Malware Analysis Report

2025-08-10 12:33

Sample ID 240403-pr1wwsdb5y
Target 2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333
SHA256 2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333
Tags
stealc zgrat discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333

Threat Level: Known bad

The file 2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333 was found to be: Known bad.

Malicious Activity Summary

stealc zgrat discovery rat spyware stealer

Stealc

Detect ZGRat V1

ZGRat

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 12:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 12:34

Reported

2024-04-03 12:37

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe N/A
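The three registry reads logged above for this run (Control Panel\International\Geo\Nation, the SCSI enumeration and ProcessorNameString; behavioral2 records the same SCSI and CPU reads) are the parts of a host fingerprint: locale, storage hardware and CPU model. Stealers commonly use the GeoID to select or exclude regions and the other two values to recognise a virtual machine and to label the victim in the exfiltrated profile. The Python below is an example added by the editor, not code from the sandbox or the sample: it applies those checks to a constructed registry snapshot (a plain dict standing in for the live hive, so it runs on any OS). The GeoID table is a small subset of Windows GeoIDs, the hypervisor marker strings are the editor's own list, and the snapshot values imitate a VirtualBox guest; none of them are taken from the report.

```python
"""Host fingerprint from the registry values this sample reads (added example)."""
from typing import Dict, List

# Registry paths as printed in the report, abbreviated with HKCU/HKLM.
NATION_KEY = r"HKCU\Control Panel\International\Geo\Nation"
CPU_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"
SCSI_KEY = r"HKLM\SYSTEM\ControlSet001\Enum\SCSI"

# Subset of Windows GeoID values stored (as a decimal REG_SZ) under Geo\Nation.
GEOID_COUNTRY = {244: "US", 94: "DE", 84: "FR", 242: "GB", 203: "RU", 241: "UA", 45: "CN"}

# Substrings in SCSI device IDs or the CPU name that give away common hypervisors.
# Editor's list; extend it for the platforms you care about.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

# Constructed snapshot imitating a Windows 10 VirtualBox guest (not from the report).
SNAPSHOT: Dict[str, object] = {
    NATION_KEY: "244",
    CPU_KEY: "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    SCSI_KEY: ["Disk&Ven_VBOX&Prod_HARDDISK", "CdRom&Ven_VBOX&Prod_CD-ROM"],
}


def fingerprint(snapshot: Dict[str, object]) -> Dict[str, object]:
    """Build the locale/CPU/disk profile and flag hypervisor markers."""
    nation = str(snapshot.get(NATION_KEY, ""))
    geoid = int(nation) if nation.isdigit() else None
    cpu = str(snapshot.get(CPU_KEY, ""))
    devices: List[str] = [str(d) for d in snapshot.get(SCSI_KEY, [])]  # type: ignore[union-attr]
    hits = sorted({m for text in [cpu, *devices] for m in VM_MARKERS if m in text.upper()})
    return {
        "geoid": geoid,
        "country": GEOID_COUNTRY.get(geoid, "unknown") if geoid is not None else "unknown",
        "cpu": cpu,
        "scsi_devices": devices,
        "vm_indicators": hits,
        "looks_virtual": bool(hits),
    }


if __name__ == "__main__":
    for key, value in fingerprint(SNAPSHOT).items():
        print(f"{key}: {value}")
```

Running it against a snapshot taken from your own analysis VM tells you what the sample would have learned there; if `looks_virtual` is true, the same strings are what a hardened sandbox image should rename.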

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3596 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe
PID 3596 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe
PID 3596 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe
PID 3596 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe
PID 3596 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe
PID 3596 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe
PID 4024 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 4024 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 5000 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe
PID 1820 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe
PID 1820 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe
PID 4164 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 988 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 988 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
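The rows above come in groups of two or three per parent/child pair and line up exactly with the Processes list that follows, which is the pattern of a parent writing startup data into a child it has just created rather than injection into an unrelated process; collapsing the duplicates therefore yields the spawn tree (sample -> u2rw.0.exe -> cmd.exe -> JDGCGHCGHC.exe -> cmd.exe -> PING.EXE, and sample -> u2rw.1.exe -> SystemMechanic installer). The Python below is an example added by the editor, not tooling from the sandbox: it parses the table as printed, deduplicates the edges and prints the tree and the deepest chain. The row text is copied from this behavioral1 table; the behavioral2 table parses the same way.

```python
"""Rebuild the spawn chain from the WriteProcessMemory table (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Rows copied from the "Suspicious use of WriteProcessMemory" table above.
REPORT_ROWS = r"""
PID 3596 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe
PID 3596 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe
PID 3596 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe
PID 3596 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe
PID 3596 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe
PID 3596 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe
PID 4024 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 4024 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 5000 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe
PID 1820 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe
PID 1820 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe
PID 4164 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 988 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 988 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
"""

# "PID <parent> wrote to memory of <child> <indicator> <parent image> <child image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


@dataclass(frozen=True)
class Edge:
    parent_pid: int
    child_pid: int
    parent_image: str
    child_image: str


def parse_rows(text: str) -> List[Edge]:
    """Parse the rows and collapse the repeated writes into one edge per pair."""
    edges: List[Edge] = []
    seen: Set[Edge] = set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = Edge(int(m[1]), int(m[2]), m[3], m[4])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges: List[Edge]) -> Tuple[List[int], Dict[int, List[int]], Dict[int, str]]:
    """Return (root pids, children by pid, image path by pid) in first-seen order."""
    children: Dict[int, List[int]] = {}
    image: Dict[int, str] = {}
    for e in edges:
        children.setdefault(e.parent_pid, []).append(e.child_pid)
        image.setdefault(e.parent_pid, e.parent_image)
        image.setdefault(e.child_pid, e.child_image)
    child_pids = {e.child_pid for e in edges}
    roots = [pid for pid in image if pid not in child_pids]
    return roots, children, image


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def render_tree(roots: List[int], children: Dict[int, List[int]], image: Dict[int, str], depth: int = 0) -> str:
    """Indented text tree, one process per line."""
    lines: List[str] = []
    for pid in roots:
        lines.append("  " * depth + f"{pid} {basename(image[pid])}")
        sub = render_tree(children.get(pid, []), children, image, depth + 1)
        if sub:
            lines.append(sub)
    return "\n".join(lines)


def longest_chain(roots: List[int], children: Dict[int, List[int]], image: Dict[int, str]) -> List[str]:
    """Deepest root-to-leaf path as image basenames (the loader's main stage chain)."""
    best: List[str] = []

    def walk(pid: int, path: List[str]) -> None:
        nonlocal best
        path = path + [basename(image[pid])]
        kids = children.get(pid, [])
        if not kids and len(path) > len(best):
            best = path
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return best


if __name__ == "__main__":
    roots, children, image = build_tree(parse_rows(REPORT_ROWS))
    print(render_tree(roots, children, image))
    print(" -> ".join(longest_chain(roots, children, image)))
```

The same parser works on the behavioral2 table; comparing the two trees is a quick way to confirm the loader behaves identically on Windows 10 and Windows 11, with only the random payload names (JDGCGHCGHC.exe versus KEBKJDBAAK.exe) changing.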

Processes

C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe

"C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe"

C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe"

C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe

"C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3596 -ip 3596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1512

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 2320

C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe

"C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

Network

Country Destination Domain Proto
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 209.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.251:443 download.iolo.net tcp
US 8.8.8.8:53 251.2.93.185.in-addr.arpa udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 150.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
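How to read the network table above: rows whose Domain column is the bare IP are connections made without any DNS lookup, i.e. hard-coded addresses, and are the C2 candidates; here the four 185.172.128.0/24 hosts on port 80 are consistent with Stealc's plain-HTTP check-in. Rows to 8.8.8.8:53 with in-addr.arpa names are reverse lookups of addresses the VM touched and are usually sandbox or OS background rather than something the sample asked for, but they can be reversed back into IPs to see what was resolved yet never contacted. The named hosts (svc.iolo.com, download.iolo.net, westus2-2.in.applicationinsights.azure.com) belong to the iolo System Mechanic installer that u2rw.1.exe launched and should be triaged separately from the stealer traffic; the row for 20.231.121.79:80 has no Domain value in the report and is kept as its own bucket rather than guessed. The Python below is an example added by the editor, not sandbox tooling: it parses the table exactly as printed (rows copied from this run; the behavioral2 table parses the same way) and sorts it into those buckets.

```python
"""Bucket a sandbox network table into C2 candidates, vendor traffic and noise (added example)."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Rows copied from the behavioral1 Network table above, header included.
NETWORK_ROWS = """\
Country Destination Domain Proto
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 209.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.251:443 download.iolo.net tcp
US 8.8.8.8:53 251.2.93.185.in-addr.arpa udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 150.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
"""


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]  # None when the report printed no Domain column
    proto: str


# "CC ip:port [domain] proto"; the domain is optional (see the 20.231.121.79 row).
ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_network(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            flows.append(Flow(m[1], m[2], int(m[3]), m[4], m[5]))
    return flows


def ptr_to_ip(name: str) -> str:
    """'90.128.172.185.in-addr.arpa' -> '185.172.128.90', validated as an IPv4 address."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        raise ValueError(f"not a PTR name: {name}")
    labels = name[: -len(suffix)].split(".")
    return str(ipaddress.ip_address(".".join(reversed(labels))))


def classify(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Split flows into direct-to-IP, named host, reverse-lookup and no-domain buckets."""
    buckets: Dict[str, Set[str]] = {"direct_ip": set(), "named": set(), "reverse_lookup": set(), "no_domain": set()}
    for f in flows:
        if f.domain is None:
            buckets["no_domain"].add(f.ip)
        elif f.domain.lower().endswith(".in-addr.arpa"):
            buckets["reverse_lookup"].add(ptr_to_ip(f.domain))
        elif f.domain == f.ip:
            buckets["direct_ip"].add(f.ip)
        else:
            buckets["named"].add(f.domain)
    return buckets


def c2_candidates(flows: List[Flow]) -> List[str]:
    """Direct-to-IP TCP endpoints with port, first-seen order, no duplicates."""
    seen: List[str] = []
    for f in flows:
        endpoint = f"{f.ip}:{f.port}"
        if f.proto == "tcp" and f.domain == f.ip and endpoint not in seen:
            seen.append(endpoint)
    return seen


def resolved_but_not_contacted(flows: List[Flow]) -> Set[str]:
    """IPs that only show up via a reverse lookup and never as a connection."""
    contacted = {f.ip for f in flows if f.port != 53}
    return classify(flows)["reverse_lookup"] - contacted


if __name__ == "__main__":
    flows = parse_network(NETWORK_ROWS)
    print("C2 candidates:", c2_candidates(flows))
    print("named hosts:", sorted(classify(flows)["named"]))
    print("resolved only:", sorted(resolved_but_not_contacted(flows)))
```

The direct-to-IP list is what goes into a block list; the resolved-only set is worth a glance before you do, since it shows which background addresses the VM was chatting with during the same window and keeps them out of the sample's indicators.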

Files

memory/3596-1-0x00000000008E0000-0x00000000009E0000-memory.dmp

memory/3596-2-0x00000000025D0000-0x000000000263C000-memory.dmp

memory/3596-3-0x0000000000400000-0x0000000000889000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe

MD5 9105a03d2ead89d612c53f1dc322eb9e
SHA1 af3d72c0f399ba16b678910e21eb04e8e6122bee
SHA256 c975efca05f5c6f2abc2491a6f8d3d498438622d045c7370bf6d68a53e0241a7
SHA512 4dd290c0ce5fd4414600f3c869a6ee6fba2c7b8ec856d6aed0dffb17253eb0c37b4945d2c5881d1fc40547c8f1b1ef22e63fce229ebfc19022e44b8ee87b2fcf

memory/5000-13-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/5000-14-0x0000000002470000-0x0000000002497000-memory.dmp

memory/5000-15-0x0000000000400000-0x0000000000866000-memory.dmp

memory/5000-16-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3596-64-0x0000000000400000-0x0000000000889000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/5000-98-0x0000000000400000-0x0000000000866000-memory.dmp

memory/3596-99-0x00000000008E0000-0x00000000009E0000-memory.dmp

memory/4024-100-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/3596-105-0x0000000000400000-0x0000000000889000-memory.dmp

memory/5000-137-0x0000000000400000-0x0000000000866000-memory.dmp

memory/5000-138-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/5000-139-0x0000000000400000-0x0000000000866000-memory.dmp

memory/4024-140-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4024-152-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4704-153-0x00007FFCBC9A0000-0x00007FFCBD461000-memory.dmp

memory/4704-154-0x00000292033E0000-0x0000029206CD8000-memory.dmp

memory/4704-155-0x00000292222B0000-0x00000292222C0000-memory.dmp

memory/4704-156-0x00000292224B0000-0x00000292225C0000-memory.dmp

memory/4704-158-0x0000029208B80000-0x0000029208B8C000-memory.dmp

memory/4704-157-0x00000292070F0000-0x0000029207100000-memory.dmp

memory/4704-159-0x00000292089F0000-0x0000029208A04000-memory.dmp

memory/4704-160-0x0000029208B90000-0x0000029208BB4000-memory.dmp

memory/4704-161-0x0000029222210000-0x000002922221A000-memory.dmp

memory/4704-162-0x0000029222230000-0x000002922225A000-memory.dmp

memory/4704-163-0x00000292222C0000-0x0000029222372000-memory.dmp

memory/4704-164-0x0000029222700000-0x000002922277A000-memory.dmp

memory/4704-165-0x0000029222780000-0x00000292227E2000-memory.dmp

memory/4704-167-0x0000029222860000-0x00000292228D6000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/4704-171-0x0000029222220000-0x000002922222A000-memory.dmp

memory/4704-175-0x00000292228E0000-0x0000029222BE0000-memory.dmp

memory/4704-180-0x00000292222B0000-0x00000292222C0000-memory.dmp

memory/4704-179-0x0000029222840000-0x0000029222848000-memory.dmp

memory/4704-181-0x00000292222B0000-0x00000292222C0000-memory.dmp

memory/4704-178-0x00000292222B0000-0x00000292222C0000-memory.dmp

memory/4704-182-0x0000029222C50000-0x0000029222C88000-memory.dmp

memory/4704-183-0x0000029222C10000-0x0000029222C1E000-memory.dmp

memory/4704-184-0x0000029222CC0000-0x0000029222CCA000-memory.dmp

memory/4704-185-0x0000029226B50000-0x0000029226B72000-memory.dmp

memory/4704-186-0x0000029227FC0000-0x00000292284E8000-memory.dmp

memory/4704-190-0x0000029222D40000-0x0000029222D90000-memory.dmp

memory/4704-189-0x00000292222B0000-0x00000292222C0000-memory.dmp

memory/4704-191-0x0000029222CD0000-0x0000029222CDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

memory/5000-198-0x0000000000400000-0x0000000000866000-memory.dmp

memory/4164-199-0x0000000000230000-0x0000000000250000-memory.dmp

memory/4164-200-0x0000000072580000-0x0000000072D30000-memory.dmp

memory/4164-202-0x00000000023C0000-0x00000000023D0000-memory.dmp

memory/4164-205-0x0000000072580000-0x0000000072D30000-memory.dmp

memory/4704-206-0x0000029222D90000-0x0000029222DB2000-memory.dmp

memory/4704-207-0x0000029222D20000-0x0000029222D3E000-memory.dmp

memory/4704-209-0x00007FFCBC9A0000-0x00007FFCBD461000-memory.dmp

memory/4704-210-0x00000292222B0000-0x00000292222C0000-memory.dmp

memory/4704-211-0x00000292222B0000-0x00000292222C0000-memory.dmp

memory/4704-212-0x00000292222B0000-0x00000292222C0000-memory.dmp

memory/4704-213-0x00000292222B0000-0x00000292222C0000-memory.dmp

memory/4704-214-0x00000292222B0000-0x00000292222C0000-memory.dmp
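Two behaviours recorded in this run are worth turning into host detections. First, the command line under Processes, cmd.exe /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe: the ping to an address that will not answer is a sleep that lets the payload process exit and release its file before Del runs, which is why "Runs ping.exe" appears as a signature. Second, the nss3.dll and mozglue.dll files written to C:\ProgramData: Stealc, like Vidar and Raccoon, fetches legitimate Mozilla libraries so it can decrypt Firefox's stored logins, which is what "Reads user/profile data of web browsers" and "Downloads MZ/PE file" reflect here. The Python below is an example added by the editor, not a rule shipped by the sandbox or any vendor: it runs both checks over constructed Sysmon-style events (dicts, not real telemetry). The self-delete event reuses the command line from this report; the two file events assume u2rw.0.exe wrote the DLLs, which the report shows it loading; the benign controls, the timeout variant of the idiom and the Mozilla-directory allow list are the editor's additions.

```python
"""Two behavioural detections taken from this report, over constructed events (added example)."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional


class Finding(NamedTuple):
    rule: str
    image: str
    detail: str


# Rule 1: delay-then-delete. `timeout` is accepted as well as `ping` because both are
# used in the wild for the same purpose (editor's generalisation of the page's sample).
SELF_DELETE_RE = re.compile(
    r'(?:ping\s+\S+(?:\s+-n\s+\d+)?(?:\s+-w\s+\d+)?|timeout\s+(?:/t\s+)?\d+)'
    r'\s*>\s*nul\s*&+\s*del\s+(?:/[a-z]\s+)*"?(?P<path>[^"&]+)',
    re.IGNORECASE,
)
# Uninstallers use the same idiom, so only alert when the deleted file lives in a Temp dir.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Rule 2: Mozilla NSS libraries appearing outside a Mozilla product directory.
NSS_LIBS = {"nss3.dll", "mozglue.dll"}
MOZILLA_DIR_RE = re.compile(r"\\(?:mozilla firefox|mozilla thunderbird|firefox)\\", re.IGNORECASE)


def check_process(ev: Dict[str, str]) -> Optional[Finding]:
    m = SELF_DELETE_RE.search(ev.get("command_line", ""))
    if not m:
        return None
    path = m["path"].strip()
    if not TEMP_DIR_RE.search(path):
        return None
    return Finding("self_delete_from_temp", ev["image"], path)


def check_file(ev: Dict[str, str]) -> Optional[Finding]:
    target = ev.get("target", "")
    if target.rsplit("\\", 1)[-1].lower() in NSS_LIBS and not MOZILLA_DIR_RE.search(target):
        return Finding("nss_library_dropped", ev["image"], target)
    return None


def detect(events: Iterable[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev["event"] == "process_create":
            f = check_process(ev)
        elif ev["event"] == "file_create":
            f = check_file(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed events. The first three mirror this report; the rest are benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe'},
    # Writer assumed to be u2rw.0.exe, which the report shows loading both DLLs.
    {"event": "file_create", "image": r"C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe", "target": r"C:\ProgramData\nss3.dll"},
    {"event": "file_create", "image": r"C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe", "target": r"C:\ProgramData\mozglue.dll"},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /C ping 8.8.8.8 -n 4"},
    {"event": "file_create", "image": r"C:\Users\Admin\Downloads\Firefox Setup.exe", "target": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd /c timeout 2 > nul & del "C:\Program Files\Vendor\uninstall.exe"'},
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.image} -> {finding.detail}")
```

On real telemetry the first rule maps to Sysmon Event ID 1 (CommandLine) and the second to Event ID 11 (TargetFilename); the Temp-directory and Mozilla-directory conditions are what keep them quiet on software installs, so tune those allow lists rather than the core patterns.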

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 12:34

Reported

2024-04-03 12:37

Platform

win11-20240221-en

Max time kernel

132s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe
PID 4948 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe
PID 4948 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe
PID 4948 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe
PID 4948 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe
PID 4948 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe
PID 4404 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe
PID 4800 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe
PID 4800 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe
PID 3780 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2588 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2588 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4212 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 4212 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe

"C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe"

C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe"

C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4948 -ip 4948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1040

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 2452

C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe

"C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

Network

Country Destination Domain Proto
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 20.157.87.45:80 svc.iolo.com tcp
FR 185.93.2.251:443 download.iolo.net tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp

Files

memory/4948-1-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/4948-2-0x00000000026E0000-0x000000000274C000-memory.dmp

memory/4948-3-0x0000000000400000-0x0000000000889000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe

MD5 9105a03d2ead89d612c53f1dc322eb9e
SHA1 af3d72c0f399ba16b678910e21eb04e8e6122bee
SHA256 c975efca05f5c6f2abc2491a6f8d3d498438622d045c7370bf6d68a53e0241a7
SHA512 4dd290c0ce5fd4414600f3c869a6ee6fba2c7b8ec856d6aed0dffb17253eb0c37b4945d2c5881d1fc40547c8f1b1ef22e63fce229ebfc19022e44b8ee87b2fcf

memory/4404-13-0x0000000000A90000-0x0000000000B90000-memory.dmp

memory/4404-14-0x00000000009D0000-0x00000000009F7000-memory.dmp

memory/4404-15-0x0000000000400000-0x0000000000866000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/4212-26-0x0000000002870000-0x0000000002871000-memory.dmp

memory/4948-27-0x0000000000400000-0x0000000000889000-memory.dmp

memory/4948-37-0x00000000026E0000-0x000000000274C000-memory.dmp

memory/4404-38-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4404-128-0x0000000000400000-0x0000000000866000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/4212-134-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

memory/3780-143-0x0000000000DD0000-0x0000000000DF0000-memory.dmp

memory/3780-144-0x0000000071C80000-0x0000000072431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 d823a7ed09a4edc565871aa3211fa946
SHA1 719bbdec2c5800a3802c8e91a211ae104022454e
SHA256 cba0455c183b857060ace176c34c422bafb1c583718e84b89929347b3629eb1c
SHA512 0f7caa12f18938a45ee9be627be954b05ebf7c28213ccb8058676a752ac7f79049548e00763b31347c89c55d9ff34dd4e864e95026b5b96014b2397ce69cabc4

memory/4404-152-0x0000000000400000-0x0000000000866000-memory.dmp

memory/4404-153-0x0000000000A90000-0x0000000000B90000-memory.dmp

memory/3780-155-0x0000000005710000-0x0000000005720000-memory.dmp

memory/3780-157-0x0000000071C80000-0x0000000072431000-memory.dmp

memory/4212-160-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1012-161-0x00007FFC9A640000-0x00007FFC9B102000-memory.dmp

memory/1012-162-0x000002A3C0F40000-0x000002A3C4838000-memory.dmp

memory/1012-163-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp

memory/1012-164-0x000002A3DEFE0000-0x000002A3DF0F0000-memory.dmp

memory/1012-165-0x000002A3C6450000-0x000002A3C6460000-memory.dmp

memory/1012-166-0x000002A3DECF0000-0x000002A3DECFC000-memory.dmp

memory/1012-167-0x000002A3DECE0000-0x000002A3DECF4000-memory.dmp

memory/1012-168-0x000002A3DED50000-0x000002A3DED74000-memory.dmp

memory/1012-169-0x000002A3DED80000-0x000002A3DED8A000-memory.dmp

memory/1012-170-0x000002A3DF2E0000-0x000002A3DF392000-memory.dmp

memory/1012-171-0x000002A3DF0F0000-0x000002A3DF11A000-memory.dmp

memory/1012-172-0x000002A3DF390000-0x000002A3DF40A000-memory.dmp

memory/1012-173-0x000002A3DF120000-0x000002A3DF182000-memory.dmp

memory/1012-174-0x000002A3DF490000-0x000002A3DF506000-memory.dmp

memory/1012-175-0x000002A3C65F0000-0x000002A3C65FA000-memory.dmp

memory/1012-179-0x000002A3DF510000-0x000002A3DF810000-memory.dmp

memory/1012-181-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp

memory/1012-182-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp

memory/1012-184-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp

memory/1012-183-0x000002A3E38F0000-0x000002A3E38F8000-memory.dmp

memory/1012-185-0x000002A3E3870000-0x000002A3E38A8000-memory.dmp

memory/1012-186-0x000002A3E3840000-0x000002A3E384E000-memory.dmp

memory/1012-187-0x000002A3E41D0000-0x000002A3E41DA000-memory.dmp

memory/1012-188-0x000002A3E41E0000-0x000002A3E4202000-memory.dmp

memory/1012-189-0x000002A3E4730000-0x000002A3E4C58000-memory.dmp

memory/1012-192-0x000002A3E3FA0000-0x000002A3E3FF0000-memory.dmp

memory/1012-194-0x000002A3E3F50000-0x000002A3E3F5C000-memory.dmp

memory/1012-193-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp

memory/1012-195-0x000002A3E3FF0000-0x000002A3E4012000-memory.dmp

memory/1012-196-0x000002A3E4020000-0x000002A3E403E000-memory.dmp

memory/1012-198-0x00007FFC9A640000-0x00007FFC9B102000-memory.dmp

memory/1012-199-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp

memory/1012-200-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp

memory/1012-201-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp

memory/1012-202-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp

memory/1012-203-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp