Malware Analysis Report

2025-01-03 05:02

Sample ID 240105-efcd2saec5
Target 42af7513c4f90b903faea61ef6f3730e
SHA256 e04b61d1ca799559e8e22b4df62e49c134934fad3e9efe55d7336d171e4009d7
Tags
zgrat rat bitrat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e04b61d1ca799559e8e22b4df62e49c134934fad3e9efe55d7336d171e4009d7

Threat Level: Known bad

The file 42af7513c4f90b903faea61ef6f3730e was found to be: Known bad.

Malicious Activity Summary

zgrat rat bitrat trojan

BitRAT

Detect ZGRat V1

ZGRat

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-05 03:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 03:52

Reported

2024-01-05 03:55

Platform

win7-20231215-en

Max time kernel

0s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

"C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp

Files

memory/1992-0-0x00000000002D0000-0x000000000051E000-memory.dmp

memory/1992-1-0x0000000074BC0000-0x00000000752AE000-memory.dmp

memory/1992-2-0x0000000004580000-0x00000000045C0000-memory.dmp

memory/2328-5-0x000000006FE10000-0x00000000703BB000-memory.dmp

memory/2328-9-0x0000000002730000-0x0000000002770000-memory.dmp

memory/2328-8-0x0000000002730000-0x0000000002770000-memory.dmp

memory/2328-7-0x000000006FE10000-0x00000000703BB000-memory.dmp

memory/2328-6-0x0000000002730000-0x0000000002770000-memory.dmp

memory/2328-10-0x000000006FE10000-0x00000000703BB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LFRKQ2I9LTB8QBRMLIUY.temp

MD5 f194a34d8debfa0823a215a37bc1d9f9
SHA1 74ff9592e37907cdab3f98f3a0ff1605f0b9e688
SHA256 0969ecadde5434130e7e21d8185830cb6e4fdbd5c578590d595f2de61dd7ca94
SHA512 4c0e4d0371472efa7135bce813f1f1b1f1704ae56057ab8c27f2a324fc1b846abdb04644260bf49bc80066200e2ea074955c24583d845701c99753e6e0b28849

memory/2148-17-0x0000000002F90000-0x0000000002FD0000-memory.dmp

memory/2148-20-0x0000000002F90000-0x0000000002FD0000-memory.dmp

memory/2148-19-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2148-18-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2148-16-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2148-21-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2340-28-0x000000006FE80000-0x000000007042B000-memory.dmp

memory/2340-31-0x0000000002E40000-0x0000000002E80000-memory.dmp

memory/2340-30-0x0000000002E40000-0x0000000002E80000-memory.dmp

memory/2340-29-0x000000006FE80000-0x000000007042B000-memory.dmp

memory/2340-32-0x000000006FE80000-0x000000007042B000-memory.dmp

memory/2660-39-0x0000000002B30000-0x0000000002B70000-memory.dmp

memory/2660-40-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2660-38-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2660-41-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2520-47-0x000000006FE80000-0x000000007042B000-memory.dmp

memory/2520-49-0x000000006FE80000-0x000000007042B000-memory.dmp

memory/2520-50-0x0000000001CB0000-0x0000000001CF0000-memory.dmp

memory/2520-48-0x0000000001CB0000-0x0000000001CF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2520-51-0x000000006FE80000-0x000000007042B000-memory.dmp

memory/1992-57-0x0000000074BC0000-0x00000000752AE000-memory.dmp

memory/2028-60-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/1992-63-0x0000000004580000-0x00000000045C0000-memory.dmp

memory/2028-62-0x0000000002E00000-0x0000000002E40000-memory.dmp

memory/2028-61-0x0000000002E00000-0x0000000002E40000-memory.dmp

memory/2028-59-0x0000000002E00000-0x0000000002E40000-memory.dmp

memory/2028-58-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2220-70-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2220-71-0x0000000002120000-0x0000000002160000-memory.dmp

memory/2220-74-0x0000000002120000-0x0000000002160000-memory.dmp

memory/2220-73-0x0000000002120000-0x0000000002160000-memory.dmp

memory/2220-72-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2028-64-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2276-81-0x000000006FE40000-0x00000000703EB000-memory.dmp

memory/2276-85-0x0000000002E80000-0x0000000002EC0000-memory.dmp

memory/2276-84-0x0000000002E80000-0x0000000002EC0000-memory.dmp

memory/2276-83-0x000000006FE40000-0x00000000703EB000-memory.dmp

memory/2276-82-0x0000000002E80000-0x0000000002EC0000-memory.dmp

memory/2220-75-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/2276-86-0x000000006FE40000-0x00000000703EB000-memory.dmp

memory/1668-94-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/1668-96-0x00000000027B0000-0x00000000027F0000-memory.dmp

memory/1668-95-0x00000000027B0000-0x00000000027F0000-memory.dmp

memory/1668-93-0x00000000027B0000-0x00000000027F0000-memory.dmp

memory/1668-92-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/112-105-0x0000000002C40000-0x0000000002C80000-memory.dmp

memory/112-108-0x0000000002C40000-0x0000000002C80000-memory.dmp

memory/112-107-0x0000000002C40000-0x0000000002C80000-memory.dmp

memory/112-106-0x000000006FE80000-0x000000007042B000-memory.dmp

memory/112-104-0x000000006FE80000-0x000000007042B000-memory.dmp

memory/1668-97-0x000000006FEB0000-0x000000007045B000-memory.dmp

memory/1992-110-0x0000000009070000-0x0000000009294000-memory.dmp

memory/1992-112-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-120-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-128-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-134-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-142-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-150-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-156-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-164-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-170-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-174-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-172-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-168-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-175-0x00000000050E0000-0x0000000005152000-memory.dmp

memory/1992-166-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-162-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-160-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-158-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-154-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-152-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-148-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-146-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-144-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-140-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-138-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-136-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-132-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-130-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-126-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-124-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-122-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-118-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-116-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-114-0x0000000009070000-0x000000000928F000-memory.dmp

memory/1992-111-0x0000000009070000-0x000000000928F000-memory.dmp

memory/112-109-0x000000006FE80000-0x000000007042B000-memory.dmp

memory/1992-2561-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 03:52

Reported

2024-01-05 03:57

Platform

win10v2004-20231215-en

Max time kernel

58s

Max time network

201s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe"

Signatures

BitRAT

trojan bitrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

"C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
SE 185.157.160.147:1975 tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
SE 185.157.160.147:1975 tcp
GB 87.248.204.0:80 tcp
GB 87.248.204.0:80 tcp
GB 87.248.204.0:80 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.134.221.88.in-addr.arpa udp

Files

memory/4708-0-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4708-1-0x00000000000D0000-0x000000000031E000-memory.dmp

memory/4708-2-0x0000000005370000-0x0000000005914000-memory.dmp

memory/4708-3-0x0000000004CF0000-0x0000000004D82000-memory.dmp

memory/4708-4-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

memory/4708-5-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

memory/756-7-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/756-6-0x0000000004B50000-0x0000000004B86000-memory.dmp

memory/756-8-0x0000000004C40000-0x0000000004C50000-memory.dmp

memory/756-9-0x0000000004C40000-0x0000000004C50000-memory.dmp

memory/756-10-0x0000000005280000-0x00000000058A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54wiaoku.m2v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/756-18-0x0000000005B30000-0x0000000005B96000-memory.dmp

memory/756-17-0x0000000005A50000-0x0000000005AB6000-memory.dmp

memory/756-11-0x0000000005240000-0x0000000005262000-memory.dmp

memory/756-23-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

memory/756-25-0x0000000006170000-0x00000000061BC000-memory.dmp

memory/756-24-0x0000000006110000-0x000000000612E000-memory.dmp

memory/756-26-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/3460-28-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3460-30-0x0000000005B40000-0x0000000005E94000-memory.dmp

memory/3460-29-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3460-27-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/3460-40-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4236-42-0x0000000000F10000-0x0000000000F20000-memory.dmp

memory/4236-41-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4708-43-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4424-53-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4708-55-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

memory/4424-54-0x0000000002D90000-0x0000000002DA0000-memory.dmp

memory/4752-58-0x0000000002870000-0x0000000002880000-memory.dmp

memory/4424-60-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4236-59-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4752-57-0x0000000002870000-0x0000000002880000-memory.dmp

memory/4752-56-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/2240-70-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/2632-71-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/2632-72-0x0000000004930000-0x0000000004940000-memory.dmp

memory/2632-75-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/2204-77-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/2204-78-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/2204-76-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4752-74-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/2632-73-0x0000000004930000-0x0000000004940000-memory.dmp

memory/1844-88-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4708-100-0x0000000006370000-0x0000000006594000-memory.dmp

memory/4708-101-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-104-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-106-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-102-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-108-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-112-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-114-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-116-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-122-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-124-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-130-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-132-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-138-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-136-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-142-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-146-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-150-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-154-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-156-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-160-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-162-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-164-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-158-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-165-0x0000000006970000-0x00000000069E6000-memory.dmp

memory/4708-152-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-148-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-144-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-140-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-134-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-128-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-126-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-120-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-118-0x0000000006370000-0x000000000658F000-memory.dmp

memory/4708-110-0x0000000006370000-0x000000000658F000-memory.dmp

memory/1844-99-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/2204-89-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4708-166-0x00000000025B0000-0x0000000002622000-memory.dmp

memory/4708-2551-0x00000000069F0000-0x0000000006A0E000-memory.dmp

memory/4708-2558-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/2812-2557-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2812-2560-0x0000000074F20000-0x0000000074F59000-memory.dmp

memory/2812-2568-0x00000000752A0000-0x00000000752D9000-memory.dmp

memory/2812-2569-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2812-2572-0x00000000752A0000-0x00000000752D9000-memory.dmp

memory/2812-2575-0x00000000752A0000-0x00000000752D9000-memory.dmp