Overview

overview

7

Static

static

3

22846a4ce2...68.exe

windows7-x64

7

22846a4ce2...68.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2023, 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22846a4ce2d41e6016ca35cec6d8a943874f6c96a028a7a687c4794e66476168.exe

  • Size

    1.6MB

  • MD5

    a1a959301554de6d7c70733a501589f5

  • SHA1

    e21f59f43d7dc531943ec8ee9ce10bc6d1d96fd3

  • SHA256

    22846a4ce2d41e6016ca35cec6d8a943874f6c96a028a7a687c4794e66476168

  • SHA512

    33d7dab3d9279eaaab0f12976c8a3f99318db06053f6c7f41eaa368bce3d188e9fdfd9c821beee8324a9e8c75773e216444de57eed77861f3d6eadb10c49827b

  • SSDEEP

    24576:hTbBv5rUmmH2mY3QtZUTNNd/EOnyTozjv63idwt2M4KXGCpmTuqaS5kld5:rBy6CGTN789TojvZwtzKCA7aPR

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22846a4ce2d41e6016ca35cec6d8a943874f6c96a028a7a687c4794e66476168.exe
    "C:\Users\Admin\AppData\Local\Temp\22846a4ce2d41e6016ca35cec6d8a943874f6c96a028a7a687c4794e66476168.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" Update-um.m.vbe
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\atia\rcubghq.pif
        "C:\atia\rcubghq.pif" buurue.msc
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\atia
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3316
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1192
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1420
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5072
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4860
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4492
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:560
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4244
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:116
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5060
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
            PID:2488
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4164

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      c335bc8fcdc9fbf2cd63296bee165f87

      SHA1

      9133e03ab1a4c553ce6f16b62d51cfddbb907776

      SHA256

      01b450264d42bbee4f63c8ec74cd736f984544c2a3f5200bc92bcd16f2cb26c3

      SHA512

      cd8a13359ca44a76226c3fa4d0a02225fca4f4a057168d53a189a7e1a3479074b65533353930fa512a5b54c0a846efd3d9eb7a1b8fd8245ee3d7eeda40bae194

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      3f21fa3a707d2ef18e97d2922ccbb9cf

      SHA1

      b1dd772dc460eb2157b33bd933ab068e9487980e

      SHA256

      8df67344ce0b81e622ef7e7b06e0c370c91368037c84ea0170eaab1058d76b10

      SHA512

      4e64fb6bdca8b45b20fe09d6a4483a9da6b975d837bafeb468da3d0c7692a4302a9367478745b55faec563457349326d19fc2e238c53f96da8b8ed85ef8f52b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      3f21fa3a707d2ef18e97d2922ccbb9cf

      SHA1

      b1dd772dc460eb2157b33bd933ab068e9487980e

      SHA256

      8df67344ce0b81e622ef7e7b06e0c370c91368037c84ea0170eaab1058d76b10

      SHA512

      4e64fb6bdca8b45b20fe09d6a4483a9da6b975d837bafeb468da3d0c7692a4302a9367478745b55faec563457349326d19fc2e238c53f96da8b8ed85ef8f52b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      11KB

      MD5

      453d9a1ffc1ebd1329dd4a90c8bcbbf4

      SHA1

      fa1150b7a5eefade9a84a13d46b9508964ecdb1f

      SHA256

      c498ead86c33a3e8e1d8225821a21cd3d93cae4a4259ebd5a245ed2d589e3abe

      SHA512

      d6200c32322ee110d0ae6bd873f0561ef32d5e68f9320b9bc4ea5229506a2be76d5f225fc8847025178b7f5fbb7f9926110aa16973c1da30055350dea860afe6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      11KB

      MD5

      453d9a1ffc1ebd1329dd4a90c8bcbbf4

      SHA1

      fa1150b7a5eefade9a84a13d46b9508964ecdb1f

      SHA256

      c498ead86c33a3e8e1d8225821a21cd3d93cae4a4259ebd5a245ed2d589e3abe

      SHA512

      d6200c32322ee110d0ae6bd873f0561ef32d5e68f9320b9bc4ea5229506a2be76d5f225fc8847025178b7f5fbb7f9926110aa16973c1da30055350dea860afe6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      11KB

      MD5

      4427b8d759f1da72320d35bb358db90f

      SHA1

      9dbb1d964d907aef803fa978d1028559e323a4a2

      SHA256

      0c7c349a9536d563c973e6c61048a97a0ce8394b9859d5fa0f2307c804be4153

      SHA512

      868a8436a63718207b7ca3abc8db06d820cb2a40183b07cd281857ee3c067f809a9c34561913d8ebbcbaa6830d6c2be71bd518a507ed11de6e6167b700b4378d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      a44c448492c39838bc458cd8b05ab4d0

      SHA1

      ae9d758970138fb0da6af968273b1eeec82d7336

      SHA256

      71fcb03b086805e9ad97b493f58bb835e258260760c15a9246889e3ce88d2a23

      SHA512

      f1968e339a6adf330ce0e301fd4f2ee9e174de1ca5a103c8edbd9bf751b1ab803b775a3b02c4dda51373077a6a745a7025a5c92d8da1fd035a985aca236f8a9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      be7bc324d4af4eddcd7140b54aec96c9

      SHA1

      a240ea5ecad1912c46c092fe79d97d1f51d002f8

      SHA256

      3baf00942a0de96e3e071874106c4c2dc51ea9ba50366918443ec779fc0187c3

      SHA512

      9209425b5acfe5cae780ecb40051e28348943d0fe33c7ef3c102c709ee2ba05a506d1382ac421d44093954ddc1affa65c949481a0416df5a60930161c77094ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      11KB

      MD5

      806c569eb69f975c3d2642bf7aaf10d2

      SHA1

      7cb566500b7b8ae03ab434d96b69d1849f3e3dcd

      SHA256

      78cee835e85a8a88c1f20338785644ee0a50a941464eff6013709436bfe52dc1

      SHA512

      b5e79d21fcd4b14d81956944543372f3fd584a74947650b6ba8f6ae2b4cbec06355ff89b793dc20f7c5f3c7e40bc86952e0aef92c341fc02fc9d2644bb278a1e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      11KB

      MD5

      c7b081ef8d13efecf4d53c4176a4c3c1

      SHA1

      36c09b3cda1b19c9560edf9e555e608cc3b364c4

      SHA256

      caca9097de1b2bbe7222b6f673b4df3696a36ed81f880770c2eb752e750e574e

      SHA512

      1f82ee44e9b94422575adbebb8fc8869a6950577d8c5607a1be54082db7c06277c862349551bc58524abd797df3ea69edd93b87cac9c488eef4a89240a94ec02

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mugo0trf.stw.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\atia\Update-um.m.vbe
      Filesize

      85KB

      MD5

      259316e04bb670684d416c028359920e

      SHA1

      1b9b2e05d2f2c0e2d907bdefeb6d6b6120b2eab0

      SHA256

      3681aa7bdb728f6da16b47183ab36494034c3d34b579ad6842eafbf106e70e8e

      SHA512

      297b5128e9495c206cd2e069fb8c7374aaf27abb11aed0553485cb13b04c71d5382f27a3fa7a6cb0f12ceb0c60db1811a4f4b98b02b73dba216d69c526f80e94

      Download Submit

    • C:\atia\buurue.msc
      Filesize

      7.7MB

      MD5

      d5372b9b3e49c951b8f5a70247beb9fa

      SHA1

      2917e9cd55865adb622390cd88b05d439fc69b09

      SHA256

      3591ae09f507dd6279f86dfc22e30a71dd172d1aa8c6fb044864d2eaf7e9d0a7

      SHA512

      7b3c701e9bb8db110e00913b21907b55ba9f80e4ccf69124d388b15f9e1ce61ba4bcd722541b259ec3d64b3e7f94e8fa9ce1947040262a7371505d23481dea39

      Download Submit

    • C:\atia\bwltkmu.aba
      Filesize

      366KB

      MD5

      c816e2961956d69685dbe3ade51a739c

      SHA1

      69d160eb45bd667e87110ea4fa745b6639318e8c

      SHA256

      5ce21d47819a4b9cc92e2203838eb172ca9f9da23353b06bcf7d1f4aa3a0ea0d

      SHA512

      a323df998cfa38b057023ecf1e110a31ddf167a3503b19a5f6d00fdfb2f0013d40da91b70ec7d20deac3ecbd90d97a0274af718c71e0228e2e4cae5ca23921d8

      Download Submit

    • C:\atia\huwtn.mp3
      Filesize

      34KB

      MD5

      d0e6fe6c44ca2d630745343dac8ddf03

      SHA1

      e7f76cb118e2d7ccd2217bf382304471b23438d4

      SHA256

      a9b997357aa7022526e3d96ba91fc1b8c92c98107e504191e644b7a8e600d61c

      SHA512

      27720c33267aa6e77eded76f4a4caf2e5401aa01683c334386e0edd28a1a34372ce3c4d87110b3fd95b4ae789a2761cabd8e3bc476120d75fc266acd5c642e6d

      Download Submit

    • C:\atia\rcubghq.pif
      Filesize

      2.8MB

      MD5

      ecf3380dca78f1688b4740e5eddac7f7

      SHA1

      320f7dc6d84a817ac522273752d37c9bd9a9b7d6

      SHA256

      02764cbb1d82cc15973994d9a2356cc8cf1464e30c020e713969c5b3758548ec

      SHA512

      d071276dc10862df62b4cec9887b801aa4d5e8fa6e27d295c4377cad4dedbb6d00eb4e174beba0f3055715370bd931c4705abd8e0025901bfa45d1965800fe96

      Download Submit

    • C:\atia\rcubghq.pif
      Filesize

      2.8MB

      MD5

      ecf3380dca78f1688b4740e5eddac7f7

      SHA1

      320f7dc6d84a817ac522273752d37c9bd9a9b7d6

      SHA256

      02764cbb1d82cc15973994d9a2356cc8cf1464e30c020e713969c5b3758548ec

      SHA512

      d071276dc10862df62b4cec9887b801aa4d5e8fa6e27d295c4377cad4dedbb6d00eb4e174beba0f3055715370bd931c4705abd8e0025901bfa45d1965800fe96

      Download Submit

    • memory/116-236-0x0000000005260000-0x0000000005270000-memory.dmp

      Filesize

      64KB

      Download

    • memory/116-234-0x0000000005260000-0x0000000005270000-memory.dmp

      Filesize

      64KB

      Download

    • memory/116-182-0x0000000005ED0000-0x0000000005F36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/560-235-0x0000000005010000-0x0000000005020000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1192-314-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1192-356-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1192-322-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1192-321-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1420-246-0x0000000006560000-0x000000000657E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1420-196-0x0000000002D10000-0x0000000002D20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1420-179-0x00000000056A0000-0x00000000056C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1420-190-0x0000000002D10000-0x0000000002D20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2200-177-0x00000000050D0000-0x0000000005106000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2200-178-0x0000000005740000-0x0000000005D68000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2200-213-0x0000000002CF0000-0x0000000002D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2200-181-0x0000000002CF0000-0x0000000002D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-378-0x0000000007140000-0x000000000715A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3316-280-0x0000000006CB0000-0x0000000006CE2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3316-367-0x0000000007040000-0x000000000704E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3316-316-0x000000007F9B0000-0x000000007F9C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-317-0x0000000007450000-0x0000000007ACA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3316-318-0x0000000006E00000-0x0000000006E1A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3316-319-0x0000000006E70000-0x0000000006E7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3316-320-0x00000000070A0000-0x0000000007136000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3316-180-0x0000000005420000-0x0000000005486000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3316-189-0x00000000045E0000-0x00000000045F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-287-0x00000000045E0000-0x00000000045F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-379-0x0000000007090000-0x0000000007098000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3316-297-0x0000000006C70000-0x0000000006C8E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3316-286-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4164-285-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4164-247-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4164-300-0x00000000010E0000-0x000000000142A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4244-346-0x0000000002680000-0x0000000002690000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4244-382-0x000000007F2F0000-0x000000007F300000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4244-368-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4244-315-0x0000000002680000-0x0000000002690000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4492-298-0x0000000002980000-0x0000000002990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4492-336-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4492-333-0x0000000002980000-0x0000000002990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4492-299-0x0000000002980000-0x0000000002990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4860-201-0x0000000002230000-0x0000000002240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4860-185-0x0000000002230000-0x0000000002240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-357-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5060-381-0x000000007F460000-0x000000007F470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-313-0x0000000002540000-0x0000000002550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-335-0x0000000002540000-0x0000000002550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5060-312-0x0000000002540000-0x0000000002550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5072-301-0x00000000031D0000-0x00000000031E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5072-334-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5072-380-0x000000007EE20000-0x000000007EE30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5072-323-0x00000000031D0000-0x00000000031E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5072-311-0x00000000031D0000-0x00000000031E0000-memory.dmp

      Filesize

      64KB

      Download