Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

61c51c7ab2...34.exe

windows7-x64

10

61c51c7ab2...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07/05/2024, 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe

  • Size

    7.2MB

  • MD5

    5446af14bfb2bf63ec1b409a0752f2bb

  • SHA1

    2d0ed53f2bab261a09e50e35b95f896ddf6dd688

  • SHA256

    61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434

  • SHA512

    3f96ff6656d7937fe3be66688c5559a238be9e0277373dd8a325f2e36fbd50095285ae8da8db0b59f0706b9514bdf54f2f66da81caf4d2818b9c9d20d5cff436

  • SSDEEP

    49152:OSa5+lvH/3ehlWOU9Hl73KkPjOMVMC21gt9dmFF9KINW1FQr7qrzW+x30rY6yTK4:A0X3IWbXPjObC9CFAArmGm3U0KFK/j

Score
10/10
zgratexecutionrat

Malware Config

Signatures

  • Detect ZGRat V1 32 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
    "C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe
      "C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Users\Admin\AppData\Local\Temp\Logger.exe
        "C:\Users\Admin\AppData\Local\Temp\Logger.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Users\Admin\AppData\Local\Temp\1.exe
          "C:\Users\Admin\AppData\Local\Temp\1.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1628
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:564
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0RJCdW5lNw.bat"
            5⤵
              PID:1440
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3028
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:1972
                • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe
                  "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2784
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2252
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2580
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:280
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1248
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "11" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "11" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1756

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0RJCdW5lNw.bat
        Filesize

        180B

        MD5

        49168cbe79fef45b3267f2fb8b04cb5e

        SHA1

        9b435d8123be497da255b95ccf637d4279e2ede0

        SHA256

        1199b4492b1a22fb54a2963c971055ad2b5e2b50f988b8e95a67eefceb413c2e

        SHA512

        e477a5b1b34d48a68aa61cb9a71527d626fbf2eb982f0b73e3162ef6810caeff9df923e1551739c1eb34c8b2e9a48f75277c6fef37507477e117dcc6f41eaa0b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1.exe
        Filesize

        6.3MB

        MD5

        4e2c3489ec26807d69f9171479886188

        SHA1

        40f8c57e6918d1626177810c6f1b5a65d9bf93d1

        SHA256

        33466d0c92e0fb64d98b89ca503976b86cfd5400c387aeb9dd66f096b4c14ca9

        SHA512

        0ed949039d77b4777f8da9ede1e245b22759fa2bd86ec90692c216263a27693264f926ad256336a8b4e2e688c05deb4790ba0a2799479213a9cb9960787f0d3e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        6b0ff0bcaa1475cf1cf37764d19a39b1

        SHA1

        3ef5cc58ea8a0453c6988a3e009e23e56fd824e8

        SHA256

        706e2cf96d28c8638f187f068839f583b4bd53447467cbdb25461917a56d518c

        SHA512

        b2b3359ada26ecb3035ed5fa6194521578ccafc88eaddbebca28f9c1a3d934b6b36bb70623ed64cf034e8d6237e0025162d3e9d781baebcd49058bc82f83912c

        Download Submit

      • \Users\Admin\AppData\Local\Temp\Logger.exe
        Filesize

        6.6MB

        MD5

        48bfaeb0285f1b090cbf09e2feb6ad10

        SHA1

        67d25ecce37f5a70ec950758351e81593b99ed05

        SHA256

        d8c19254251b41d6f815582ba4c018994cae3bdf3677e198a88138a43aaaf15e

        SHA512

        f8f19c480a72dcb1a88585a94c95767dfdaab0320aafd46f61309385fd9f7e68a8b392801ab243e7c545f43cd9e23366aa94814a05d9f9a0b604c22ab81ad08d

        Download Submit

      • \Users\Admin\AppData\Local\Temp\Province Hacks.exe
        Filesize

        6.9MB

        MD5

        d22490055518bbf8d44579a00453da46

        SHA1

        d738768635f9646c71b98befc3bf2a4c9f5c29e3

        SHA256

        ee2c37126091fa67a5b5abbf7ac2a4271514ec7620aef87b34d42e80c576cd0a

        SHA512

        ecdd5baf602b3e9e59f15b47ad3925026568be9fdf1d384cc3dbae2b292abbf1878cbd1f919cf680442c65a9299c3496d9f03fed8b8504ba34f805e5ef984f08

        Download Submit

      • memory/1268-3723-0x000000001B6A0000-0x000000001B982000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1404-9-0x0000000000400000-0x0000000000B37000-memory.dmp

        Filesize

        7.2MB

        Download

      • memory/1472-3738-0x00000000003C0000-0x0000000000A10000-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/2184-21-0x0000000000400000-0x0000000000AF3000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2604-44-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-32-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-54-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-90-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-88-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-84-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-82-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-80-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-78-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-76-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-74-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-72-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-70-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-68-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-66-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-64-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-62-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-60-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-58-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-56-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-52-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-48-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-46-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-50-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-42-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-40-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-38-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-36-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-34-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-87-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-31-0x000000001BDC0000-0x000000001C147000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2604-3588-0x0000000000AD0000-0x0000000000AF6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2604-3590-0x0000000000410000-0x000000000041E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2604-3594-0x0000000000420000-0x0000000000430000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-3592-0x0000000000550000-0x000000000056C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2604-3596-0x0000000000B00000-0x0000000000B18000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2604-3598-0x0000000000430000-0x0000000000440000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-3600-0x0000000000710000-0x0000000000720000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-3602-0x0000000000720000-0x000000000072E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2604-3606-0x0000000000A40000-0x0000000000A50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-3610-0x00000000026E0000-0x00000000026F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2604-3612-0x0000000000B20000-0x0000000000B2E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2604-3616-0x0000000002590000-0x00000000025A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-3618-0x000000001AD30000-0x000000001AD8A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2604-3622-0x000000001AC20000-0x000000001AC30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-3624-0x000000001AC30000-0x000000001AC3E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2604-3626-0x000000001AC60000-0x000000001AC78000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2604-3620-0x0000000002700000-0x000000000270E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2604-3630-0x000000001AEE0000-0x000000001AF2E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2604-3628-0x000000001AC40000-0x000000001AC4C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2604-3614-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-3608-0x00000000026C0000-0x00000000026D6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2604-3604-0x00000000026A0000-0x00000000026B2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2604-30-0x000000001BDC0000-0x000000001C14E000-memory.dmp

        Filesize

        3.6MB

        Download

      • memory/2604-29-0x0000000000B30000-0x0000000001180000-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/2928-3734-0x0000000002240000-0x0000000002248000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3068-27-0x0000000000400000-0x0000000000A98000-memory.dmp

        Filesize

        6.6MB

        Download