Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

tmp.exe

windows7-x64

8

tmp.exe

windows10-1703-x64

8

tmp.exe

windows10-2004-x64

8

tmp.exe

windows11-21h2-x64

1

Resubmissions

11/04/2024, 06:38

240411-hd63esha9z 8

11/04/2024, 06:37

240411-hdp4xaha9x 8

11/04/2024, 06:37

240411-hdlrgsha9w 8

11/04/2024, 06:37

240411-hdk5ysha9t 8

11/04/2024, 06:37

240411-hdkjesha9s 8

07/04/2024, 08:23

240407-kabhfsgg71 8

07/04/2024, 08:23

240407-j97t9shc64 8

07/04/2024, 08:22

240407-j93wbagg7w 8

07/04/2024, 08:22

240407-j9yatsgg7s 7

Analysis

  • max time kernel
    599s
  • max time network
    604s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/04/2024, 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    5.3MB

  • MD5

    5fe4ea367cee11e92ad4644d8ac3cef7

  • SHA1

    44faea4a352b7860a9eafca82bd3c9b054b6db29

  • SHA256

    1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

  • SHA512

    1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

  • SSDEEP

    98304:lgU5484Bq1qdguoOzv4I3KOn6Ka1uFof9Hn6sdw5yOc4:iU54mqL9zvH3qO

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 10 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:2856
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:268
      • C:\Users\Admin\AppData\Local\Temp\~tlD51A.tmp
        C:\Users\Admin\AppData\Local\Temp\~tlD51A.tmp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\system32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:2768
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:2712
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:2696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1296
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:1032
            • C:\Windows\system32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:2016
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2132
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:2232
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:1716
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:1504
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:320
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2804
                • C:\Users\Admin\AppData\Local\Temp\~tlA229.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tlA229.tmp
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2992
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:1796
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:908
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:3004
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2868
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2596
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {03F568FE-B494-45A2-8BB5-CC925BF8499A} S-1-5-18:NT AUTHORITY\System:Service:
            1⤵
            • Loads dropped DLL
            PID:2156
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:3048
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                3⤵
                • Modifies data under HKEY_USERS
                PID:1588
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                3⤵
                • Modifies Windows Firewall
                • Modifies data under HKEY_USERS
                PID:2276
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                3⤵
                • Modifies Windows Firewall
                • Modifies data under HKEY_USERS
                PID:1656
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                3⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2600
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                3⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2404
              • C:\Windows\TEMP\~tl512C.tmp
                C:\Windows\TEMP\~tl512C.tmp
                3⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:2596
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  4⤵
                  • Modifies data under HKEY_USERS
                  PID:944
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  4⤵
                  • Modifies Windows Firewall
                  • Modifies data under HKEY_USERS
                  PID:1724
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  4⤵
                  • Modifies Windows Firewall
                  • Modifies data under HKEY_USERS
                  PID:1712
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  4⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2076
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  4⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:876

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            f303beebacaf508e0f83acfd48a83c65

            SHA1

            56079a2d55e1d96c210e637b1c182f7a89b250be

            SHA256

            0e29a023d6d0402ffac658603e1c16c50d62963c037e12db89f46bdb4abf99d3

            SHA512

            d0335327c8eff7d2f4de47ecd90060eea9ca78aaa0c0a38c94635025837f22b30846188d6298d5ae2a359859928e2f27f8adad22190c0a4c8faf901b84c60303

            Download Submit

          • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
            Filesize

            2.7MB

            MD5

            c9b1dde253446b4b2bc6a0ad4d3022c2

            SHA1

            66cf356f3717f3d07a1c568c7146f9f9f14adf9f

            SHA256

            4fcc265cafab726d5e03b652e7b3fb4681a28f0dc5349825fe28b5413c96d3f3

            SHA512

            0e8f41766a67cea5d48950d0f30b5c5e1c6b7e9a5d77515e2be72d719c11bed624991c8764c7edddb0981dffd34fbd6e6e89d9ac9bd65164a14b27f21a2ce005

            Download Submit

          • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
            Filesize

            13.7MB

            MD5

            5ce556ef454356bbd54f3c9037de144f

            SHA1

            fd11d4ed434483891d5b3714cd00b16442c0a807

            SHA256

            4ece39bb1b07302c7f77579f0082e4548b4c9127bf78ce787409a6903db8ab27

            SHA512

            3aeb5ad49cec6d6ffce5048a43e489f6d4c7e1182dc788909c2a72717165421a1e8e267ce0e1ee860f9b227e0da5805915a3529c8c306b5aaa3dc600a2ab92c8

            Download Submit

          • C:\Windows\system\svchost.exe
            Filesize

            5.3MB

            MD5

            5fe4ea367cee11e92ad4644d8ac3cef7

            SHA1

            44faea4a352b7860a9eafca82bd3c9b054b6db29

            SHA256

            1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

            SHA512

            1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

            Download Submit

          • \Users\Admin\AppData\Local\Temp\~tlA229.tmp
            Filesize

            393KB

            MD5

            9dbdd43a2e0b032604943c252eaf634a

            SHA1

            9584dc66f3c1cce4210fdf827a1b4e2bb22263af

            SHA256

            33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

            SHA512

            b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

            Download Submit

          • \Users\Admin\AppData\Local\Temp\~tlD51A.tmp
            Filesize

            385KB

            MD5

            e802c96760e48c5139995ffb2d891f90

            SHA1

            bba3d278c0eb1094a26e5d2f4c099ad685371578

            SHA256

            cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

            SHA512

            97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

            Download Submit

          • memory/268-52-0x0000000002510000-0x0000000002518000-memory.dmp

            Filesize

            32KB

            Download

          • memory/268-57-0x00000000028F0000-0x0000000002970000-memory.dmp

            Filesize

            512KB

            Download

          • memory/268-55-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/268-61-0x00000000028F0000-0x0000000002970000-memory.dmp

            Filesize

            512KB

            Download

          • memory/268-51-0x000000001B430000-0x000000001B712000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/268-62-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/268-54-0x00000000028F0000-0x0000000002970000-memory.dmp

            Filesize

            512KB

            Download

          • memory/268-53-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/320-170-0x000000001B400000-0x000000001B6E2000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/320-173-0x00000000027D0000-0x0000000002850000-memory.dmp

            Filesize

            512KB

            Download

          • memory/320-172-0x0000000002370000-0x0000000002378000-memory.dmp

            Filesize

            32KB

            Download

          • memory/320-181-0x00000000027D0000-0x0000000002850000-memory.dmp

            Filesize

            512KB

            Download

          • memory/320-180-0x000007FEF4C50000-0x000007FEF55ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/320-171-0x000007FEF4C50000-0x000007FEF55ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/320-186-0x00000000027D0000-0x0000000002850000-memory.dmp

            Filesize

            512KB

            Download

          • memory/320-188-0x00000000027D0000-0x0000000002850000-memory.dmp

            Filesize

            512KB

            Download

          • memory/320-190-0x000007FEF4C50000-0x000007FEF55ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1260-38-0x0000000140000000-0x0000000140645400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1260-66-0x00000000450E0000-0x00000000455DC000-memory.dmp

            Filesize

            5.0MB

            Download

          • memory/1260-122-0x0000000140000000-0x0000000140645400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1260-40-0x0000000140000000-0x0000000140645400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1296-145-0x0000000002844000-0x0000000002847000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1296-142-0x000007FEF4D50000-0x000007FEF56ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1296-143-0x0000000002840000-0x00000000028C0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1296-141-0x000007FEF4D50000-0x000007FEF56ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1296-140-0x000000000284B000-0x00000000028B2000-memory.dmp

            Filesize

            412KB

            Download

          • memory/1604-123-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1604-163-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1604-124-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1604-121-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1640-4-0x0000000140000000-0x0000000140645400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1640-1-0x0000000140000000-0x0000000140645400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1640-3-0x0000000140000000-0x0000000140645400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1640-2-0x0000000140000000-0x0000000140645400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1640-0-0x0000000140000000-0x0000000140645400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1640-36-0x0000000140000000-0x0000000140645400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1684-56-0x0000000002790000-0x0000000002810000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1684-60-0x0000000002790000-0x0000000002810000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1684-65-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1684-64-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1684-59-0x0000000002790000-0x0000000002810000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1684-63-0x000000000279B000-0x0000000002802000-memory.dmp

            Filesize

            412KB

            Download

          • memory/1684-58-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2132-202-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2132-161-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2132-162-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2132-164-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2516-138-0x000007FEF4D50000-0x000007FEF56ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2516-146-0x0000000002670000-0x00000000026F0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2516-144-0x0000000002670000-0x00000000026F0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2516-147-0x000007FEF4D50000-0x000007FEF56ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2516-139-0x0000000002670000-0x00000000026F0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2516-137-0x0000000002670000-0x00000000026F0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2516-136-0x000007FEF4D50000-0x000007FEF56ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2516-135-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2540-18-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2540-21-0x0000000002860000-0x00000000028E0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2540-22-0x0000000002860000-0x00000000028E0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2540-23-0x000000000286B000-0x00000000028D2000-memory.dmp

            Filesize

            412KB

            Download

          • memory/2540-15-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2596-306-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2596-289-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2612-24-0x0000000002424000-0x0000000002427000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2612-14-0x000000001B210000-0x000000001B4F2000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2612-25-0x0000000002420000-0x00000000024A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2612-17-0x0000000002420000-0x00000000024A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2612-19-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2612-16-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2612-20-0x0000000002420000-0x00000000024A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2804-185-0x0000000002930000-0x00000000029B0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2804-189-0x0000000002930000-0x00000000029B0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2804-187-0x000007FEF4C50000-0x000007FEF55ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2804-184-0x0000000002930000-0x00000000029B0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2804-183-0x000007FEF4C50000-0x000007FEF55ED000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2804-182-0x0000000002930000-0x00000000029B0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2992-203-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2992-206-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2992-233-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3048-259-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3048-284-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download