Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-06-2024 08:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe

  • Size

    1.8MB

  • MD5

    6f54435ac42e18c797942e79bc77080c

  • SHA1

    0e9fd3af85cd3ab3fa9b772d72c854ebd9ef77f9

  • SHA256

    06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc

  • SHA512

    545164d0b4d3ac4039b832101f25d42d10c0ac4cb6493eaa0d1230acbb08c80e3970d28c7054c6f227e1a05a31793b315941fe263d2638798c727df5e23a5f3a

  • SSDEEP

    24576:Tdj0ht8vXenMUwpUkQP4ztFvSlkP4Utm14mAfs0tARnJLgJicNR/bYmqIewCokPW:B0rMHpUr4ztBAkt1RvsAbvew3

Score
10/10
amadeyrisepro0e6740evasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

C2

77.91.77.66:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
    "C:\Users\Admin\AppData\Local\Temp\06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:4144
        • C:\Users\Admin\AppData\Local\Temp\1000016001\eaa82e21a4.exe
          "C:\Users\Admin\AppData\Local\Temp\1000016001\eaa82e21a4.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:4768
        • C:\Users\Admin\AppData\Local\Temp\1000017001\101bcd096d.exe
          "C:\Users\Admin\AppData\Local\Temp\1000017001\101bcd096d.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
            4⤵
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4472
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffffbfbab58,0x7ffffbfbab68,0x7ffffbfbab78
              5⤵
                PID:896
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:2
                5⤵
                  PID:4624
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:8
                  5⤵
                    PID:5068
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:8
                    5⤵
                      PID:1716
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:1
                      5⤵
                        PID:4656
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:1
                        5⤵
                          PID:5020
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3968 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:1
                          5⤵
                            PID:5148
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:8
                            5⤵
                              PID:5452
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:8
                              5⤵
                                PID:5512
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:8
                                5⤵
                                  PID:5548
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1888,i,11378335238632246632,2397856739451569710,131072 /prefetch:2
                                  5⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5020
                        • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                          C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                          1⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1588
                        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                          1⤵
                            PID:4348
                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:5540
                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2920

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                            Filesize

                            216B

                            MD5

                            69e56dc56b4c5a22036a7d92f1fc94b9

                            SHA1

                            9301fdca2d9ef474f91e7360efe3c7f68280dcf9

                            SHA256

                            083830d472b247c949273daae29bfe467a62074338bc961e57035fc94cc06b3b

                            SHA512

                            010b64bf3114ea07a73d3e6c3d10dbf0ae814f56447d13b680be5810da690b289173847076a47c2ce5dcce3c7023b323cc4811f9523ef608f8e0bef82d8e904d

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                            Filesize

                            2KB

                            MD5

                            f50a9d1b31da2d9d9f610e78cfe148f7

                            SHA1

                            1ccfe6dd8d888e2614f072c78fe67cf3cc0cedeb

                            SHA256

                            887e8953fa2a5625b9b14e882fb1ad5e406e7ea68468c2181779073261fdf345

                            SHA512

                            c3a8d78d05ac1029faa3283b7507c6c5cdcc186974746b98872b5de566b3ad5d6f84a68e7d6d3202d43bf87453d79ab1df7fc6161f8f075aabb8cdb9b9e27c98

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                            Filesize

                            2KB

                            MD5

                            575238fcdc1da06be3b891e338e07696

                            SHA1

                            0cbe06cd84a5a14824ec9ec373db39783669d8b7

                            SHA256

                            063fec5a73cf96d55964ca7983530fb833ab2cd51a2de92349b6d2a058159857

                            SHA512

                            932ead08b008fc1cebe4ae7dc3b426bda9e957f76746602a9ca2db210176893825b223654f3752fcddcdf44d303033287742756ef5448a018124e73ebdb98e5d

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                            Filesize

                            2B

                            MD5

                            d751713988987e9331980363e24189ce

                            SHA1

                            97d170e1550eee4afc0af065b78cda302a97674c

                            SHA256

                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                            SHA512

                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                            Filesize

                            688B

                            MD5

                            8b5f9ec9a11d2444c5d0ce5644476aea

                            SHA1

                            a4d84213e5ed8d27633b1cb747d35a4bf0c12fb8

                            SHA256

                            9f951b3f1f2ef531706daa150a4efc5c332814d878af1d2ce5ba84b6788b3068

                            SHA512

                            e381d368499d87d0b75cf8f452965eace061c4142ba48125a5b3db86c8ffff8c4147652caa0d03cd8eddbebf816f51dff798a2f93df14f1b5d6f920ee3f860e0

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                            Filesize

                            7KB

                            MD5

                            ac14ffd417ddd20ed97871acc935e179

                            SHA1

                            2225232d50ea0b0546badcd84953ebae152b3dc5

                            SHA256

                            94b1bcb018378da771e96ddc19ab8518e8155509fb5d25f771667969e8b808f9

                            SHA512

                            2bb370b2d3720b438589166ca1c97f4de06fa99a0f3ea45093324b99a0fb6d6e7e262d966f51cecfa4b92002d82aea614a1ffd9bc77a28720996bf9ef6b99b69

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                            Filesize

                            16KB

                            MD5

                            009de568bcf23d3b519d991c1cc3ff1d

                            SHA1

                            2ed04cf756a73121e3d56757dacb14b4704f44c7

                            SHA256

                            69b450fead50bf492d69c54c6e16ebbde1e43575b44a26461c07d15fa0adf648

                            SHA512

                            3aec9879a53df0d0dde8b76f9ab5e465fbf1f67eee12d75705ff1bb239654da4eb1c62a65d6b2868ace3129577ac1724c37766ce2aadc397a71991543e65130f

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                            Filesize

                            280KB

                            MD5

                            28dd7775609d6188261bf19110354b77

                            SHA1

                            5b47445a7e50bc73799540e14f58c413bc3fbe18

                            SHA256

                            800ff2c1231775ec93f61771669f4dc4c07385a814c4a21c742cbe5c4dd0a6f8

                            SHA512

                            0f8bc5f9a633422c25d17e4633e4cd89106ef49e69f1703e09715d9f31542452761fa0153f6126f1f5c45bcb3004475c8b2bf716bfccd8c038cb4dcbd0148483

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\1000016001\eaa82e21a4.exe
                            Filesize

                            2.3MB

                            MD5

                            2414198f1bfe185780b5549bf67df4e9

                            SHA1

                            04237fb0b148bf405a6f5e7681eef3cea471a2a5

                            SHA256

                            68cfcba954cefe1bae03ee109dda0386d2f897a805c2fff96b539a5443ecd6b4

                            SHA512

                            953cf8fa17235d3f7fc04646693a66774a08f365d2e7fb789c0397abc0d20ce8f1a403e276fd49d69bb1b4fe12422ef52bee316ba1f3a9cb3efaf869e3b85fe1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\1000017001\101bcd096d.exe
                            Filesize

                            2.3MB

                            MD5

                            8b6add9f9e2e7856108ff0a42280945b

                            SHA1

                            3d3d153224fc02b0d28609c57d745b65276f9ad3

                            SHA256

                            a579ceba84d65bcda920c3d7c3c829b887a53dd9456aadde382ee0d7726481e4

                            SHA512

                            ea9154e771da8ecda02b0ac13e3b58fd3b8aeda3c90ba8d5f77239f8f0b7a1a289b0c6d0852618586f176d0289e84bea3d373dca289eacbcaa8f8a626b208c45

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            Filesize

                            1.8MB

                            MD5

                            6f54435ac42e18c797942e79bc77080c

                            SHA1

                            0e9fd3af85cd3ab3fa9b772d72c854ebd9ef77f9

                            SHA256

                            06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc

                            SHA512

                            545164d0b4d3ac4039b832101f25d42d10c0ac4cb6493eaa0d1230acbb08c80e3970d28c7054c6f227e1a05a31793b315941fe263d2638798c727df5e23a5f3a

                            Download Submit

                          • memory/388-0-0x00000000003F0000-0x00000000008A9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/388-18-0x00000000003F0000-0x00000000008A9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/388-5-0x00000000003F0000-0x00000000008A9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/388-3-0x00000000003F0000-0x00000000008A9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/388-2-0x00000000003F1000-0x000000000041F000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/388-1-0x0000000076FE4000-0x0000000076FE6000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1588-66-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/1588-103-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/2920-149-0x0000000000060000-0x00000000005D0000-memory.dmp

                            Filesize

                            5.4MB

                            Download

                          • memory/2920-213-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/2920-207-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/2920-124-0x0000000000060000-0x00000000005D0000-memory.dmp

                            Filesize

                            5.4MB

                            Download

                          • memory/2920-158-0x0000000000060000-0x00000000005D0000-memory.dmp

                            Filesize

                            5.4MB

                            Download

                          • memory/2920-61-0x0000000000060000-0x00000000005D0000-memory.dmp

                            Filesize

                            5.4MB

                            Download

                          • memory/2920-156-0x0000000000060000-0x00000000005D0000-memory.dmp

                            Filesize

                            5.4MB

                            Download

                          • memory/4612-20-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-130-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-17-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-214-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-138-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-21-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-19-0x0000000000A01000-0x0000000000A2F000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/4612-155-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-225-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-139-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-112-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-160-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-204-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-171-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-202-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-173-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-200-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-198-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-196-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4612-180-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/4768-174-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-203-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-226-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-197-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-43-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-199-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-118-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-201-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-172-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-181-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-161-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-205-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-159-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-148-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-147-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-215-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4768-42-0x00000000009B0000-0x0000000000FAA000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/5540-177-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download

                          • memory/5540-179-0x0000000000A00000-0x0000000000EB9000-memory.dmp

                            Filesize

                            4.7MB

                            Download