Overview

overview

10

Static

static

10

xone.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2024, 16:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    xone.exe

  • Size

    2.1MB

  • MD5

    9fafa70510322de8516d8f59aa30c499

  • SHA1

    be43d0f2c29898c4a748df955390bb3f892755cd

  • SHA256

    f2ae5ae9670add7474b7f3e3106bb0a4058085584d48f921dd542aab708232a5

  • SHA512

    78c7cf4726baa0d601083b65ccac6225f40b69ed82d4b78b67ae1d3f6b15657c6dea632d8554f5fefdebe8f543d43659f2b122bee639411bec30b97e4dc4820d

  • SSDEEP

    24576:STbBv5rUVNy+O8bJJymZUUmZiT2xo+1tbqGBEDhdFKjN05xaFxSdET0VDhSBA17l:0Bp+3yr4+1NqGyVSN0x2ot77ZeohWYv

Score
10/10
zgratpersistencerat

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xone.exe
    "C:\Users\Admin\AppData\Local\Temp\xone.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\BlockdriverrefPerfCrt\TMrreM1iPd3AI.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\BlockdriverrefPerfCrt\0Qdz5o6iqetCkm6PT3k4DAd0Paopm.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3372
        • C:\BlockdriverrefPerfCrt\BridgeComponentwebSavesbroker.exe
          "C:\BlockdriverrefPerfCrt/BridgeComponentwebSavesbroker.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1424
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0rdc5lap\0rdc5lap.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1444
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC719.tmp" "c:\Windows\System32\CSC24C2D99239342C895A0D485BAF29C56.TMP"
              6⤵
                PID:3388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3912
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4212
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/BlockdriverrefPerfCrt/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3816
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4620
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1408
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3756
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2860
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3484
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4540
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3572
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2016
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4652
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\TrustedInstaller.exe'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockdriverrefPerfCrt\OfficeClickToRun.exe'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3724
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\backgroundTaskHost.exe'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2420
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3808
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\bin\backgroundTaskHost.exe'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5048
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockdriverrefPerfCrt\BridgeComponentwebSavesbroker.exe'
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2396
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WINlgsBMqf.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2872
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:5796
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:5768
                • C:\Recovery\WindowsRE\sihost.exe
                  "C:\Recovery\WindowsRE\sihost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:7008
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3448
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3568
        • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
          "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
          2⤵
            PID:2460
          • C:\Windows\SysWOW64\unregmp2.exe
            "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2944
            • C:\Windows\system32\unregmp2.exe
              "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
              3⤵
              • Enumerates connected drives
              • Suspicious use of AdjustPrivilegeToken
              PID:220

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\BlockdriverrefPerfCrt\0Qdz5o6iqetCkm6PT3k4DAd0Paopm.bat
                Filesize

                118B

                MD5

                6b7960dcf8e2f69fc3dfe0400abf7c39

                SHA1

                e5f5beaea83f5c5d290f5b157f9be9054d9d9d96

                SHA256

                a7813336dd218294f4d1955bbe810a1d32861f5866531afd16eb69ce3d3abc2d

                SHA512

                5f8bdf7eb898206641b031955874e7881da4422ded11758f19ea54e9256db0751f85021408532c58023a071279f4b623011312beedbab5f65f2e1be42b7cc3f3

                Download Submit

              • C:\BlockdriverrefPerfCrt\BridgeComponentwebSavesbroker.exe
                Filesize

                1.8MB

                MD5

                30a041d58bf7290708e258ea1d6a74a0

                SHA1

                b7808bed1c837b2f9dae92b72f8cb6103df3c215

                SHA256

                e9231ba39baa22eba2f1281575ed4ef94c0f8a333098945e50b1c84239e9ea28

                SHA512

                edd81f6acba66450cdf4782388f33ec0ad75afb40e0c6020941fece5449764952793b67f230d117f8122770c2a7e98610a6000ae45d3d40b10401ab2dc107040

                Download Submit

              • C:\BlockdriverrefPerfCrt\TMrreM1iPd3AI.vbe
                Filesize

                229B

                MD5

                7ae1205f885b1574f23c17f870560bb3

                SHA1

                172795a0ab685fe323eaf6d8017c2e5923c9cdbc

                SHA256

                ceddcb35ff4ed809633edd3b85e7bfa4b132f1615d2ce129a98916f85a00533d

                SHA512

                4861184dd949893276b74301a3e8a410972d110b638e15ec1e522b8d22344381d37bf3cb3bea13382cfaba3540d1ed4c9930b5889f91099ad44aabb7d11499cf

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                d85ba6ff808d9e5444a4b369f5bc2730

                SHA1

                31aa9d96590fff6981b315e0b391b575e4c0804a

                SHA256

                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                SHA512

                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
                Filesize

                256KB

                MD5

                ab57d6576bac817e24e09b125a2fc42f

                SHA1

                0fbec340b8ec1256b89d115f2598853a281312ba

                SHA256

                1f85be4464de03096c5272ec692fb71cd9f0f6ac485c4f47a984513b3990c5ac

                SHA512

                d3d1077369971f56eae10b2737552e93658df660fa06b627606c2ee5c8cbff2d0247401ff259d95ce1bc6757e79d869a7acc3bbcf1eadc1a1eaafc9be4d17faa

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
                Filesize

                9KB

                MD5

                7050d5ae8acfbe560fa11073fef8185d

                SHA1

                5bc38e77ff06785fe0aec5a345c4ccd15752560e

                SHA256

                cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

                SHA512

                a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                bd5940f08d0be56e65e5f2aaf47c538e

                SHA1

                d7e31b87866e5e383ab5499da64aba50f03e8443

                SHA256

                2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                SHA512

                c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                c6c940df49fc678d1c74fea3c57a32f9

                SHA1

                79edd715358a82e6d29970998ff2e9b235ea4217

                SHA256

                4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

                SHA512

                3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                c08b1e85a14ccf4c7a1153c7ded341a8

                SHA1

                df27102b22b8642c89e1d2b830abe077d21158f0

                SHA256

                b021b02062bad9c855c6eef058358fcf3606d6cd8ca0e6b940e2215cb16c9693

                SHA512

                40fc0de345ec7c3ce98b8d9e17bf77104301aa15e4e316bc6e0ca5eced8d6c264b92fe06753fb2729cfb34d2c5d64533f69a544cafb91330256102d5930b86b0

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                c571f748f85a6794b16e8e8ef10687ab

                SHA1

                becf11b355e41d6a51f2d97053c4d5319ee9d179

                SHA256

                c21d26af506fe324d5d7245d317b5eb2786dd1f9b99d020f79622b1c1bf3f937

                SHA512

                61ffd7c2e4b4feff2a09d82beea627fc11742359995c2c0abce0214ccdfe8a86bd9dffcf6bf84560ffbe768e69fdefa1d144a0cfb5146408562e24656d1cfee0

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                61e06aa7c42c7b2a752516bcbb242cc1

                SHA1

                02c54f8b171ef48cad21819c20b360448418a068

                SHA256

                5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

                SHA512

                03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RESC719.tmp
                Filesize

                1KB

                MD5

                d6d7349e034159ead3756c3d2f158fd3

                SHA1

                e34e5439a02a0a4208e23871f9cf7abf08a1b38a

                SHA256

                c0d59c87d0c3ec65577e8b081adab3a6b4cfa4f672514162196b29cd28280aff

                SHA512

                d0633f17d5515842312c5194a2076d1eb617e7669c4cbb239ecf7a9c434c845c947bcf5d11eaab0ebb67a8ae85d32431956b0552c576a39c23fd2a719941a2cf

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\WINlgsBMqf.bat
                Filesize

                160B

                MD5

                aafa578c4f87ab4f81d8734d57742856

                SHA1

                5ab9e72fb40c1abdfb1eda57f7e3fb5b5233c429

                SHA256

                b37254c86d60dd1522f796f1793c94275d3af90383ae4d4f93b4d74a3a16bf13

                SHA512

                6d046a71bcb9fdfde7d22606fc88d19cf42d3214be25b8c681090e5e5f61dfa42d9a77d79675d4fc5fce8bd9186bd582c5d74610b54e482b86b34d0d3d8ed8ce

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjgh0vgn.2r0.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
                Filesize

                1KB

                MD5

                a37c5f47cbccdac173cc9c9fab4e6018

                SHA1

                32e58564d9a0fc17f29f85b33ea599dc080d8f54

                SHA256

                8f9379a563a2c31e94fe19c798e83460a829fda7ee468720ac3d2393b383bb0f

                SHA512

                7a4342fddc92f1dfcddfccf83843a0d802d94ba9db74f9eb48ba4ed331987b14ca8e81932097bea369bdd053372d8e8c271faac4a7f841892d1f6e6ee10c8779

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\0rdc5lap\0rdc5lap.0.cs
                Filesize

                418B

                MD5

                cff9ce82522ef0cfe58e5ee102a6f32e

                SHA1

                503f58be32e17a726371fad195a4f5b4941e12f1

                SHA256

                bdf2b3e815957fb68026cc99ffc896e830cd74f899fc066a92f13955cc190061

                SHA512

                98bcbe80ec6f920c5aa3ed4e38c4b0fb953e53dd3a7c69985596d5fed2f97f4a4f094924a2b4e829744cb7df69589891eb28db77949e8b1255f0b643e295224c

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\0rdc5lap\0rdc5lap.cmdline
                Filesize

                235B

                MD5

                9d7da6b2d46ae2b63ec894785a29c11d

                SHA1

                743030264f04cc2a00dc7bdad4f80f1542cc6965

                SHA256

                9cd8f152ad85452d294ab53af6707bc2bb935b18bfe5f7dbfa6619afff3fe396

                SHA512

                2dbfb7c6ea5404cb3cc04ef222002971dff7bf0b251d7a99dfa5bffcf70e689cfa3e667af4d5e6eca920bdd9530f36f62ac0e9651c24f4962795c9ac7274584e

                Download Submit

              • \??\c:\Windows\System32\CSC24C2D99239342C895A0D485BAF29C56.TMP
                Filesize

                1KB

                MD5

                e92d6163c5c559e0cbdce8febce805ad

                SHA1

                ac0a33efa2f0d956906c678bf53e29f228b9cfd2

                SHA256

                766b92de44044fd18d43b4c0d80edb9952ad23c11c48d13756d3dc71f49cf0f9

                SHA512

                f48a0bc1ece5786078dff2a8bed5d58d518965ee5ab072699a5c07f53c94d2161896f9103763d49f1fdcc07d39fdabbb85b6a5d7c2d986983e9d72fd422e0590

                Download Submit

              • memory/1408-299-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1424-65-0x00007FFC8D300000-0x00007FFC8D301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1424-56-0x00007FFC8D320000-0x00007FFC8D321000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1424-12-0x0000000000320000-0x00000000004FA000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/1424-61-0x000000001B470000-0x000000001B488000-memory.dmp

                Filesize

                96KB

                Download

              • memory/1424-62-0x00007FFC8D310000-0x00007FFC8D311000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1424-59-0x000000001B4C0000-0x000000001B510000-memory.dmp

                Filesize

                320KB

                Download

              • memory/1424-58-0x000000001B450000-0x000000001B46C000-memory.dmp

                Filesize

                112KB

                Download

              • memory/1424-94-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1424-96-0x00007FFC8D3E0000-0x00007FFC8D49E000-memory.dmp

                Filesize

                760KB

                Download

              • memory/1424-25-0x000000001B140000-0x000000001B150000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1424-55-0x00007FFC8D3E0000-0x00007FFC8D49E000-memory.dmp

                Filesize

                760KB

                Download

              • memory/1424-54-0x000000001B140000-0x000000001B150000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1424-52-0x0000000002590000-0x000000000259E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/1424-64-0x000000001B000000-0x000000001B00C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/1424-53-0x00007FFC8D330000-0x00007FFC8D331000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1424-50-0x00007FFC8D3E0000-0x00007FFC8D49E000-memory.dmp

                Filesize

                760KB

                Download

              • memory/1424-40-0x000000001B140000-0x000000001B150000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1424-13-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1424-26-0x0000000002540000-0x0000000002541000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2016-100-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2016-290-0x000001E5FA660000-0x000001E5FA670000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2016-291-0x000001E5FA660000-0x000001E5FA670000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2396-308-0x000002197C7F0000-0x000002197C800000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2396-293-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2420-292-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2860-301-0x00000209E4270000-0x00000209E4280000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2860-300-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3484-277-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3484-110-0x0000024347A80000-0x0000024347AA2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/3484-309-0x000002435FBB0000-0x000002435FBC0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3484-297-0x000002435FBB0000-0x000002435FBC0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3484-294-0x000002435FBB0000-0x000002435FBC0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3572-281-0x000001D535A10000-0x000001D535A20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3572-95-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3724-99-0x000001FBFD690000-0x000001FBFD6A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3724-98-0x000001FBFD690000-0x000001FBFD6A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3724-97-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3756-282-0x000001B8EAEC0000-0x000001B8EAED0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3756-283-0x000001B8EAEC0000-0x000001B8EAED0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3756-307-0x000001B8EAEC0000-0x000001B8EAED0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3808-305-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3816-284-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3836-306-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3912-120-0x0000027299AA0000-0x0000027299AB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3912-164-0x0000027299AA0000-0x0000027299AB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3912-111-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3988-236-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3988-310-0x0000020E065E0000-0x0000020E065F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3988-295-0x0000020E065E0000-0x0000020E065F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3988-278-0x0000020E065E0000-0x0000020E065F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4212-289-0x000002B84F580000-0x000002B84F590000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4212-288-0x000002B84F580000-0x000002B84F590000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4212-287-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4540-285-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4540-312-0x0000015671BD0000-0x0000015671BE0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4540-286-0x0000015671BD0000-0x0000015671BE0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-280-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4620-298-0x00000293226A0000-0x00000293226B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-296-0x00000293226A0000-0x00000293226B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4652-311-0x000002361DF80000-0x000002361DF90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4652-302-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/5048-304-0x00000203F9D40000-0x00000203F9D50000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5048-303-0x00007FFC6EA20000-0x00007FFC6F4E1000-memory.dmp

                Filesize

                10.8MB

                Download