Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

64e589ec7b...ab.exe

windows10-2004-x64

7

64e589ec7b...ab.exe

windows7-x64

8

64e589ec7b...ab.exe

windows10-1703-x64

8

64e589ec7b...ab.exe

windows10-2004-x64

8

64e589ec7b...ab.exe

windows11-21h2-x64

1

Resubmissions

17/04/2024, 12:37

240417-pths4afc45 8

17/04/2024, 12:37

240417-ptg7kafc43 8

17/04/2024, 12:36

240417-ptcbbafc34 8

17/04/2024, 12:36

240417-ptbpsafc29 8

17/04/2024, 12:36

240417-pta39afc28 8

16/04/2024, 13:44

240416-q1vxnsda7z 8

Analysis

  • max time kernel
    597s
  • max time network
    602s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 12:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe

  • Size

    5.3MB

  • MD5

    63552c60caeefe5f2d0e4028b3cc65d3

  • SHA1

    dbed3040d53495a6afda01bfb8399376792eb48c

  • SHA256

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

  • SHA512

    caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

  • SSDEEP

    98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 10 IoCs
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
    "C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3604
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:4380
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:4688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:876
      • C:\Users\Admin\AppData\Local\Temp\~tl2E5F.tmp
        C:\Users\Admin\AppData\Local\Temp\~tl2E5F.tmp
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:400
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:3708
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:2088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4576
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:2600
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:540
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3116
              • C:\Windows\SYSTEM32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:2240
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:4540
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:4112
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:752
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4480
                • C:\Users\Admin\AppData\Local\Temp\~tl17A6.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tl17A6.tmp
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2920
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:4520
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:3720
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:3008
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1764
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3672
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4024
            • C:\Windows\system32\netsh.exe
              netsh int ipv4 set dynamicport tcp start=1025 num=64511
              2⤵
                PID:3652
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:4572
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:428
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3844
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4664
              • C:\Windows\TEMP\~tlC90B.tmp
                C:\Windows\TEMP\~tlC90B.tmp
                2⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3264
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  3⤵
                    PID:4800
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:4044
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:2840
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1324
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1532

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                d85ba6ff808d9e5444a4b369f5bc2730

                SHA1

                31aa9d96590fff6981b315e0b391b575e4c0804a

                SHA256

                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                SHA512

                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                34f595487e6bfd1d11c7de88ee50356a

                SHA1

                4caad088c15766cc0fa1f42009260e9a02f953bb

                SHA256

                0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

                SHA512

                10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                22310ad6749d8cc38284aa616efcd100

                SHA1

                440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                SHA256

                55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                SHA512

                2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                9c740b7699e2363ac4ecdf496520ca35

                SHA1

                aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

                SHA256

                be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

                SHA512

                8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                712B

                MD5

                0c4aba724b6e2e852ad1b3e4bd4742a7

                SHA1

                4fdf869d8d30c9403dae1aaafb965ed4471a35dc

                SHA256

                7e8b152b09973c3b059b0be784420d281cfcfac2c169bf6144e3ffc9c197f6d9

                SHA512

                e28ea2ea91826f5396090bf3b881f59f6e51fa58e30d1c328104c3917103087a71c63c21841151b11ba2e8bb8ea897f305aa5878f1843533d17572e7c69788e0

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                2e907f77659a6601fcc408274894da2e

                SHA1

                9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                SHA256

                385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                SHA512

                34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                d65ebc84c6b0b52901fb46f5e2b83ab5

                SHA1

                d036a0c3eb9e1616d0f7f5ca41171060c13a3095

                SHA256

                d45581b0807a0d04a70ec75e3e4575e73f148e5b4e0d3d325dfbd6400a4bfbd1

                SHA512

                88ac232e7702ebd53788cf8429d266ae367111bfccf4bc9d40ead25b552347521458ca60d320e2775b5d2edcaf8501251cb2db68b38dc000ac50463fb80865be

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rkh5mgh5.vym.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\~tl17A6.tmp
                Filesize

                393KB

                MD5

                9dbdd43a2e0b032604943c252eaf634a

                SHA1

                9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                SHA256

                33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                SHA512

                b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                Download Submit

              • C:\Windows\System\svchost.exe
                Filesize

                385KB

                MD5

                e802c96760e48c5139995ffb2d891f90

                SHA1

                bba3d278c0eb1094a26e5d2f4c099ad685371578

                SHA256

                cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                SHA512

                97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                Download Submit

              • C:\Windows\System\svchost.exe
                Filesize

                5.3MB

                MD5

                63552c60caeefe5f2d0e4028b3cc65d3

                SHA1

                dbed3040d53495a6afda01bfb8399376792eb48c

                SHA256

                64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

                SHA512

                caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

                Download Submit

              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                4KB

                MD5

                bdb25c22d14ec917e30faf353826c5de

                SHA1

                6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

                SHA256

                e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

                SHA512

                b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

                Download Submit

              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                b42c70c1dbf0d1d477ec86902db9e986

                SHA1

                1d1c0a670748b3d10bee8272e5d67a4fabefd31f

                SHA256

                8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

                SHA512

                57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

                Download Submit

              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                2b24135c275cd88473601b97234e4c4d

                SHA1

                5aac75438f222f430ab9b95f80f22a5626c498fa

                SHA256

                f66b5a12ca819afeb838fe912093d4c3cab6287fddad1ae516052a83a35b8983

                SHA512

                274f62312c4734c8ea7ec02411a3f0e179871b76660f487a3b0a7b9934675e414ca5bc7f3bf89d133aca52b947e8e309cdc3c5fa066e47516ce55414e498ffbd

                Download Submit

              • memory/752-155-0x00007FFD008D0000-0x00007FFD01391000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/752-179-0x00007FFD008D0000-0x00007FFD01391000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/876-72-0x00007FFD004E0000-0x00007FFD00FA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/876-79-0x00007FFD004E0000-0x00007FFD00FA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/876-73-0x0000026770000000-0x0000026770010000-memory.dmp

                Filesize

                64KB

                Download

              • memory/876-74-0x0000026770000000-0x0000026770010000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1764-197-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1764-221-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1764-198-0x000001A81BF10000-0x000001A81BF20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1996-64-0x00007FFD004E0000-0x00007FFD00FA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1996-65-0x0000013D744C0000-0x0000013D744D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1996-67-0x0000013D744C0000-0x0000013D744D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1996-78-0x00007FFD004E0000-0x00007FFD00FA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2920-196-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2920-193-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2920-194-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2920-195-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2920-191-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2920-226-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3068-110-0x0000024438D10000-0x0000024438D20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3068-135-0x00007FFD008D0000-0x00007FFD01391000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3068-109-0x0000024438D10000-0x0000024438D20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3068-108-0x00007FFD008D0000-0x00007FFD01391000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3116-154-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3116-150-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3116-187-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3116-192-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3116-151-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3244-3-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/3244-4-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/3244-5-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/3244-47-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/3244-0-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/3264-319-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3604-17-0x000001D276E20000-0x000001D276E30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3604-18-0x000001D276E20000-0x000001D276E30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3604-16-0x00007FFD004E0000-0x00007FFD00FA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3604-33-0x00007FFD004E0000-0x00007FFD00FA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3604-6-0x000001D278ED0000-0x000001D278EF2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/3672-215-0x0000025C88840000-0x0000025C88850000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3672-209-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3672-224-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3844-289-0x000001DDD44C0000-0x000001DDD4575000-memory.dmp

                Filesize

                724KB

                Download

              • memory/3844-290-0x000001DDD4580000-0x000001DDD458A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3844-244-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3844-245-0x000001DDBB8E0000-0x000001DDBB8F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3844-274-0x000001DDBB8E0000-0x000001DDBB8F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3844-268-0x00007FF462670000-0x00007FF462680000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3844-279-0x000001DDD44A0000-0x000001DDD44BC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/3844-292-0x000001DDD46D0000-0x000001DDD46DA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3844-297-0x000001DDBB8E0000-0x000001DDBB8F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3844-296-0x000001DDD4720000-0x000001DDD472A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3844-295-0x000001DDD4710000-0x000001DDD4716000-memory.dmp

                Filesize

                24KB

                Download

              • memory/3844-293-0x000001DDD4730000-0x000001DDD474A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/4024-306-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4024-243-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4024-314-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4024-241-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4480-175-0x00007FFD008D0000-0x00007FFD01391000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4480-176-0x000001FBD2C00000-0x000001FBD2C10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4480-177-0x000001FBD2C00000-0x000001FBD2C10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4480-182-0x00007FFD008D0000-0x00007FFD01391000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4500-29-0x00000241771D0000-0x00000241771E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4500-19-0x00000241771D0000-0x00000241771E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4500-38-0x00007FFD004E0000-0x00007FFD00FA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4500-34-0x00000241771D0000-0x00000241771E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4500-30-0x00007FFD004E0000-0x00007FFD00FA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4576-137-0x00007FFD008D0000-0x00007FFD01391000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4576-121-0x00007FFD008D0000-0x00007FFD01391000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4576-123-0x00000206E8C60000-0x00000206E8C70000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4576-122-0x00000206E8C60000-0x00000206E8C70000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4664-298-0x00000269736A0000-0x00000269736B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4664-291-0x0000026973E00000-0x0000026973E1C000-memory.dmp

                Filesize

                112KB

                Download

              • memory/4664-260-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4664-294-0x0000026973DF0000-0x0000026973DF8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/4664-262-0x00000269736A0000-0x00000269736B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4664-269-0x00007FF41AF10000-0x00007FF41AF20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4664-261-0x00000269736A0000-0x00000269736B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4688-91-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/4688-100-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/4688-83-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/4688-92-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/4688-104-0x0000000140000000-0x0000000140644400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/4952-153-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4952-105-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4952-106-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4952-103-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4952-107-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download