Overview

overview

10

Static

static

10

1991d51d2e...56.exe

windows7-x64

10

1991d51d2e...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2024, 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe

  • Size

    2.2MB

  • MD5

    506cd587919d4bb571795ea1c1e64d80

  • SHA1

    c04c19373251eb40197975fbf901ff802e92e22d

  • SHA256

    1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256

  • SHA512

    ab9577410cb2eb1e0fd3e71c2c5d3d13a38563db70e7017734f5067171442b561b1297bf339ddfa54ae266c720a383c7e4c7a63b23a6cdb433651b7ed8cbc30b

  • SSDEEP

    24576:2TbBv5rUyXVl6fDEs25370/5lJHI2cxaSzXykO0eW66f3XEWpEmEQ/2VmCthZ2yt:IBJEECrHjxdXZsUWzuUQME46LMEQ70

Score
10/10
zgratevasionpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe
    "C:\Users\Admin\AppData\Local\Temp\1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\HyperchainserverRefBroker\15rdJvHs8fLqyO2NujCXYGmVvYkYhVqPlDU.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\HyperchainserverRefBroker\aChfOVIZNk46BVBd6tQOJDuZO9i8SfzQwF1KcbSw3gaIMh1jz.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:4968
        • C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe
          "C:\HyperchainserverRefBroker/hyperportServerFontdhcp.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4448
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvruf24u\gvruf24u.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:4540
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AC4.tmp" "c:\Windows\System32\CSC49505DBA1C7F4E5C8295467BA5ADD.TMP"
              6⤵
                PID:396
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tdrrHire7S.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2840
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2124
                • C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe
                  "C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3492
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4756
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\HyperchainserverRefBroker\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\HyperchainserverRefBroker\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:412
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\HyperchainserverRefBroker\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\DiagTrack\Settings\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperportServerFontdhcp" /sc ONLOGON /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperportServerFontdhcph" /sc MINUTE /mo 5 /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperportServerFontdhcph" /sc MINUTE /mo 9 /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\Settings\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2020
      • C:\Windows\system32\chcp.com
        chcp 65001
        1⤵
          PID:4144

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\HyperchainserverRefBroker\15rdJvHs8fLqyO2NujCXYGmVvYkYhVqPlDU.vbe
          Filesize

          252B

          MD5

          4a61f0d242786b7e9caa34fa552a0791

          SHA1

          47a7114f25574bf8ba482e561c395c2d942f40d8

          SHA256

          5db96d7ae442161d7e6b12f9bd1380030d7e951cdebfb198bdd3bf76ce514c2f

          SHA512

          4262524a95b9a7756d327ae338d065565c38dd3548679b21ed7593293f2e8703084439dff9fb44d7c8667115adeda4f262ccbbe43dd39e215d77e51369ddd042

          Download Submit

        • C:\HyperchainserverRefBroker\aChfOVIZNk46BVBd6tQOJDuZO9i8SfzQwF1KcbSw3gaIMh1jz.bat
          Filesize

          210B

          MD5

          bdec11d125abfe788f5249bd9f8e8453

          SHA1

          e5850a47337f36270fdc5bb49c57a4f81358730b

          SHA256

          836e8052513d49530612a8f405e1eeef196834e6431b345eaebd09dc23693c50

          SHA512

          9c8418bec2565a82f200d40cf9254d3219f9f81da1a55e1d4c88bab0de3947986c94168c4db53c6e49191030c81c9284ecb4c3429d3d0cfe48421a26de7c623f

          Download Submit

        • C:\HyperchainserverRefBroker\dwm.exe
          Filesize

          412KB

          MD5

          3a4f6040758ab110510d0394c69a15cf

          SHA1

          17aab858dfaf1aca771c95cd1cda6cfa1a464b7c

          SHA256

          f5f402ea1a46680dfe81dccc757c24da05b411b66e10bc45cd0ae4ef65baa129

          SHA512

          28f987cd0341f52237d53aef2efaa1fa3662a1e982d6f4b3ae2f3944ef6e3a8c207cf70a6aca50f57954dbf3c8b0f4922552b1789f84d327ca06594c9ad3f0e0

          Download Submit

        • C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe
          Filesize

          399KB

          MD5

          2afbfe897f8baf58dc2c6a4bd4cfc918

          SHA1

          ca8102cb40ec5eac8ad3c35243cabc3ab286656a

          SHA256

          0b1c50c3a0a4c7045b7e427a76dd8fac5b5d5d04dd2dc1c781c3072b42a8c5ed

          SHA512

          2c6943ab0468e7dbaa15a2f302e1c0360bb47044a308c12c2419d3e7919a8f72250c0df2a9953f1b3486a2b1f471e02dae7d0f6f6564a00b0e5c72894b44262f

          Download Submit

        • C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe
          Filesize

          406KB

          MD5

          8c357fefc799b17ab591e2ed9a1a25da

          SHA1

          6d54f3b1c85615a6407f00501f1cf35bd0be68e0

          SHA256

          9616f8c7d5fd6e85c9ea2fc214830324b137236c152e2def75297548317ebcb7

          SHA512

          a1a2bf500874afef2b58d49f3f63556ec0d311c53f75b5103e702f807a8440d29e6ba8d545506d88686fb72d0a188f87d956a6c9d04e34fff754c235650eab40

          Download Submit

        • C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe
          Filesize

          424KB

          MD5

          4f9c20cbcc54f92d48b8b93657ce536d

          SHA1

          03d87bc44a6debc93d531c842b0af0960e6a0e84

          SHA256

          7c1dfef42365e412be181a04391143b707d0b5d2113c39804faa07404487ef3b

          SHA512

          8ed757c140ad1bc16ed25d1a33f715d4aed1ab056b30de31361198d40ad3cd3b17e903a75f0d546fa4f24aa20a7f7a2f2930a6e926b6a17ab5341b7bec58f349

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperportServerFontdhcp.exe.log
          Filesize

          1KB

          MD5

          af6acd95d59de87c04642509c30e81c1

          SHA1

          f9549ae93fdb0a5861a79a08f60aa81c4b32377b

          SHA256

          7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

          SHA512

          93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES4AC4.tmp
          Filesize

          1KB

          MD5

          4deda59dc214656e93b7a83296e37499

          SHA1

          bb0f8dc9c03dc728b8517d32d8df1881fa80c5c8

          SHA256

          995de7014dbe3c924ef35f923bc9de7c483991bc5fe45ad8eebbf28e7fbcd1f6

          SHA512

          0f6c6a9dde35f4e91e42701646eb47c42f5b03582a567dcece675a2a2792fbb27a9285e9a5bc90d479fb1c36fd25f31d19033b17d107b983e5915a5968c96530

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tdrrHire7S.bat
          Filesize

          232B

          MD5

          d3399ccb3dc4ceab7d158ffb06bb9a5c

          SHA1

          0b9cbfeda68430712d67d5edff7cf35c510de68d

          SHA256

          21ca6ef3266ebc7a667f01eff6d33264915710a4e0d3b465574372d96a8dd1a4

          SHA512

          408ff37deb7b4682210df6b1f48f0d0303ecffefd9e2a3478d575c3a970021ccfcb854dda318c9d218fbd57c0679507c9c1c4d5cf7453db68ff401cf64965ad5

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gvruf24u\gvruf24u.0.cs
          Filesize

          412B

          MD5

          a57269c8170ac8313d9a29456b442b03

          SHA1

          a9ac1dcc033ddff745f0fa1d4e18dade56f1b14e

          SHA256

          ffc05f9adfa7e0709fd7dc3da58a74d344e283610ec4e2e8ceb21e891375c24c

          SHA512

          a0832a9cf25ad09c5b8f8a83bdfdf1d24711ef02d202d1b84be4845dfbd0c16ba6445815030e9133d03be8881b8587c846dbb6bfb96e2ade1ba36d7d7802807d

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gvruf24u\gvruf24u.cmdline
          Filesize

          235B

          MD5

          78fd2e419c844d4d736c78e4fe8e5e7c

          SHA1

          6414a5f4cd1936c5eec76aee93f90370305ea077

          SHA256

          61a0b0309788d610849070d33d8ec95ae8633a4b13a24156e6545f41bf6106a9

          SHA512

          153bc7f81e59d1eb3d83e01c8e74c14d7c1b8d7f2b0dd6d96edfe925199498a99e58da15e45e038b67037bbc46c20bd055d61f077c91c1b14017dfce1f809f6b

          Download Submit

        • \??\c:\Windows\System32\CSC49505DBA1C7F4E5C8295467BA5ADD.TMP
          Filesize

          1KB

          MD5

          5bc7fffeb74f6ba57a2071934d353745

          SHA1

          fb8fae919b698ac12d3ec7d66cdb691f5763c146

          SHA256

          5146249f8fbc8b152593329b29ba45f4c96ff5eef3c1885dd4f2c4ed36804285

          SHA512

          e053f2d895ffc4324bca69ead2366f51f94e1dcd9bd43ed712068f73a45df02d39bdf29699b8401b03d7f2d5646d779197d027af21e0f317f232bf3e05526ac8

          Download Submit

        • memory/2856-78-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2856-72-0x00007FF9FDC50000-0x00007FF9FE711000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2856-123-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2856-122-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2856-95-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2856-94-0x00007FFA1AFA0000-0x00007FFA1B05E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/2856-88-0x00007FF9FDC50000-0x00007FF9FE711000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2856-89-0x00007FFA1AF60000-0x00007FFA1AF61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2856-91-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2856-92-0x00007FFA1AF50000-0x00007FFA1AF51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2856-90-0x00007FFA1AF40000-0x00007FFA1AF41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2856-85-0x00007FFA1AF70000-0x00007FFA1AF71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2856-79-0x00007FFA1AFA0000-0x00007FFA1B05E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/2856-80-0x00007FFA1AF90000-0x00007FFA1AF91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2856-81-0x00007FFA1AFA0000-0x00007FFA1B05E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/2856-83-0x00007FFA1AF80000-0x00007FFA1AF81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2856-76-0x00007FFA1AFA0000-0x00007FFA1B05E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/2856-75-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2856-74-0x0000000002D60000-0x0000000002D61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2856-73-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4448-22-0x00007FFA1AFA0000-0x00007FFA1B05E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/4448-19-0x00007FFA1AFA0000-0x00007FFA1B05E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/4448-68-0x00007FF9FDFA0000-0x00007FF9FEA61000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4448-13-0x00007FF9FDFA0000-0x00007FF9FEA61000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4448-69-0x00007FFA1AFA0000-0x00007FFA1B05E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/4448-15-0x00000000013A0000-0x00000000013A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4448-16-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4448-12-0x0000000000A20000-0x0000000000C0C000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/4448-18-0x0000000001420000-0x000000000142E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4448-21-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4448-25-0x0000000002E50000-0x0000000002E6C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4448-14-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4448-20-0x00007FFA1AF90000-0x00007FFA1AF91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4448-29-0x0000000002E70000-0x0000000002E88000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4448-23-0x00007FFA1AF80000-0x00007FFA1AF81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4448-26-0x000000001B910000-0x000000001B960000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4448-27-0x00007FFA1AF70000-0x00007FFA1AF71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4448-33-0x0000000002E30000-0x0000000002E3E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4448-35-0x00007FFA1AF50000-0x00007FFA1AF51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4448-31-0x0000000001430000-0x000000000143C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4448-37-0x0000000002E40000-0x0000000002E4C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4448-38-0x00007FFA1AF40000-0x00007FFA1AF41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4448-34-0x00007FFA1AF60000-0x00007FFA1AF61000-memory.dmp

          Filesize

          4KB

          Download