Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    307s
  • max time network
    311s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13/03/2024, 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4.exe

  • Size

    1.8MB

  • MD5

    3057a14ae0c5f0ceb2858e273ee9633a

  • SHA1

    ce9ffe6d73c10e260de31df0b34765708208afee

  • SHA256

    881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4

  • SHA512

    15e30b0c7b874d1ff11178e147f3adf744a7631e6d94e103bdd150323540131b6f47acbb1d8ad0253071cbca60460da47c9b3abfe0ffc89675c6d83deb8a5dc9

  • SSDEEP

    49152:4dW5kRem7F2qwI51qRhqcLSy+Pj+uHR5JKxh9iyU:4c5IL77V51ahjLSy+bxJKX9iyU

Score
10/10
amadeyriseproevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes
  • install_dir

    09fd851a4f

  • install_file

    explorha.exe

  • strings_key

    443351145ece4966ded809641c77cfa8

  • url_paths

    /Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

risepro

C2

193.233.132.62

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 11 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4.exe
    "C:\Users\Admin\AppData\Local\Temp\881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe
        "C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        PID:5116
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
              PID:3688
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\772066395907_Desktop.zip' -CompressionLevel Optimal
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1768
        • C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
          "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:980
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN InstallSetup8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe" /F
            4⤵
            • Creates scheduled task(s)
            PID:1376
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          PID:4608
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:624
    • C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
      C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
      1⤵
      • Executes dropped EXE
      PID:2268
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4632
    • C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
      C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
      1⤵
      • Executes dropped EXE
      PID:3972
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4740
    • C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
      C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
      1⤵
      • Executes dropped EXE
      PID:4028
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1612
    • C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
      C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
      1⤵
      • Executes dropped EXE
      PID:1136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      Filesize

      448KB

      MD5

      d2dab51fe1d0fe5808f788a797ba440c

      SHA1

      715ff4ec5c56e044dd29cb7cdac81dea68b114c5

      SHA256

      8f959b206923a156a88252f5d6b03faf12591c942e85acfd7e0c72c60eb87295

      SHA512

      1c0b62b73d5d08f801f6c0bc0d0fa6987300b0d0e49c3db990f5758f839dc24c7deaa13aa247437800b2a289cfed48327902b77d87999a0c98d4f33f96b60a61

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      Filesize

      1.8MB

      MD5

      3057a14ae0c5f0ceb2858e273ee9633a

      SHA1

      ce9ffe6d73c10e260de31df0b34765708208afee

      SHA256

      881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4

      SHA512

      15e30b0c7b874d1ff11178e147f3adf744a7631e6d94e103bdd150323540131b6f47acbb1d8ad0253071cbca60460da47c9b3abfe0ffc89675c6d83deb8a5dc9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      Filesize

      1.8MB

      MD5

      a96639013dd6a6779130148e29ddc3c1

      SHA1

      952dc0eea5102aa53c6059173a75e75e5c082468

      SHA256

      f3435c7148d06536c18c46b9668a1eabd49044f8d956117a3c34015b9843275c

      SHA512

      18d92a41614f6135dbfd3a401d607cdb86738f36131889f7c1ff4f6b74072e870d07324281e56cc7d123e1586026ac413e7fdb32c2d4f79dccab01b336b835bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      Filesize

      560KB

      MD5

      2bdc103c3db940d50a5a8cc4d38e8dc9

      SHA1

      d3e374f37c39996c397bc19112ad12e97e4c0063

      SHA256

      89a65cf3b972687ba3ecbfcdbb9731dfb2f477243c7f49690539dcb08d35f91a

      SHA512

      8cf7b5265a888e641f3c1454d6a03e250ece94d2c871a6b7c8f9cc5398a4899645410a515fd5eddada1e51b3c7338ca3d68ffe39293595a375cb51daddb8471d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      Filesize

      384KB

      MD5

      9f6c12ee9a2047bed5b11c02d85a8017

      SHA1

      3de5cc7207d4734213c2f65305bb9340d3b40c8c

      SHA256

      3beff944dfd4bce942f600ad00497fb0cb278b12b23834a95178ebd34b0eaf53

      SHA512

      929c0492716faf704d2f53499dabf7f045e7ae00076d1d424553f80cd687075910cb971a72dcd7ddb63db0fdfd92d803b443fcafd411f2d3c87b934371ece2ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe
      Filesize

      3.0MB

      MD5

      3d64a79615fce0bd0bcf8d123b5d4218

      SHA1

      d0d27ee13f2e2c169ce0e89fc2d0584f774edd8e

      SHA256

      0821aa04218b032989b65e98adcbecbea94c94378d94d5c7591b124cd78322bd

      SHA512

      f80087fdea0151710cfe0360eb19c243aa87326c121d05615cf47cf2b6caa5bf90bdde6476c3c76eee38b6a0512630a935c2a8d06038658068b9cdc9ee9e11ef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe
      Filesize

      962KB

      MD5

      7fe6cdf7db2a8feb56f6827903fef414

      SHA1

      751b6824df8869a56aa00f53a088f8caf2514c36

      SHA256

      ff231a8c0b840f76f5e1b40fc71d92e43fd61ca81eeef07a3b7af4a6840f9fa5

      SHA512

      4299d5d4df33502d904317ec04e3c464060a1dfc48913e8e4b5b0fcaabc13e2805b6e7f3e944caa1abe2c882745b4352cc5fc8cf5b59c0d7c5a187c9b18c39fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe
      Filesize

      352KB

      MD5

      eb0d116c14e6acd53e4eac0b415fd1f5

      SHA1

      86113e19da9f5714963537ddb21ca3e485edbb5d

      SHA256

      b2e8fca10a71a67ec2af610d0f588dfbc80f6a6d9578b2bf9e833478cc6a87a5

      SHA512

      cdcbc9b41453fe0583ab85f704343e9d207917a2eb497d457de349e96a34fa745e7e7c6d7f0640bae3df5620d8e665e523531acfd7d3280bf476f75b5adb5ba4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
      Filesize

      418KB

      MD5

      0099a99f5ffb3c3ae78af0084136fab3

      SHA1

      0205a065728a9ec1133e8a372b1e3864df776e8c

      SHA256

      919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

      SHA512

      5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svslg2kc.z4b.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
      Filesize

      109KB

      MD5

      726cd06231883a159ec1ce28dd538699

      SHA1

      404897e6a133d255ad5a9c26ac6414d7134285a2

      SHA256

      12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

      SHA512

      9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
      Filesize

      1.2MB

      MD5

      15a42d3e4579da615a384c717ab2109b

      SHA1

      22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

      SHA256

      3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

      SHA512

      1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

      Download Submit

    • memory/624-160-0x0000000004F70000-0x0000000004F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/624-154-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/624-156-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/624-158-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/624-157-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/624-159-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/624-161-0x0000000004F90000-0x0000000004F91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/624-162-0x0000000004F80000-0x0000000004F81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/624-164-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-27-0x00000000051B0000-0x00000000051B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1420-198-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-30-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-31-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-32-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-33-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-28-0x0000000005230000-0x0000000005231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1420-23-0x00000000051D0000-0x00000000051D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1420-24-0x0000000005200000-0x0000000005201000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1420-224-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-25-0x00000000051A0000-0x00000000051A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1420-222-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-26-0x00000000051C0000-0x00000000051C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1420-220-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-218-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-216-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-214-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-170-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-22-0x00000000051E0000-0x00000000051E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1420-102-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-200-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-29-0x0000000005220000-0x0000000005221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1420-196-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-194-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-192-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-21-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-151-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-20-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-190-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-172-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-168-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-174-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-166-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-236-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-238-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-240-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-242-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-244-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-246-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1420-176-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1612-234-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1612-228-0x0000000004980000-0x0000000004981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1612-229-0x0000000004960000-0x0000000004961000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1612-227-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1768-76-0x00007FFE2C1A0000-0x00007FFE2CB8C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1768-139-0x00007FFE2C1A0000-0x00007FFE2CB8C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1768-130-0x000001CBBD100000-0x000001CBBD10A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1768-75-0x000001CBBCF70000-0x000001CBBCF92000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1768-117-0x000001CBBD4A0000-0x000001CBBD4B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1768-78-0x000001CBBCE10000-0x000001CBBCE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1768-77-0x000001CBBCE10000-0x000001CBBCE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1768-104-0x000001CBBCE10000-0x000001CBBCE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1768-81-0x000001CBBD120000-0x000001CBBD196000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2268-6-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-3-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-5-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-4-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-2-0x0000000000CA0000-0x000000000114A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2268-1-0x0000000077C94000-0x0000000077C95000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-0-0x0000000000CA0000-0x000000000114A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2268-11-0x0000000004B00000-0x0000000004B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-18-0x0000000000CA0000-0x000000000114A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2268-7-0x0000000004A80000-0x0000000004A81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-8-0x0000000004A90000-0x0000000004A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-9-0x0000000004B10000-0x0000000004B11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4632-182-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4632-188-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-187-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4632-186-0x0000000000840000-0x0000000000841000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4632-185-0x00000000007E0000-0x00000000007E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4632-184-0x0000000004A00000-0x0000000004A01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4632-183-0x0000000000850000-0x0000000000851000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4632-181-0x0000000000860000-0x0000000000861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4632-180-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-178-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4740-202-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4740-204-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4740-206-0x0000000005250000-0x0000000005251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4740-207-0x0000000005230000-0x0000000005231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4740-205-0x0000000005240000-0x0000000005241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4740-208-0x0000000005270000-0x0000000005271000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4740-209-0x0000000005210000-0x0000000005211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4740-210-0x0000000005220000-0x0000000005221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4740-211-0x0000000005260000-0x0000000005261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4740-212-0x0000000000870000-0x0000000000D1A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/5116-189-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-213-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-215-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-199-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-217-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-197-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-219-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-195-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-221-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-55-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-223-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-46-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-193-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-140-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-191-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-153-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-171-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-235-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-155-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-237-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-165-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-239-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-175-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-241-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-167-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-243-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-173-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-245-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/5116-169-0x0000000000270000-0x000000000061C000-memory.dmp

      Filesize

      3.7MB

      Download