • memory/684-155-0x0000000000F60000-0x00000000014C6000-memory.dmp

                            Filesize

                            5.4MB

                            Download

                          • memory/2092-18-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-202-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-172-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-115-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-20-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-118-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-116-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-19-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-168-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-170-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-209-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-100-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-200-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-198-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-196-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-148-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-194-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-189-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-21-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2092-157-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/3220-220-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/3220-222-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/3384-191-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/3384-192-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/3812-17-0x0000000000F60000-0x00000000013FC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/3812-3-0x0000000000F60000-0x00000000013FC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/3812-1-0x0000000077204000-0x0000000077206000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3812-5-0x0000000000F60000-0x00000000013FC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/3812-2-0x0000000000F61000-0x0000000000F8F000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/3812-0-0x0000000000F60000-0x00000000013FC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4336-146-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-174-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-193-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-158-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-195-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-171-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-197-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-147-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-199-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-156-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-201-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-223-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-208-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-114-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-169-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4336-42-0x0000000000070000-0x0000000000661000-memory.dmp

                            Filesize

                            5.9MB

                            Download

                          • memory/4808-137-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4808-138-0x0000000000F20000-0x00000000013BC000-memory.dmp

                            Filesize

                            4.6MB

                            Download