Overview

overview

10

Static

static

10

JKKHJKHJKHJ.exe

windows7-x64

10

JKKHJKHJKHJ.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1200s
  • max time network
    1204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-07-2023 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JKKHJKHJKHJ.exe

  • Size

    63KB

  • MD5

    36a2e6b4dea8833ac9642279cc0f2f51

  • SHA1

    c646179ba316daabb09406d3705a4f4248b5e0a9

  • SHA256

    870a1845baec61018280036e11dc9bdea8de069760fe0a713395c6258a496e61

  • SHA512

    27eb6c352ccb66de04a45b1961e872a6c4a1e88faedd8480c81e319bc8c9c63ff48849b8fbba05efc21d64d1b79f761442f5a765b2e40fe5b28c1c860fe16602

  • SSDEEP

    768:Ns02C46poI3iPgqUiz9JmoAk25GV6iB1+E0Smv7mqb2ntpwH1obC9johPGKDpqKX:nEIoRp2erBlibbwwAGKDpqKmY7

Score
10/10
arrowratasyncratvenom clientsvenomhvncpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

wasted9sss1-57562.portmap.host:57562

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    BBN BNMBN.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

arrowrat

Botnet

VenomHVNC

C2

wasted9sss1-57562.portmap.host:57562

Mutex

uSzDNutNI.exe

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Async RAT payload 3 IoCs
    rat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JKKHJKHJKHJ.exe
    "C:\Users\Admin\AppData\Local\Temp\JKKHJKHJKHJ.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "BBN BNMBN" /tr '"C:\Users\Admin\AppData\Roaming\BBN BNMBN.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "BBN BNMBN" /tr '"C:\Users\Admin\AppData\Roaming\BBN BNMBN.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:3252
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDD02.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3556
      • C:\Users\Admin\AppData\Roaming\BBN BNMBN.exe
        "C:\Users\Admin\AppData\Roaming\BBN BNMBN.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1660
            • C:\Users\Admin\AppData\Local\Temp\ClientH.exe
              "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4548
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                7⤵
                • Modifies Installed Components in the registry
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:3132
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC wasted9sss1-57562.portmap.host 57562 uSzDNutNI.exe
                7⤵
                  PID:4444
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC wasted9sss1-57562.portmap.host 57562 uSzDNutNI.exe
                  7⤵
                    PID:2856
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1696
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:436
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 436 -s 4084
          2⤵
          • Program crash
          PID:2052
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 408 -p 436 -ip 436
        1⤵
          PID:2736
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1768
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1768 -s 3804
            2⤵
            • Program crash
            PID:2236
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 184 -p 1768 -ip 1768
          1⤵
            PID:316
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4500
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 4500 -s 3588
              2⤵
              • Program crash
              PID:3964
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 552 -p 4500 -ip 4500
            1⤵
              PID:3792
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:3436
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 3436 -s 3528
                2⤵
                • Program crash
                PID:1416
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -pss -s 524 -p 3436 -ip 3436
              1⤵
                PID:3136
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:1276
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 1276 -s 3548
                  2⤵
                  • Program crash
                  PID:1328
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -pss -s 496 -p 1276 -ip 1276
                1⤵
                  PID:4772
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                  • Modifies registry class
                  PID:316

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  75fdba27ae111f9312c9b243a5e22d02

                  SHA1

                  0bbbf13546b05600dbeb285609adcff5e12c2e24

                  SHA256

                  62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

                  SHA512

                  855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}
                  Filesize

                  36KB

                  MD5

                  8aaad0f4eb7d3c65f81c6e6b496ba889

                  SHA1

                  231237a501b9433c292991e4ec200b25c1589050

                  SHA256

                  813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

                  SHA512

                  1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
                  Filesize

                  36KB

                  MD5

                  406347732c383e23c3b1af590a47bccd

                  SHA1

                  fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

                  SHA256

                  e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

                  SHA512

                  18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  75fdba27ae111f9312c9b243a5e22d02

                  SHA1

                  0bbbf13546b05600dbeb285609adcff5e12c2e24

                  SHA256

                  62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

                  SHA512

                  855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  75fdba27ae111f9312c9b243a5e22d02

                  SHA1

                  0bbbf13546b05600dbeb285609adcff5e12c2e24

                  SHA256

                  62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

                  SHA512

                  855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  75fdba27ae111f9312c9b243a5e22d02

                  SHA1

                  0bbbf13546b05600dbeb285609adcff5e12c2e24

                  SHA256

                  62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

                  SHA512

                  855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ClientH.exe
                  Filesize

                  90KB

                  MD5

                  5ac5cf4a09a5c6dfd82669a0e24f675d

                  SHA1

                  4f0993bfd2245da594000bb7c2d2bd7d02b60d53

                  SHA256

                  6136b0b9b28b52962f090cdf34ac650c4b184f3a65e863e2051cdc1219aff051

                  SHA512

                  e0317cf9a5a495f5e90a88f4a96517626a30c016b7374db41bc79a8bcb0920fcf7691ca3cf48c712b8bc2db075d734ca7cacc771e8f604297600187afe314d3f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ClientH.exe
                  Filesize

                  90KB

                  MD5

                  5ac5cf4a09a5c6dfd82669a0e24f675d

                  SHA1

                  4f0993bfd2245da594000bb7c2d2bd7d02b60d53

                  SHA256

                  6136b0b9b28b52962f090cdf34ac650c4b184f3a65e863e2051cdc1219aff051

                  SHA512

                  e0317cf9a5a495f5e90a88f4a96517626a30c016b7374db41bc79a8bcb0920fcf7691ca3cf48c712b8bc2db075d734ca7cacc771e8f604297600187afe314d3f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lub1ypls.cxp.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpDD02.tmp.bat
                  Filesize

                  153B

                  MD5

                  54f416825f0cf6e8bf73f4f1006be76f

                  SHA1

                  3c6ede9fb153eef49588a64f006bd0001f1e0bab

                  SHA256

                  972cfda00069a09face356e944a68be13142fa7d008db85039585b8841eb30c0

                  SHA512

                  ca9765697df41059edf28a9c6b7ec80cb0bf3625ad68c6f7de7f52e289f9fafe29db8a037c482b2bc0ce865ddfbe4d3aec643b440379d67850a940b283a1125e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\BBN BNMBN.exe
                  Filesize

                  63KB

                  MD5

                  36a2e6b4dea8833ac9642279cc0f2f51

                  SHA1

                  c646179ba316daabb09406d3705a4f4248b5e0a9

                  SHA256

                  870a1845baec61018280036e11dc9bdea8de069760fe0a713395c6258a496e61

                  SHA512

                  27eb6c352ccb66de04a45b1961e872a6c4a1e88faedd8480c81e319bc8c9c63ff48849b8fbba05efc21d64d1b79f761442f5a765b2e40fe5b28c1c860fe16602

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\BBN BNMBN.exe
                  Filesize

                  63KB

                  MD5

                  36a2e6b4dea8833ac9642279cc0f2f51

                  SHA1

                  c646179ba316daabb09406d3705a4f4248b5e0a9

                  SHA256

                  870a1845baec61018280036e11dc9bdea8de069760fe0a713395c6258a496e61

                  SHA512

                  27eb6c352ccb66de04a45b1961e872a6c4a1e88faedd8480c81e319bc8c9c63ff48849b8fbba05efc21d64d1b79f761442f5a765b2e40fe5b28c1c860fe16602

                  Download Submit

                • memory/436-197-0x000001B499480000-0x000001B4994A0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/436-199-0x000001B499920000-0x000001B499940000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/436-194-0x000001B4994D0000-0x000001B4994F0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1276-274-0x000001DFDB4D0000-0x000001DFDB4F0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1276-277-0x000001DFDB490000-0x000001DFDB4B0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1276-281-0x000001DFDB8E0000-0x000001DFDB900000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1472-154-0x00007FFEF1890000-0x00007FFEF1A85000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/1472-156-0x000000001AF60000-0x000000001AF7E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/1472-155-0x000000001C0C0000-0x000000001C136000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1472-153-0x000000001AF80000-0x000000001AF90000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1472-152-0x00007FFED3070000-0x00007FFED3B31000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1472-149-0x00007FFEF1890000-0x00007FFEF1A85000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/1472-148-0x000000001AF80000-0x000000001AF90000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1472-147-0x00007FFED3070000-0x00007FFED3B31000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1660-160-0x00000223335E0000-0x00000223335F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1660-159-0x00007FFED3070000-0x00007FFED3B31000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1660-170-0x00000223335E0000-0x00000223335F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1660-158-0x00000223335F0000-0x0000022333612000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/1660-175-0x00007FFED3070000-0x00007FFED3B31000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1768-219-0x00000297063D0000-0x00000297063F0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1768-217-0x0000029706410000-0x0000029706430000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1768-222-0x0000029706A20000-0x0000029706A40000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/2856-184-0x00000000747C0000-0x0000000074F70000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2856-185-0x0000000005860000-0x00000000058F2000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/2856-180-0x0000000000400000-0x0000000000410000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2856-208-0x00000000747C0000-0x0000000074F70000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2856-209-0x0000000005B00000-0x0000000005B10000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2856-186-0x0000000005B00000-0x0000000005B10000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3024-134-0x00007FFED34E0000-0x00007FFED3FA1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/3024-135-0x000000001AFB0000-0x000000001AFC0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3024-133-0x0000000000350000-0x0000000000366000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/3024-136-0x00007FFEF1890000-0x00007FFEF1A85000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/3024-141-0x00007FFED34E0000-0x00007FFED3FA1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/3024-142-0x00007FFEF1890000-0x00007FFEF1A85000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/3132-187-0x00000000037F0000-0x00000000037F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3436-259-0x000001BF95B20000-0x000001BF95B40000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/3436-263-0x000001BF957E0000-0x000001BF95800000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/3436-266-0x000001BF95EF0000-0x000001BF95F10000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4500-241-0x000001EA4CC50000-0x000001EA4CC70000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4500-243-0x000001F24E060000-0x000001F24E080000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4500-238-0x000001EA4CC90000-0x000001EA4CCB0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4548-176-0x00000000747C0000-0x0000000074F70000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/4548-177-0x00000000001C0000-0x00000000001DC000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/4548-178-0x0000000004F40000-0x00000000054E4000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/4548-179-0x0000000004B80000-0x0000000004C1C000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/4548-183-0x00000000747C0000-0x0000000074F70000-memory.dmp

                  Filesize

                  7.7MB

                  Download