Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

64e589ec7b...ab.exe

windows10-2004-x64

7

64e589ec7b...ab.exe

windows7-x64

8

64e589ec7b...ab.exe

windows10-1703-x64

8

64e589ec7b...ab.exe

windows10-2004-x64

8

64e589ec7b...ab.exe

windows11-21h2-x64

1

Resubmissions

17/04/2024, 12:37

240417-pths4afc45 8

17/04/2024, 12:37

240417-ptg7kafc43 8

17/04/2024, 12:36

240417-ptcbbafc34 8

17/04/2024, 12:36

240417-ptbpsafc29 8

17/04/2024, 12:36

240417-pta39afc28 8

16/04/2024, 13:44

240416-q1vxnsda7z 8

Analysis

  • max time kernel
    600s
  • max time network
    601s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17/04/2024, 12:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe

  • Size

    5.3MB

  • MD5

    63552c60caeefe5f2d0e4028b3cc65d3

  • SHA1

    dbed3040d53495a6afda01bfb8399376792eb48c

  • SHA256

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

  • SHA512

    caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

  • SSDEEP

    98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 10 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
    "C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4072
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:3808
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4452
      • C:\Users\Admin\AppData\Local\Temp\~tl9007.tmp
        C:\Users\Admin\AppData\Local\Temp\~tl9007.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3516
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:4340
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:1476
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:3716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:2940
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:3512
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1152
              • C:\Windows\SYSTEM32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:3176
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:828
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:1252
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3908
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3588
                • C:\Users\Admin\AppData\Local\Temp\~tl741E.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tl741E.tmp
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4720
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:3808
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:3044
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:3048
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:684
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4072
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4952
            • C:\Windows\system32\netsh.exe
              netsh int ipv4 set dynamicport tcp start=1025 num=64511
              2⤵
              • Modifies data under HKEY_USERS
              PID:1912
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
              2⤵
              • Modifies Windows Firewall
              PID:3820
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
              2⤵
              • Modifies Windows Firewall
              PID:3968
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
              2⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:308
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
              2⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:1088
            • C:\Windows\TEMP\~tl9671.tmp
              C:\Windows\TEMP\~tl9671.tmp
              2⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:1700
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                3⤵
                • Modifies data under HKEY_USERS
                PID:3136
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                3⤵
                • Modifies Windows Firewall
                PID:4808
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                3⤵
                • Modifies Windows Firewall
                • Modifies data under HKEY_USERS
                PID:876
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                3⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:4408
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                3⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:5028

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            268b890dae39e430e8b127909067ed96

            SHA1

            35939515965c0693ef46e021254c3e73ea8c4a2b

            SHA256

            7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

            SHA512

            abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            246694a613262d9e401f6be4615dff88

            SHA1

            40c86e65658237804991ec9c493649313a959656

            SHA256

            0d8527acc24a3fd358d629c9108f4863efb773b299a67f265b0075b394bd60d0

            SHA512

            0135b3e9ef9f1085a518c076abaaa5e12bcebbbd2ab7ebd8948c894ceac59e763e6d4c0ceb089011197523c492286cb0ae04a5a2d38bb2cdf2b16f79d4d611b7

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            ccc63e24453ce834e007e1fcf4ebbd5b

            SHA1

            e94e9bb96127809dd73d78da16bf713dc42819db

            SHA256

            eed35806ac0670c93c02cf7620055bd578671a262438e30fc9c018d342ab3f25

            SHA512

            c2681a50865ce9718e53ff0238747475a7a47a52a45b7045abe36104c5f219a0c17975afb29640823e78ff1822f0075fba2a8c07cb1cd1373bed104d85622ad1

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            9450dfeeadfadc104552b3bcce0a193e

            SHA1

            44759f7521e156978008ce1c0dbad5e660d07e17

            SHA256

            b2a99ff5cbbf1ecb8c32c0eefb6897cbc88da3b28e7880c8d83563d686200dee

            SHA512

            c88fb94f01a418cb94cc73c5fa5bd4b57b7a1332db9db59e0fb3039d88de21c27510abb3d30402aef64e751097a1dca03ce2d1e4466bcf48983f7db428bb2ddc

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            553991c7ec92e59ae864f6e05439bb31

            SHA1

            1d2b0bc1f64a447788b1346ba5c1141c1bf2c132

            SHA256

            69fe45a6004949f55d6f508fae8239349441f2dc1cc6084702e651379c65b981

            SHA512

            0f410491d11e0b1e9f18b1491a56f9d3f3948ddf975270e54442d5a5b0ef1b9e5b1cb32f5146f2bbc2543558269c12059e79653b5e1d2b6c6154c51c0ce8e893

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            357f83db5efbfcfcfd7b341fd9083be8

            SHA1

            77173d713ca439c2858655b5e7961abceed6e15f

            SHA256

            0c9e57545470180291f41257115f29c5743a5038a24a48e7bda2916ce93affd8

            SHA512

            665c85bcd1928ce128d199d9014e5303158f52cc4400d902444f64db776527bee76af07c3c87865a09429f43fbfc778bc4cedb6e6b47ff87730bed7537a07d32

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bly2mkzy.vah.ps1
            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\~tl741E.tmp
            Filesize

            393KB

            MD5

            9dbdd43a2e0b032604943c252eaf634a

            SHA1

            9584dc66f3c1cce4210fdf827a1b4e2bb22263af

            SHA256

            33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

            SHA512

            b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\~tl9007.tmp
            Filesize

            385KB

            MD5

            e802c96760e48c5139995ffb2d891f90

            SHA1

            bba3d278c0eb1094a26e5d2f4c099ad685371578

            SHA256

            cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

            SHA512

            97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

            Download Submit

          • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
            Filesize

            2.6MB

            MD5

            e7634067c1219da664e2c13a622988bf

            SHA1

            b354b3912ec59fefecdaa660af50c679b136b6ca

            SHA256

            e1f51b61149b811c5029caaa39ddf54faa18fcd18bbcf432155ad324fbc0fdb7

            SHA512

            b61ea1448ec13e88c66e043c0f99d95a2626e631841bec0b0e2e1dd6cbbcb8f8587d414f3ad32794ccdadf7c763910ed844220684f3edc71109f47fe4353c944

            Download Submit

          • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
            Filesize

            7.8MB

            MD5

            3d315351bdaada2981a6a538c3a4a0ee

            SHA1

            4f8037408234c77084febafad461c70de2b031b6

            SHA256

            5b2507f85ea4755ac4cc1a96b246402e246979d1a059b78707a6aed7e3159fd2

            SHA512

            0815202976f5535f66d970c7e6de0a7d7fb1306a6b951624d9263fe8a2b2aefd073716312818e2a94385cd0c21e5e90b4daa9e829adc6b881e2c9f61273c9ad4

            Download Submit

          • C:\Windows\System\svchost.exe
            Filesize

            5.3MB

            MD5

            63552c60caeefe5f2d0e4028b3cc65d3

            SHA1

            dbed3040d53495a6afda01bfb8399376792eb48c

            SHA256

            64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

            SHA512

            caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

            Download Submit

          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            70b3ee3839890cd6e33de100160aa0f3

            SHA1

            ea985ff7cc4164f5f436cb0ab193bd598fd51a49

            SHA256

            fe9953998fabade77ae9294bb7fedfe83a59e7289a7dece404a8c82f15f7e46e

            SHA512

            5f12857006e4f6fe1130f2135a13575f606d3d7863cdcfdd207443bbfb9039b3b041cfb48ea5dd8daec318a7287891d3bfb2086c23bf6b0aa09bc254330274da

            Download Submit

          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            a2827d30b5145524f58d64c51b70c3f4

            SHA1

            8f4fecc26fded0f5c4c8c8ae948ce5d8d665c8dc

            SHA256

            cbf45dc2498ce9f494b7eba11d06f1516e54a986861ad4a6617716f90580172d

            SHA512

            a77b18e822eec9904329ba20e220de2389cdba1a94967b3ca04d4463e209a9744b0c84cded6d012247bae321fc71e8cbd36b8ad760a302aa9753598e082dff21

            Download Submit

          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            302a7c179ef577c237c5418fb770fd27

            SHA1

            343ef00d1357a8d2ff6e1143541a8a29435ed30c

            SHA256

            9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

            SHA512

            f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

            Download Submit

          • memory/684-576-0x000001DA68EA0000-0x000001DA68EB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/684-540-0x000001DA68EA0000-0x000001DA68EB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/684-536-0x00007FFF34470000-0x00007FFF34E5C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/684-539-0x000001DA68EA0000-0x000001DA68EB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/752-407-0x00007FFF345D0000-0x00007FFF34FBC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/752-309-0x00007FFF345D0000-0x00007FFF34FBC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/752-312-0x000001A92A430000-0x000001A92A440000-memory.dmp

            Filesize

            64KB

            Download

          • memory/752-348-0x000001A92A430000-0x000001A92A440000-memory.dmp

            Filesize

            64KB

            Download

          • memory/752-400-0x000001A92A430000-0x000001A92A440000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1064-57-0x000001F77DF30000-0x000001F77DF40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1064-25-0x000001F77E230000-0x000001F77E2A6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/1064-20-0x000001F77DF30000-0x000001F77DF40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1064-18-0x000001F77E080000-0x000001F77E0A2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1064-15-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1064-103-0x000001F77DF30000-0x000001F77DF40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1064-110-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1152-521-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1152-417-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1152-415-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1152-529-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2652-319-0x000001A1E7180000-0x000001A1E7190000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2652-320-0x000001A1E7180000-0x000001A1E7190000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2652-397-0x000001A1E7180000-0x000001A1E7190000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2652-316-0x00007FFF345D0000-0x00007FFF34FBC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2652-406-0x00007FFF345D0000-0x00007FFF34FBC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2652-358-0x000001A1E7180000-0x000001A1E7190000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3516-416-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3516-306-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3516-301-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3516-304-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3516-305-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3516-303-0x0000000140000000-0x000000014015E400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3588-478-0x00000266FB1B0000-0x00000266FB1C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3588-515-0x00000266FB1B0000-0x00000266FB1C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3588-519-0x00007FFF343D0000-0x00007FFF34DBC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3588-433-0x00000266FB1B0000-0x00000266FB1C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3588-434-0x00000266FB1B0000-0x00000266FB1C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3588-430-0x00007FFF343D0000-0x00007FFF34DBC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3908-421-0x00007FFF343D0000-0x00007FFF34DBC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3908-512-0x00007FFF343D0000-0x00007FFF34DBC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3908-501-0x0000028ABBC60000-0x0000028ABBC70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3908-448-0x0000028ABBC60000-0x0000028ABBC70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3908-423-0x0000028ABBC60000-0x0000028ABBC70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3908-424-0x0000028ABBC60000-0x0000028ABBC70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4024-0-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4024-6-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4024-118-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4024-5-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4024-3-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4072-17-0x00000256FA6C0000-0x00000256FA6D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4072-98-0x00000256FA6C0000-0x00000256FA6D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4072-580-0x000002D74FC80000-0x000002D74FC90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4072-16-0x00000256FA6C0000-0x00000256FA6D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4072-50-0x00000256FA6C0000-0x00000256FA6D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4072-19-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/4072-544-0x00007FFF34470000-0x00007FFF34E5C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/4072-546-0x000002D74FC80000-0x000002D74FC90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4072-104-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/4412-226-0x0000000015840000-0x0000000015D3C000-memory.dmp

            Filesize

            5.0MB

            Download

          • memory/4412-276-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4412-260-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4412-277-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4412-279-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4412-123-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4412-302-0x0000000140000000-0x0000000140644400-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/4452-141-0x0000026065320000-0x0000026065330000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4452-134-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/4452-225-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/4452-217-0x0000026065320000-0x0000026065330000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4452-168-0x0000026065320000-0x0000026065330000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4452-138-0x0000026065320000-0x0000026065330000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4720-533-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4720-528-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4720-532-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4720-531-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4720-636-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4720-637-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4720-530-0x0000000140000000-0x0000000140170400-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/5028-132-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/5028-136-0x000001AD28D60000-0x000001AD28D70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5028-140-0x000001AD28D60000-0x000001AD28D70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5028-171-0x000001AD28D60000-0x000001AD28D70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5028-216-0x000001AD28D60000-0x000001AD28D70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5028-224-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

            Filesize

            9.9MB

            Download