Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe

  • Size

    1.8MB

  • MD5

    57417c027a4140c3e5def85c31b40a17

  • SHA1

    250b272d82e258046f49df98b076d181b87fee0f

  • SHA256

    5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00

  • SHA512

    48f25aea42c92753d380c97a81ba3b3838ba65b6a48a97ff01bfb359e8c673bf94f68c196ce3b834f9f510edad95fae7829131557a9a464e63fa7adb9b7a086b

  • SSDEEP

    24576:evUUu7weBzsyDb7y19RdBcUeraJMD4ZVDDhKh66Q0EhQm8Wttvkg13Il2fMG5Ptb:0uLBvwcUCO22DDY63bFqg13IkVEei

Score
10/10
amadeyrisepro0e6740evasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

C2

77.91.77.66:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 63 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
    "C:\Users\Admin\AppData\Local\Temp\5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:2880
        • C:\Users\Admin\AppData\Local\Temp\1000016001\23d5bdbdad.exe
          "C:\Users\Admin\AppData\Local\Temp\1000016001\23d5bdbdad.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:3080
        • C:\Users\Admin\AppData\Local\Temp\1000017001\42deb1b27c.exe
          "C:\Users\Admin\AppData\Local\Temp\1000017001\42deb1b27c.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4556
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
            4⤵
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4324
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff874edab58,0x7ff874edab68,0x7ff874edab78
              5⤵
                PID:3936
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:2
                5⤵
                  PID:3484
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:8
                  5⤵
                    PID:4696
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:8
                    5⤵
                      PID:1712
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:1
                      5⤵
                        PID:5072
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:1
                        5⤵
                          PID:1308
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:1
                          5⤵
                            PID:5540
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:8
                            5⤵
                              PID:5852
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:8
                              5⤵
                                PID:5916
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:8
                                5⤵
                                  PID:5924
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 --field-trial-handle=2024,i,10910927640972846032,14246737248188318701,131072 /prefetch:2
                                  5⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5708
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
                          1⤵
                            PID:2208
                          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                            1⤵
                              PID:5248
                            • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                              C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                              1⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5468
                            • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                              C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                              1⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4268
                            • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                              C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                              1⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2208

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\590d75fd-1b44-422b-9c5e-03958a57d8b0.tmp
                              Filesize

                              16KB

                              MD5

                              f444577f8f1874eb7629221a04d52a2b

                              SHA1

                              e6c78d89d7eb31cd9dbd54e1fdeee11e5a7ae43d

                              SHA256

                              3edc3e460d92f77b7dd2bf83c1c6332a4891a0c08a10ab87759aa77f53b585e8

                              SHA512

                              e8c72d03004e60c8fa87f8892deed5f8ee207655d1a90b150f68d1f2011bb72346c3c18f08becb0e0322fb9d5c5b581b1fe09c52dfa51be76138977daae9a7f4

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                              Filesize

                              216B

                              MD5

                              a996b866063ed4cc13752998fd41908e

                              SHA1

                              cbeaa0e6de6cf7dafc334c889c3593d704062e8c

                              SHA256

                              679df740d97a4c4b011150438b9faff9ef28897d582592306ca9c6ff368d6da7

                              SHA512

                              959975475bad3a44dc311c7cac5cc4971f2448a2124ab704f098abf0635e0dbf98e3f76abeb1fc0d537e88a33c3695d175f74362c6e889ff40be1da8b2ecf0bc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                              Filesize

                              2KB

                              MD5

                              0619e381a05709e24bc8b573e21e743f

                              SHA1

                              5bd0c05d288276f84d5a7120e12f7cf3e1bfc9d3

                              SHA256

                              3bef04e994b86cf1a1e9ad431bd0bbeec386fe4abe1d0010608c32bded13f9d9

                              SHA512

                              6eef0c5b20b709f9700261b45f2a94d6b3d5482b1a0afa209c27e4fa9a5ba0fd794d774d8c85218857dbfa78df93765c8e6f2f7a40f232e65a97057f38f929ee

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                              Filesize

                              2KB

                              MD5

                              bd94294f57e7b14cb4c03b69f297c068

                              SHA1

                              ee8939969bc9a74747ce9525a741b9e9749d5079

                              SHA256

                              12ab4b2497006bd48417089093668a6d2c4121b2b339ae3dc00806d01ed3fd15

                              SHA512

                              e734e1426b43ccdf257cc704b854da2773704536739267d70a840a6d41de7b5e5cf3f6b1d72c8dd89a24e66b633fe18e40fec1ba4c20c18729737ea2b5eefe1b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                              Filesize

                              688B

                              MD5

                              79f3a7bee5ef41284d6152f9cdb09c56

                              SHA1

                              5c98bbc451e470ca11a9fc0a49a69a0f71a40bce

                              SHA256

                              c02e866aee5b69d411a4ded9e6378f6aec131ada3db5538dd2acf07cbfd7b65d

                              SHA512

                              e46ce1079be4de36bf6db92a3631554f2364f7c7c732aba5d4cb68045082924340257805935562c03364ac56a500254d1680e82a48acc806a2fffba281cf9d50

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                              Filesize

                              7KB

                              MD5

                              e2c8f9af16e481b2c6494d75600e8c2f

                              SHA1

                              c28e376c6c2d9f235504e3d2c7ea9e9b19931ca1

                              SHA256

                              cbdd37ba287fa4768799a3138de336a086302202da820954b4485f25ec4cc031

                              SHA512

                              6420d3edd0d233ce656e4ac0e9e762cdccc0cc372f8cd25bebb399979ee31c24fe3dca387567380b9b25fab8d08364c5a5342f45d82dd03068a6c1fbc0494958

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                              Filesize

                              280KB

                              MD5

                              6c87fb8fe2cb903a0c424c6afa84d80e

                              SHA1

                              fe38fc20f49508a611aa32bbc741be9329bce4e3

                              SHA256

                              99fc8af8d9fff5d0f428824794243510e8680c55aa1e7c0114ebfb911a956e5a

                              SHA512

                              bc8432173f5ade85027dc1d89ef0842fec42ce0946889a49ea8afcbbaa921024be1ba24e5807bdbb94c38ab05688b0bacea1d90b675a225c29a87cd508ff40cf

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1000016001\23d5bdbdad.exe
                              Filesize

                              2.3MB

                              MD5

                              06d91f9f90d2f1114149c2c1d147a119

                              SHA1

                              ab867b58b6866f926a684ce5c6cac254578aace7

                              SHA256

                              a0c7887947f74e96b5ead5f118a1983d5ef832c5c1bb28f5c687280d643c909c

                              SHA512

                              903a5adc5a4460e6c4aa4d6009629429d0fa70b9f2864b1255f3018fc5df046695c4ef7e7ae6ab8c6baf9d58a457d5914c98e3e45aebb6b95f631b41b0e9ea9c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1000017001\42deb1b27c.exe
                              Filesize

                              2.3MB

                              MD5

                              4b1b3eb8f30cbe71e5268a9cab180156

                              SHA1

                              a3377a1c2037740bf4ce1e27b281af7a40c70075

                              SHA256

                              1d4297af7cdae0e82469c41619bf84f7b20d4806721254495b610756cb198e89

                              SHA512

                              fb87b5b90eb3899d6b2990fa70fbff3fe24f8d1210c7462d4724c5dd3c9fffae55f4a5f5c5a18d97fef59b1e031bf7e64f1981d66df4d8a71d65fc65f73bf228

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
                              Filesize

                              1.8MB

                              MD5

                              57417c027a4140c3e5def85c31b40a17

                              SHA1

                              250b272d82e258046f49df98b076d181b87fee0f

                              SHA256

                              5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00

                              SHA512

                              48f25aea42c92753d380c97a81ba3b3838ba65b6a48a97ff01bfb359e8c673bf94f68c196ce3b834f9f510edad95fae7829131557a9a464e63fa7adb9b7a086b

                              Download Submit

                            • memory/1016-209-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-142-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-169-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-220-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-21-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-20-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-113-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-19-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-171-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-116-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-18-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-174-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-158-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-132-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-190-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-155-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-143-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-201-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-199-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-197-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1016-195-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2000-0-0x0000000000B30000-0x0000000000FE6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2000-2-0x0000000000B31000-0x0000000000B5F000-memory.dmp

                              Filesize

                              184KB

                              Download

                            • memory/2000-3-0x0000000000B30000-0x0000000000FE6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2000-1-0x0000000077094000-0x0000000077096000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/2000-5-0x0000000000B30000-0x0000000000FE6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2000-17-0x0000000000B30000-0x0000000000FE6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2208-223-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2208-224-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/3080-192-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-210-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-172-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-159-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-175-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-157-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-42-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-43-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-222-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-114-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-170-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-196-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-202-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-198-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-144-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/3080-200-0x00000000006D0000-0x0000000000CB4000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/4268-194-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4268-193-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4556-115-0x0000000000F20000-0x000000000148C000-memory.dmp

                              Filesize

                              5.4MB

                              Download

                            • memory/4556-148-0x0000000000F20000-0x000000000148C000-memory.dmp

                              Filesize

                              5.4MB

                              Download

                            • memory/4556-61-0x0000000000F20000-0x000000000148C000-memory.dmp

                              Filesize

                              5.4MB

                              Download

                            • memory/4556-149-0x0000000000F20000-0x000000000148C000-memory.dmp

                              Filesize

                              5.4MB

                              Download

                            • memory/4556-156-0x0000000000F20000-0x000000000148C000-memory.dmp

                              Filesize

                              5.4MB

                              Download

                            • memory/5468-146-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/5468-147-0x0000000000910000-0x0000000000DC6000-memory.dmp

                              Filesize

                              4.7MB

                              Download