Overview

overview

10

Static

static

10

17eb4c4e58...bd.exe

windows7-x64

10

17eb4c4e58...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-05-2024 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17eb4c4e58353a5db52602d0ae321fbd.exe

  • Size

    1.9MB

  • MD5

    17eb4c4e58353a5db52602d0ae321fbd

  • SHA1

    791e65e864b8831b86149c079b09d04cac894e59

  • SHA256

    22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

  • SHA512

    a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14

  • SSDEEP

    24576:kGcK2o1bNcsQSVR7z/7VlQR/Ys6Yy0RbZEd3oJ30mJrqTgOEOkm6GNBO0mQP:7l777HagqbZoaEoki5m6G/FmQ

Score
10/10
zgratexecutionpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe
    "C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hk1esbkf\hk1esbkf.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59.tmp" "c:\Windows\System32\CSCF6159402EB3A46FCBB1E9A1D243FDD99.TMP"
        3⤵
          PID:2628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2244
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1752
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2432
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\Idle.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\lsm.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:752
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J1o8y5Rq4c.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:472
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:2420
          • C:\Users\All Users\Adobe\Updater6\Idle.exe
            "C:\Users\All Users\Adobe\Updater6\Idle.exe"
            3⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1252
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "17eb4c4e58353a5db52602d0ae321fbd1" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "17eb4c4e58353a5db52602d0ae321fbd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1676
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "17eb4c4e58353a5db52602d0ae321fbd1" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1556

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Modify Registry

      3
      T1112

      Subvert Trust Controls

      1
      T1553

      Install Root Certificate

      1
      T1553.004

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe
        Filesize

        1.9MB

        MD5

        17eb4c4e58353a5db52602d0ae321fbd

        SHA1

        791e65e864b8831b86149c079b09d04cac894e59

        SHA256

        22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

        SHA512

        a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\J1o8y5Rq4c.bat
        Filesize

        170B

        MD5

        1a5ea423c58bb2c31526927e225c7723

        SHA1

        4b70d9983725ab3bb215a1410cd865755108d6fc

        SHA256

        b0a520cd1a1b08803d00931587fc3284df108c116e2bbf8d502370e758853a51

        SHA512

        f4a3f8d4e8d833ab9820589c9da69a5d99b9097118138043719d640ed1de1f250b4b934e095fe546afbb08d803af816954ddbdfbce2005018fcce4edb2e62463

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESD59.tmp
        Filesize

        1KB

        MD5

        e91e5b815c11f0394d2d645f73c964fd

        SHA1

        0d00cb6d027c6090b0046d9763abd57c58d8956d

        SHA256

        dc76de7db95d0ba4df9e6e4ae0c7fe07f6aa1d1c4f6aa168a14d90fa8fc6f329

        SHA512

        1f942675fc7c80c069ee71f3f4763250032cff5ea45cd39adefee36a297455984b815e2d96c7237d74ff4ded360831c9ce6410b2b0a1f40519db7db1a9e375f1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        0cf54f666ff995a80367648a31f94f0b

        SHA1

        634d10b723d3f6815f7745bceae808b891872e50

        SHA256

        da977b17a23899f5027967aa4e7a5e84ab19d8327ed6c9f355dd2f18c504ad00

        SHA512

        f40b5fdff9b220f582f0bf219dd05a7d0dad0547a1c367d6825226ebf91f08b7a83a7ebd6fea12c4092c18beac79cb3ad14616ff0c5c1e42b5dea526c8dc456b

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\hk1esbkf\hk1esbkf.0.cs
        Filesize

        390B

        MD5

        5921d9ddff616b8059bcaf7bc37d6f11

        SHA1

        4975fb2d543eb5ff3503189c60050a6b98e7d160

        SHA256

        65d992addd7c4e41506bb99cd9f572a06e1c5fe9b8a1ef3fc1e925a6a4d3472e

        SHA512

        87bb9fa0004b81f3d9280e3a0dad18f6c56ea5cca20a55f22fcae7cfebbbea788b14e47a18d5ac7289c01e38bee72e685b2b1010fdf68655f764c4842d22581a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\hk1esbkf\hk1esbkf.cmdline
        Filesize

        235B

        MD5

        f8cc380e5b266fb6d105db47f3161b3f

        SHA1

        d2df8ebc7651aee6af1769ec7c758946a145c945

        SHA256

        d778fb9976df3b24befb6cabcb1846d61cd3d275705868beb19466f6b933a925

        SHA512

        5be579a6715418d15b7dbc1e812a108a3ed28e5f147bbfc6ef3ce1d19cef6546403aa784e736a28abc25de2b7add6bde140ba306482717f7772487a86798286e

        Download Submit

      • \??\c:\Windows\System32\CSCF6159402EB3A46FCBB1E9A1D243FDD99.TMP
        Filesize

        1KB

        MD5

        3ffa0b85adc175bc535d5b61b093b6a5

        SHA1

        7fa7715f9f18aa1d9edc45935ca867602fa37894

        SHA256

        f05ea17245f2e54aa3b2a0a8ede3f86af5fb4e4f0cf0a6aa69c4e95103304d46

        SHA512

        d1034200ad1232d7e36d3d867e701357c9eb8e8ad063743deceb563b24eb099e6ea660e38099cf161c12c97fe11cf6b044a31846949d63d4a121f1692c9e6fde

        Download Submit

      • memory/752-101-0x0000000001F40000-0x0000000001F48000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2256-94-0x000000001B490000-0x000000001B772000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2592-146-0x0000000000150000-0x000000000033A000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2852-9-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-13-0x0000000000530000-0x000000000053E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2852-22-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-19-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-16-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-18-0x0000000000A30000-0x0000000000A3C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2852-34-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-30-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-15-0x0000000000540000-0x0000000000548000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2852-20-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-8-0x00000000009F0000-0x0000000000A0C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2852-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2852-11-0x0000000000A10000-0x0000000000A28000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2852-6-0x0000000000520000-0x000000000052E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2852-117-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-4-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-3-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2852-1-0x0000000000CE0000-0x0000000000ECA000-memory.dmp

        Filesize

        1.9MB

        Download