Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

VespyGrabb...er.exe

windows7-x64

10

VespyGrabb...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1799s
  • max time network
    1792s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2024, 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VespyGrabberBuilder.exe

  • Size

    12.6MB

  • MD5

    fab385fb154644665f94aca9424fb0ce

  • SHA1

    8dc525108cebd97b3127129cc1633a7f31010424

  • SHA256

    c08b63c50a78ca119a5ff4fe10592a0f66289708df38349e91e645214aae7576

  • SHA512

    07def38b8590ebaa95d7213e77e3892f60f10a87cef797fa07c6feb033f08d4148024360c7c32b5f92441c41236b8a86e66cee59bb51d6fbde97b86923a640e3

  • SSDEEP

    393216:NayDfg/3Y8G6jgVINcfwt+F2CZZiLe2Wq:wyDfYPwPwtO2Mie2J

Score
10/10
growtopiazgratevasionpersistencepyinstallerratstealer

Malware Config

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

  • Detect ZGRat V1 34 IoCs
  • Growtopia

    Growtopa is an opensource modular stealer written in C#.

    stealergrowtopia
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 11 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Detects Pyinstaller 5 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VespyGrabberBuilder.exe
    "C:\Users\Admin\AppData\Local\Temp\VespyGrabberBuilder.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAcgB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAZAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAYgBxACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
      "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
      "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2624
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        3⤵
        • Launches sc.exe
        PID:112
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          • Drops file in Windows directory
          PID:2396
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:928
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        3⤵
        • Launches sc.exe
        PID:2644
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        3⤵
        • Launches sc.exe
        PID:2084
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        3⤵
        • Launches sc.exe
        PID:2076
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "GMDTJRUT"
        3⤵
        • Launches sc.exe
        PID:684
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2144
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
        3⤵
        • Launches sc.exe
        PID:920
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "GMDTJRUT"
        3⤵
        • Launches sc.exe
        PID:2160
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        3⤵
        • Launches sc.exe
        PID:3048
    • C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
      "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA351.tmp" /F
          4⤵
          • Creates scheduled task(s)
          PID:1200
    • C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
      "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
      "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
        "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2412
  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2220
  • C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:1624
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:2460
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2472
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        2⤵
        • Launches sc.exe
        PID:2660
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1784
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        2⤵
        • Launches sc.exe
        PID:2576
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        2⤵
        • Launches sc.exe
        PID:2596
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        2⤵
        • Launches sc.exe
        PID:2516
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2312
    • C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      1⤵
      • Drops file in Windows directory
      PID:2612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
      Filesize

      1.2MB

      MD5

      a4720f9a650d9b0098751a9b7063c375

      SHA1

      8eef2b8988d785775161b38f95314863b27b144d

      SHA256

      6d2f6866ef34265b0c60542955986ba206b1bbb45db5f04c5584d01869573807

      SHA512

      fa3f56925cd5254530076a9947e3f21b70518da2cfc521db4b04eaa98842aba357c056b3818c5c06fa16fa9955b32857d6a4ba9546a09b6ff1062f998c82d953

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
      Filesize

      4.3MB

      MD5

      749e16da9a2c38ef736e33db18a6e09b

      SHA1

      2957f352a54c27de463e22f60b07ecc14ae78ffe

      SHA256

      3bb3995012fcd488b7a502d829fc6a2ec82067192fe9900cef1bf4224fbe1857

      SHA512

      8f83be4470330f71bc45f35aa26d37ef465fb7da3efeef2222b9ba62dba72f9129680dfaeb474e3710c9ecdcc7e5e3dbe3fbcd542a345ad00c094b38c51c525a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
      Filesize

      6.2MB

      MD5

      c4ae46e22416bc88411d50dbd9856ab1

      SHA1

      06fd01ac84b5f566c0493fd9f090fdb2e030f6ed

      SHA256

      754076b4f4b74bfa84fc8260144e2008587e3fdebe45f5dbcda0e862e593fc8c

      SHA512

      8dbe56eb608ec270d346dabf79ca64ab41bd596a8fbf17c6c2d13d9f58f5b30ee269ffd3ef605f0094d13d636da52f317039ea64bd810210469a8097398b8d0f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
      Filesize

      5.4MB

      MD5

      825026f2b287ed6034a6145f2061eb8e

      SHA1

      1a03ac4615efb77e2f01ab53840f543a70a996bb

      SHA256

      d50dae1f4d27e37a034f086bd19e196e63ee11caab5e2628164f40d3db16670d

      SHA512

      f28aa13d0ee9604f80aaf3fb2f9faa2333f6bcf68a3cecd44f61cd674437fbc18467a993d398390456c050f5a1072a7c85dd5ab798bb2a2367a0bbddeba6a069

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
      Filesize

      1.8MB

      MD5

      f06223258558d32b15057b6d51702ffc

      SHA1

      cf29bfea585fc30f5f2a03ea924cd55dad02aa10

      SHA256

      26c35afa0783fcbcea457f042b6a65df3870c0321a674a96f5b9079509ed254d

      SHA512

      ba4ed45afb9bbf034e261ef0cbbe41c97da7d607b0f4c78e914e79c053c1b179392d4890d1de25c8ad0fb7339f643e85214711815afd061c5bfece5a12b9401e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI26522\python312.dll
      Filesize

      5.4MB

      MD5

      dd27aff358d633af67d1a20624038c6a

      SHA1

      a830d0f2bcfd3180a657ac4db8c790c8dfb0b3b5

      SHA256

      6ded9b5fd0d8379f715700960a7ddfdf7ceb67019059103b9405f5bdac057156

      SHA512

      b81d0dc19e24f5811760109c2dffde3418941f94cb735d07c970ef39345d9d79fe3d5e7ab01792ea1af0b6d599a57050c5ab54f8837eaaae61eceffa531b05a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA351.tmp
      Filesize

      1KB

      MD5

      7f673f709ab0e7278e38f0fd8e745cd4

      SHA1

      ac504108a274b7051e3b477bcd51c9d1a4a01c2c

      SHA256

      da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4

      SHA512

      e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0HYUVDUZQBUXLV8BLDEK.temp
      Filesize

      7KB

      MD5

      e13ea1da6b850fee339fe83314b89adf

      SHA1

      dddc76defbcb2490b0e6995ba47ad104d089f673

      SHA256

      55c7f1a2324b13861174900597e3761dea5751bb38dce6732655ccef63b48fc7

      SHA512

      21be8bc9ac8ef3a66a55db132e5e5ad4e67610f38cc6cbfa4883163c2d1270f946ac8d4cceab152250c29df63f7398ef49a212d4c3f7bc4b7ced50f23a0320af

      Download Submit

    • \ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
      Filesize

      1.9MB

      MD5

      196543b959d0f41f8ffbbfafdce5f072

      SHA1

      a5969a292fc5accb64dd13983f0e2ebfdfb61781

      SHA256

      5ff9c4e4b7397f6b59b8d3268c5e8ec5d99fbda1702cc143c1e75843fa986381

      SHA512

      2b47417ed55b4582e2d76cf46727d8578dbfe4ad6a0c56d84a2d72d8e0d47ecd8cc1437e69a74626c3ee3def3209a9a37d450a5867c27b5a1e5130862f6aa4fc

      Download Submit

    • \Users\Admin\AppData\Local\Temp\Ilkdt.exe
      Filesize

      191KB

      MD5

      e004a568b841c74855f1a8a5d43096c7

      SHA1

      b90fd74593ae9b5a48cb165b6d7602507e1aeca4

      SHA256

      d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

      SHA512

      402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

      Download Submit

    • \Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
      Filesize

      4.9MB

      MD5

      c108564c8fe1e2d5b11615b17c1f47d6

      SHA1

      315a4fd5ffdb581d06c66d33f2a1964c3cad61d3

      SHA256

      a3dfed0a83fd712ebd1081da4c9f2fa789cce3cd1c7e53bf9dc7ffde4ff77137

      SHA512

      4a2ccff555a1b9e64c105c741cb1b8c1e740db4d6fc2d6c1f7802c22f28fecf4cc03564e985e229df68d2eec781932e4ee1529c71985db0e661da1fda32996d8

      Download Submit

    • \Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
      Filesize

      6.1MB

      MD5

      7799ba27987e123073807bb846e77820

      SHA1

      76635297c39d55304dfe71ecb315cb5c7f3c01f9

      SHA256

      b509f009cae3603578ca187ac24f9dd0bbfcf9c3d19a78b058580b2dc255b659

      SHA512

      6dbc2aba73cb9b27415a3b026623003db8bae5b88d1c5f7cf35857c6dea68469b15b93c9dfc0e1b65e033d8c78772f018de3149c80edbe5756c2b12c3857014b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\Sahyui1337.exe
      Filesize

      316KB

      MD5

      675d9e9ab252981f2f919cf914d9681d

      SHA1

      7485f5c9da283475136df7fa8b62756efbb5dd17

      SHA256

      0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

      SHA512

      9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

      Download Submit

    • \Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
      Filesize

      42KB

      MD5

      d499e979a50c958f1a67f0e2a28af43d

      SHA1

      1e5fa0824554c31f19ce01a51edb9bed86f67cf0

      SHA256

      bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

      SHA512

      668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

      Download Submit

    • \Users\Admin\AppData\Local\Temp\WinHostMgr.exe
      Filesize

      5.0MB

      MD5

      e222309197c5e633aa8e294ba4bdcd29

      SHA1

      52b3f89a3d2262bf603628093f6d1e71d9cc3820

      SHA256

      047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

      SHA512

      9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

      Download Submit

    • \Users\Admin\AppData\Local\Temp\_MEI26522\python312.dll
      Filesize

      5.0MB

      MD5

      cbfb164ae053ade07f3f4a8425de768c

      SHA1

      aaae0db43456b87ade37ca98acf4a8143bd9592e

      SHA256

      63d7430866a73f9d6a8880a8b81428c386b15d467714f1f71d15748118bb67b5

      SHA512

      e91e5450907464a65a4e7fb068550d4435224291cd483fb9001833dfb916e926e10ec2fb56e899c8aa75b20672aac109f7a03daa135b8105e94d0ce48a8faea0

      Download Submit

    • memory/1784-1735-0x0000000000F40000-0x0000000000F60000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1784-1736-0x0000000000F40000-0x0000000000F60000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2216-251-0x0000000002C80000-0x0000000002CC0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2216-62-0x0000000002C80000-0x0000000002CC0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2216-157-0x0000000073070000-0x000000007361B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2216-255-0x0000000073070000-0x000000007361B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2216-253-0x0000000002C80000-0x0000000002CC0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2220-1705-0x000007FEF4C90000-0x000007FEF562D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-1709-0x0000000001300000-0x0000000001380000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2220-1706-0x0000000001300000-0x0000000001380000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2220-1710-0x000007FEF4C90000-0x000007FEF562D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-1704-0x0000000001300000-0x0000000001380000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2220-1707-0x0000000001300000-0x0000000001380000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2220-1703-0x000007FEF4C90000-0x000007FEF562D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-1702-0x00000000009D0000-0x00000000009D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2220-1700-0x0000000019FA0000-0x000000001A282000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2348-1690-0x0000000002720000-0x00000000027A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2348-1687-0x000000001B470000-0x000000001B752000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2348-1694-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2348-1693-0x0000000002720000-0x00000000027A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2348-1692-0x0000000002720000-0x00000000027A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2348-1691-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2348-1688-0x00000000027A0000-0x00000000027A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2348-1689-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2548-67-0x0000000073A60000-0x000000007414E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2548-57-0x0000000073A60000-0x000000007414E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2548-36-0x0000000000180000-0x0000000000190000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2636-262-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2636-250-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2636-258-0x0000000001330000-0x00000000013B0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2636-54-0x00000000013E0000-0x0000000001434000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2792-1701-0x0000000073A60000-0x000000007414E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2792-1708-0x00000000048E0000-0x0000000004920000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2792-1672-0x00000000048E0000-0x0000000004920000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2792-66-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2792-261-0x0000000073A60000-0x000000007414E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2844-73-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-68-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-79-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-83-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-85-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-87-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-256-0x00000000047A0000-0x00000000047E0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2844-95-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-97-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-101-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-1669-0x0000000073A60000-0x000000007414E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2844-103-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-109-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-115-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-117-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-119-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-127-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-131-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-129-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-125-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-123-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-121-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-113-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-111-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-105-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-107-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-99-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-89-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-91-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-93-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-81-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-77-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-75-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-71-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-69-0x00000000003A0000-0x0000000000405000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2844-61-0x00000000003A0000-0x000000000040C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2844-56-0x0000000073A60000-0x000000007414E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2844-35-0x0000000000060000-0x0000000000096000-memory.dmp

      Filesize

      216KB

      Download