Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

936f370ea3...cs.exe

windows7-x64

10

936f370ea3...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/06/2024, 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    936f370ea30246c1cb165a2f0d7fa0e0_NeikiAnalytics.exe

  • Size

    3.7MB

  • MD5

    936f370ea30246c1cb165a2f0d7fa0e0

  • SHA1

    c574b5c7a2a62cf46c9c858baba96b5c80bfd116

  • SHA256

    4f2800a2203fd748bed3bcc1286a2476e0ce7fe6957d148b8490bcc818ac7ecb

  • SHA512

    b8338ed098fe15b8dbf4d465de636d3f490a1a469bcd50e136611f1393156c815bb328ccc4a39d36c151b9c9bf5db8f05daf7d21927e61b7c2605b10baea3dd1

  • SSDEEP

    6144:F76vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvl:F2

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\936f370ea30246c1cb165a2f0d7fa0e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\936f370ea30246c1cb165a2f0d7fa0e0_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\936f370ea30246c1cb165a2f0d7fa0e0_NeikiAnalytics
      2⤵
        PID:2116
      • C:\Windows\SysWOW64\msng.exe
        "C:\Windows\system32\msng.exe" fuckystart
        2⤵
        • Modifies visibility of file extensions in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4156
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe http://www.OpenClose.ir
          3⤵
            PID:3984
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4884
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.openclose.ir/
          2⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefa4946f8,0x7ffefa494708,0x7ffefa494718
            3⤵
              PID:3844
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
              3⤵
                PID:4712
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3632
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
                3⤵
                  PID:676
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
                  3⤵
                    PID:2696
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                    3⤵
                      PID:4352
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
                      3⤵
                        PID:3852
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
                        3⤵
                          PID:3068
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
                          3⤵
                            PID:224
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3148
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
                            3⤵
                              PID:2888
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
                              3⤵
                                PID:1920
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
                                3⤵
                                  PID:5228
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
                                  3⤵
                                    PID:5584
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
                                    3⤵
                                      PID:2280
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
                                      3⤵
                                        PID:1192
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12029975628506828663,5508362413389436544,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
                                        3⤵
                                          PID:3464
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:1308
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:3708

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          439b5e04ca18c7fb02cf406e6eb24167

                                          SHA1

                                          e0c5bb6216903934726e3570b7d63295b9d28987

                                          SHA256

                                          247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                          SHA512

                                          d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          a8e767fd33edd97d306efb6905f93252

                                          SHA1

                                          a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                          SHA256

                                          c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                          SHA512

                                          07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          5KB

                                          MD5

                                          0e3e59127a5d0eef4c13611afb39163f

                                          SHA1

                                          6537b197866ab927d880d68c70e2b2ae1d56c21f

                                          SHA256

                                          5b778333dbd56e457063d08f9aa42e055c5940d0f5ad0a1fbb2eaf604e9811e7

                                          SHA512

                                          34a3b725241dc0854e6946e89e8e594697b9f63b73781e8ee5340e5461d38fdc46b532b6b6953bf3b9c932ee0f33c85e8f61a7b6fe244eec049e24067f1e68f0

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          91555f1c241fe2f7948bb1adbf914769

                                          SHA1

                                          d83d1e0f7b4f60acd4b4be569b3b6681f2086fb9

                                          SHA256

                                          c0a190aae1be7dd6733a94ed8c9d24c2a5e808d291a2e7dfb52f12c834c6e0ea

                                          SHA512

                                          3b3d9f68c1253d5ace6c25f2d2a1149afc2618c180c900bca4bc37c32c0abf3c4c58a38f5349ae11728178ffdcd83460793973d4502a645ed1fd5cd834d1c2e4

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          25c3679d17638e8c9934307ea6d07811

                                          SHA1

                                          a54573af802e9217a8cdec1925c1bb12e6a8de5c

                                          SHA256

                                          4850416a268fbe39b6522b465ed3eacb0c3e00ad62990c2ee83ced1218cc4660

                                          SHA512

                                          01a5fef27020f6c13d5b52a259479c5aa0f2dd23226167fc16ed7d164bac70531395f3f72c444e3dd4330cf025e8b9272e7e0054681aacc542d92af70ce5aae8

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                          Filesize

                                          16B

                                          MD5

                                          6752a1d65b201c13b62ea44016eb221f

                                          SHA1

                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                          SHA256

                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                          SHA512

                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                          Filesize

                                          11KB

                                          MD5

                                          3a79dcd0ef07046199b0f480d121c49a

                                          SHA1

                                          a9e468db9726ef12e05c43419f5aa1dccc2fa74f

                                          SHA256

                                          2392a0f28a195a8524d6275e1e5378b72e7383bd34350d7142fc818355f08cd5

                                          SHA512

                                          ae97d3b30bdf70f77a890dd48d27ad410dc4c6b51b6d09b85656a2f4d003bfdb8ffa510294639e4c216638aa700cfc7470d606c9c86391b35bd012737708b0c6

                                          Download Submit

                                        • C:\Windows\SysWOW64\msng.exe
                                          Filesize

                                          3.7MB

                                          MD5

                                          936f370ea30246c1cb165a2f0d7fa0e0

                                          SHA1

                                          c574b5c7a2a62cf46c9c858baba96b5c80bfd116

                                          SHA256

                                          4f2800a2203fd748bed3bcc1286a2476e0ce7fe6957d148b8490bcc818ac7ecb

                                          SHA512

                                          b8338ed098fe15b8dbf4d465de636d3f490a1a469bcd50e136611f1393156c815bb328ccc4a39d36c151b9c9bf5db8f05daf7d21927e61b7c2605b10baea3dd1

                                          Download Submit

                                        • C:\Windows\SysWOW64\rundII32.exe
                                          Filesize

                                          60KB

                                          MD5

                                          889b99c52a60dd49227c5e485a016679

                                          SHA1

                                          8fa889e456aa646a4d0a4349977430ce5fa5e2d7

                                          SHA256

                                          6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

                                          SHA512

                                          08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

                                          Download Submit

                                        • C:\~0002ftd.tmp
                                          Filesize

                                          83B

                                          MD5

                                          a3c8845418fe51afaa72bf0cd9dd5f46

                                          SHA1

                                          629dc72dd0a3a3de435e787c4b1a56cc80e28f26

                                          SHA256

                                          8fb05fec00bdf9d18215d004479d013d87c30259a4af64008e4367e740bf21f6

                                          SHA512

                                          351643a739368002c98bac6f7858169396726f4e995d8613e29af50cd85a45165c04de632b6090da2aaf39e27232fbbbc2bb9ab0590a88148b6b1797820a682e

                                          Download Submit

                                        • memory/1332-15-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/1332-0-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-152-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-257-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-20-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-318-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-363-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-472-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-660-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-882-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-969-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-1165-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-1263-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-1352-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/4156-1443-0x0000000000400000-0x00000000007D8000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download