Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/06/2024, 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe

  • Size

    1.8MB

  • MD5

    5d8db7f0c0a8012c52645788c3b45bb3

  • SHA1

    97dc9c3f109f7df727c53931f919a0fe12896382

  • SHA256

    ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db

  • SHA512

    1dbf1829315df0636b99bea3c83134726e382c1db2c78f32d38cac74c7b5617f2564abed6fe2920009fde682a01e79108f62b0ee0925645847de76cfdfb2e9e7

  • SSDEEP

    24576:HAFe3VaOVG6h4xx7XjCLCJcv5EyQebU+aBpj+d5/yD3I/JPqaMymIzcoegP81q+O:HAFcVU6cxHACcEmbUIPVmIzJPgZ

Score
10/10
amadeyrisepro0e6740evasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

C2

77.91.77.66:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 63 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
    "C:\Users\Admin\AppData\Local\Temp\ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:2988
        • C:\Users\Admin\AppData\Local\Temp\1000016001\d242192fed.exe
          "C:\Users\Admin\AppData\Local\Temp\1000016001\d242192fed.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:2452
        • C:\Users\Admin\AppData\Local\Temp\1000017001\74749e97d3.exe
          "C:\Users\Admin\AppData\Local\Temp\1000017001\74749e97d3.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
            4⤵
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa8beab58,0x7fffa8beab68,0x7fffa8beab78
              5⤵
                PID:4564
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:2
                5⤵
                  PID:4304
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:8
                  5⤵
                    PID:440
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:8
                    5⤵
                      PID:3216
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:1
                      5⤵
                        PID:452
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:1
                        5⤵
                          PID:4648
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:1
                          5⤵
                            PID:3028
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:8
                            5⤵
                              PID:1848
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:8
                              5⤵
                                PID:908
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:8
                                5⤵
                                  PID:1456
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1916,i,14645187889952882188,6395502511579045899,131072 /prefetch:2
                                  5⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2824
                        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                          1⤵
                            PID:4136
                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:344
                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2336

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                            Filesize

                            216B

                            MD5

                            eec787f11507d5d8a86d855723cd83b8

                            SHA1

                            3ebcb1ee468a855ca0c6310b3bed4e06df8804b6

                            SHA256

                            befc82c300d50f9b425056e9709fb5485f730213c821d83542c6418f79c654a7

                            SHA512

                            e15b3033c1fe5cefd82f9135f358c01a164d75363e23760954a3fe29a6ddd876a39a253f0756a0de98886b437ec3aa7ab26d57cf43f9440e3ed29165f4a3ad3c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2f50ecfa-8d29-4ca4-afc1-81d0c9d8304f.tmp
                            Filesize

                            692B

                            MD5

                            8504d175a3951e9e0ff0655a0837cb42

                            SHA1

                            c1eb6d7ed3da209aef845a4063ed950a7dfadc6c

                            SHA256

                            2d48e8eba0c61517bb666b742f6bc70d8d18bd5d25e072635c9ee5a83346f77e

                            SHA512

                            52e153d740507db59b3b99b4f73528e3c22da4e378bcc9d7dd81d333540bc8252fb56d7df834736aedff6fa4a758a3327bcc85eb235f4be9a78a6bb473102703

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                            Filesize

                            2KB

                            MD5

                            a3d30df2f603dc5645871ef62e3bfe80

                            SHA1

                            4415b855bbf0767f66563c80bfe675c50246cb12

                            SHA256

                            c375c30fddc9f204ae629c98bdd0de919ad850a275f14f639fe46363daebe521

                            SHA512

                            161354a41fd6b8c2cf5c3261d488abf336bf4b2e2255a93372269a2f04374ff394ab708a5d24c64b3843805f61a86912efd42971b55233a380acb500b5d16de0

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                            Filesize

                            3KB

                            MD5

                            ba0fec9b86b2aa4d4a2efbb0d8ba7220

                            SHA1

                            74dbf29f234bc692d65109c888b6ecb3200e8d85

                            SHA256

                            1df7290769be4a230d00358a4e8e4b4d33553d0f538a014e7624b6b0ca2f5040

                            SHA512

                            103104a3ec3aeb1eef70da3c0f8992f5dbdf770ae53b56a905e7e14d8d098507c24ce803041b50ba83f6a11a62d8eb97b36250399d08a0c809f71b662af69322

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                            Filesize

                            2B

                            MD5

                            d751713988987e9331980363e24189ce

                            SHA1

                            97d170e1550eee4afc0af065b78cda302a97674c

                            SHA256

                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                            SHA512

                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                            Filesize

                            7KB

                            MD5

                            ac9497b3893f5da255b3744d7b2dc963

                            SHA1

                            40570e908601869791efda3c67af5a394063ad30

                            SHA256

                            fb20cb02f737a6a383716bd17a53a22fad7adb7ea06b04e62f78d407218d3598

                            SHA512

                            92bd02c9ddc92cef4ede5e56ec1b971cb965b0fbfd7a142393bfe2fe4cbb92cf6423c447e9787a999d9401d2348a94a1670ec355ed6b71a55dd297a6aae39f45

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                            Filesize

                            16KB

                            MD5

                            da94fa0cb01e9383871fcdecbd18b293

                            SHA1

                            d6de2de4796ca82bf7fa5db9ba55f35668b7a414

                            SHA256

                            59041d4f6f74dde72469c7e8a5bde886b9b043a49761a9b0176a7936015e9662

                            SHA512

                            74457200e67931d33b9e9c7fac2b93db158e4ca75bf15a3f2a4e8b7b4dd599237b538de60607ad9676f6cdd2e0e8ee445f3f99485efb5cd19760e05cc31bf4f6

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                            Filesize

                            279KB

                            MD5

                            ecd133520a345502ddc6f5faa920ae60

                            SHA1

                            d5ad4bbae9e0b07d6c60685310fb283d04773066

                            SHA256

                            12d2d88aabcc889ad07a2ebfad6712decb9866c95d15ae2f936bde2b0f33b022

                            SHA512

                            297ef763a73754d9ffaf1017bd063c4c8e2b52b031e2072fef52ca1bd4525e31b68fa0f50a0ea2c46c11dd2c9ffd06c41572bea696fe13d8ded0dbff9b8c8479

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\1000016001\d242192fed.exe
                            Filesize

                            2.4MB

                            MD5

                            2eb3a55faf1758dcd3eb4444e2916f67

                            SHA1

                            9d1183f8d2fcb431f13f2623e7c5576f44f802c3

                            SHA256

                            73add53c5cd676a937a974e094fca30813967a8b5f436a9c3a66cbfeede62ced

                            SHA512

                            5efd160d602f7b677c7fa4879081883572ddac9d8206f035e4d06c1337ca4dbc00d23e8abec116f39f58c3eb2f59eea848c7ab61e052279d75d81fe3f1aea544

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\1000017001\74749e97d3.exe
                            Filesize

                            2.3MB

                            MD5

                            67fa41ca85ba076c464f63cf7cf2973b

                            SHA1

                            836791dbd81943d26c87255dc5263b6bae89fd68

                            SHA256

                            55cb4e9e16bdc318decefc462626bfd7f92d438f20a290b22280377c8085615a

                            SHA512

                            f1274de83daee5a1e4fb1c1ee6ca1a813b4965d40cfa68f66aabe29ce4e494fae6444bf5e797c17b3c91482091cd8e4b3a03add456deafd016d5e0780a6649f6

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                            Filesize

                            1.8MB

                            MD5

                            5d8db7f0c0a8012c52645788c3b45bb3

                            SHA1

                            97dc9c3f109f7df727c53931f919a0fe12896382

                            SHA256

                            ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db

                            SHA512

                            1dbf1829315df0636b99bea3c83134726e382c1db2c78f32d38cac74c7b5617f2564abed6fe2920009fde682a01e79108f62b0ee0925645847de76cfdfb2e9e7

                            Download Submit

                          • memory/344-171-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/344-172-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2336-202-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2336-201-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/2452-152-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-197-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-223-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-212-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-115-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-204-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-199-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-43-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-42-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-195-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-193-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-177-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-174-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-144-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-169-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-158-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2452-156-0x00000000002A0000-0x00000000008B1000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/2732-145-0x0000000000100000-0x0000000000651000-memory.dmp

                            Filesize

                            5.3MB

                            Download

                          • memory/2732-153-0x0000000000100000-0x0000000000651000-memory.dmp

                            Filesize

                            5.3MB

                            Download

                          • memory/2732-155-0x0000000000100000-0x0000000000651000-memory.dmp

                            Filesize

                            5.3MB

                            Download

                          • memory/2732-116-0x0000000000100000-0x0000000000651000-memory.dmp

                            Filesize

                            5.3MB

                            Download

                          • memory/2732-61-0x0000000000100000-0x0000000000651000-memory.dmp

                            Filesize

                            5.3MB

                            Download

                          • memory/4316-2-0x0000000000991000-0x00000000009BF000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/4316-5-0x0000000000990000-0x0000000000E30000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4316-1-0x0000000077054000-0x0000000077056000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/4316-17-0x0000000000990000-0x0000000000E30000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4316-0-0x0000000000990000-0x0000000000E30000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4316-3-0x0000000000990000-0x0000000000E30000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-176-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-117-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-136-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-19-0x0000000000301000-0x000000000032F000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/4372-192-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-135-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-194-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-21-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-196-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-157-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-198-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-168-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-173-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-18-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-203-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-151-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-211-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-109-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-20-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-222-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download

                          • memory/4372-108-0x0000000000300000-0x00000000007A0000-memory.dmp

                            Filesize

                            4.6MB

                            Download