Overview

overview

10

Static

static

10

22ed346e6e...e1.exe

windows7-x64

10

22ed346e6e...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2024 01:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

  • Size

    1.9MB

  • MD5

    17eb4c4e58353a5db52602d0ae321fbd

  • SHA1

    791e65e864b8831b86149c079b09d04cac894e59

  • SHA256

    22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

  • SHA512

    a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14

  • SSDEEP

    24576:kGcK2o1bNcsQSVR7z/7VlQR/Ys6Yy0RbZEd3oJ30mJrqTgOEOkm6GNBO0mQP:7l777HagqbZoaEoki5m6G/FmQ

Score
10/10
zgratexecutionpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables packed with unregistered version of .NET Reactor 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
    "C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wscultq1\wscultq1.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19E7.tmp" "c:\Windows\System32\CSCBE992E9A261F429DAEEBA6F6E1226FEE.TMP"
        3⤵
          PID:2508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1704
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2280
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsass.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ko-KR\explorer.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1256
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\dwm.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:488
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nd9ASnzjaH.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1548
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:2016
            • C:\Program Files\Google\dwm.exe
              "C:\Program Files\Google\dwm.exe"
              3⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2488
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\System32\ko-KR\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\System32\ko-KR\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\ko-KR\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2768
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2804
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:556
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2736
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e12" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1816
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1340
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e12" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:864

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        Modify Registry

        3
        T1112

        Subvert Trust Controls

        1
        T1553

        Install Root Certificate

        1
        T1553.004

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsass.exe
          Filesize

          1.9MB

          MD5

          17eb4c4e58353a5db52602d0ae321fbd

          SHA1

          791e65e864b8831b86149c079b09d04cac894e59

          SHA256

          22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

          SHA512

          a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES19E7.tmp
          Filesize

          1KB

          MD5

          3cb4cbeab2d85f3e90a4519c3b2cc748

          SHA1

          2e8ec5b139c794de15127a123b8b1da2e23694cd

          SHA256

          43125523873bed13bf8d2af4b197f0385f9335e4cd2661fb8985329b9611ded3

          SHA512

          ec75754d4422a45bf2bde0164717861d40c6192aeb16be1c88897590467770ca9685c3c5ec746da4b0cea63eae69ab40e2ef0cceb7f360649ef90c9f477f76db

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nd9ASnzjaH.bat
          Filesize

          207B

          MD5

          cb9b4ef133724278be52a22590bc2cbf

          SHA1

          4a24fb21a255bc29f300a7c2509ec20eebd1f4d8

          SHA256

          63f1d0053faf0e4f96ce6cf2d385e1e55081e15614b5255e0b00db4884bea8d6

          SHA512

          37dad5f36eee839a660094183798018fea6f184b3a1213336434c51a822a4dee6dbbb3e1918680c1b5e95364494926dd86b06176ac5814b5124f44408208900d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          af3efe4ae0bb9f42cddbd62dc40bc5fc

          SHA1

          2fcf1ff3969484b84c0268afa8dc12c1b2cb4e50

          SHA256

          4194ec7f5eb7688c9dfe0cca6043c604b96a4e1207c26660f472fc3148388827

          SHA512

          1f4ca01e6dfc23318ffa065d1ca2694f371798e2e5cd372bb2bfb7c9c6faa9b3c4d53f8d37a9ce0f0296a2b9ab032459b8e771505d48e569c20287f4ef073de0

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wscultq1\wscultq1.0.cs
          Filesize

          404B

          MD5

          f975755d7714ffe41e3200b073a0069a

          SHA1

          9d46ac17f4b02e3af9e7c13a8311924cf20463e4

          SHA256

          45c220cb9d2440b74a14007ac40b8f21b304621ff69c39b99dbd818e24e96020

          SHA512

          502bb6f10c72b8d5064fe2a1e9d363d6267641a9f455e40e5b7c6d56d6da40603b76d28e6b8e3102131d7c8e16e360036b09d5dc9bde660dd320d99708b0e98f

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wscultq1\wscultq1.cmdline
          Filesize

          235B

          MD5

          d3273fc5f214fde3626d0bdc0f3c9b01

          SHA1

          e92fe755e409eadf07d828723341c94ded21e8ba

          SHA256

          f1bbb9751c506815b276f82883bc17d5d578e8576e5787f178d1370e146ca1c0

          SHA512

          e118a94cf42ffcac450a3e1e7fc38c38a9c4cb08a760820814ff31e141c09a657dfe581562c4e2691cbd038c2ae849891c9176ab6c5efc210e25b2b13d22f6ca

          Download Submit

        • \??\c:\Windows\System32\CSCBE992E9A261F429DAEEBA6F6E1226FEE.TMP
          Filesize

          1KB

          MD5

          984924caf6574026769de34f35c2358e

          SHA1

          6dd41e492235d812252231912aa025f47fa7a9e7

          SHA256

          2bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986

          SHA512

          5918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46

          Download Submit

        • memory/2120-61-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2120-62-0x0000000002390000-0x0000000002398000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2496-146-0x0000000001230000-0x000000000141A000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2960-8-0x00000000006F0000-0x000000000070C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2960-17-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-10-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-23-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-30-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-21-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-20-0x0000000000540000-0x000000000054C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2960-18-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-16-0x0000000000530000-0x0000000000538000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2960-14-0x0000000000520000-0x000000000052E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2960-12-0x0000000000A30000-0x0000000000A48000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2960-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2960-9-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-6-0x0000000000510000-0x000000000051E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2960-4-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-3-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-2-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-142-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2960-1-0x0000000000E10000-0x0000000000FFA000-memory.dmp

          Filesize

          1.9MB

          Download