Resubmissions

10-04-2024 02:17

240410-cqs4fafc2v 10

10-04-2024 02:17

240410-cqsgxabh56 10

10-04-2024 02:17

240410-cqrwdabh54 10

10-04-2024 02:17

240410-cqrklsbh53 10

13-05-2023 22:56

230513-2wtplahg95 10

Analysis

  • max time kernel
    1199s
  • max time network
    1207s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-04-2024 02:17

General

  • Target

    qsteemp.exe

  • Size

    165KB

  • MD5

    90cd3202af31b431dcc5e47cf3b8c0d7

  • SHA1

    747f68fb8f122241059c219eeeeadac61e8215be

  • SHA256

    e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

  • SHA512

    b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481

  • SSDEEP

    3072:fV6h5WXwyNUD44ykiQbGjlc/SGvjQtbGTl2MRMc:9AuwMPkhbGRc/T6A

Score
10/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6209822134:AAHQxD-CI1YDVcNbXijXHlonsEUgv3dfYtg/sendMessage?chat_id=-1001529292045

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Executes dropped EXE 42 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\qsteemp.exe
    "C:\Users\Admin\AppData\Local\Temp\qsteemp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\qsteemp.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:5020
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:3808
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:232
        • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
          "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpABB1.tmp" -C "C:\Users\Admin\AppData\Local\6kfrvwd31o"
            4⤵
              PID:3176
            • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
              "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:3344
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3936
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1232
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3112
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2428
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:420
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1596
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3444
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1884
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4172
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3176
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3220
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2180
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1008
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3592
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2648
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3544
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3180
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4764
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1364
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4780
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1288
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3284
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4800
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3892
      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2272

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\6kfrvwd31o\data\cached-microdesc-consensus

        Filesize

        2.7MB

        MD5

        814f8cba43d923834b0d0027591e52bf

        SHA1

        2814b4faa0221b252164fbf9586051c07faa050f

        SHA256

        406d96a4788b07a0c4bda0e289d04472bc92a13f3b5b51e7478d095986735597

        SHA512

        45d866ec699d731eb7a50669bfa2fb469652b92d92b4546d373777192bff9d2201095ec9e13079ff422b4a7a15175142aa7d2abb57aaf4262b3e837340677069

      • C:\Users\Admin\AppData\Local\6kfrvwd31o\data\cached-microdescs.new

        Filesize

        13.4MB

        MD5

        e9a80e0013a3a8f99768963ae8c2ccc6

        SHA1

        7556cd3c575af7d9cc65f39463e7dc27296443ab

        SHA256

        09b9e0689a6a13671afff5ba529e588ac283a2bd2c4199d2019a2701ea936c01

        SHA512

        09bfc0438a093e694f06bf9def2f204a907aa02ef066a339882a4ff198c81b246122de23a15bc8a656ed6153e767ff028ec18c8d5413d29106709c44843b5ec9

      • C:\Users\Admin\AppData\Local\6kfrvwd31o\host\hostname

        Filesize

        64B

        MD5

        0098d7d3e0621832410bc7058a596638

        SHA1

        e315b34be25e8d5050a95dbb11bfae746aee2ade

        SHA256

        31edd775d9b2f8606fde507e47e73b62e26d0b0ca20f958e9cc5976fd30274aa

        SHA512

        2373f0663c195a8a207de196194aab2a57e78217964e71e3e5c2c09bb3871f9bb56f81e73bae33b675c8fa0cae5933abf55f10440be00fd7a847965a4dd3f2f9

      • C:\Users\Admin\AppData\Local\6kfrvwd31o\port.dat

        Filesize

        4B

        MD5

        2ef35a8b78b572a47f56846acbeef5d3

        SHA1

        9270ef04bcf46fd89b1a3fc6622dae8f87858e55

        SHA256

        6d9eed144ee7038c5d3d1b16fc6f63fdfcdb34b0c9344f8026d7b99a092d86bd

        SHA512

        a415848b2f56bb9c1a71c1e715b7386c2f9bba0639a2a95a485058ee6118997bed0777d0681866248b6940cb9ef5aa52fff0f13b3070d5203347af380ce03289

      • C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe

        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

      • C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt

        Filesize

        218B

        MD5

        2388627b3b289e54ee49dbcbc23633cb

        SHA1

        bb812f52a12bf862f01c2667ae1268f6faec5673

        SHA256

        fa56cfc3a98511da2713c2b710a56196cb4c40ba5f26f9a0acaf4e274af068f4

        SHA512

        956ea262dd3a0d17fa839b66dfb73ec0973ef087cebeccc0121a0de7af80217dce415a482724a1ced7e8a5ffaa4b8ee59e471c10eb6f70bcc05dbae32b51f319

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qsteemp.exe.log

        Filesize

        1KB

        MD5

        081b644082c51f2ff0f00087877003b5

        SHA1

        2eeb0a8a592e5327873f5a6704031c1ff6d0bd31

        SHA256

        cc427c714517dd0a3c96354869ce1bb300bf4935006fc628ceb28e2f040197ac

        SHA512

        95621587e55a5f5111aea05cadbaf56429adde2de0c41c9de8e74c03d31116edf72b63d76f65af45e4b14b68fe214926425581f77113d332eb91b0b6a5598eff

      • C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe

        Filesize

        165KB

        MD5

        90cd3202af31b431dcc5e47cf3b8c0d7

        SHA1

        747f68fb8f122241059c219eeeeadac61e8215be

        SHA256

        e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

        SHA512

        b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481

      • C:\Users\Admin\AppData\Local\Temp\tmpABB1.tmp

        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

      • memory/420-106-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/420-108-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/952-0-0x0000029A2BF50000-0x0000029A2BF80000-memory.dmp

        Filesize

        192KB

      • memory/952-6-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/952-2-0x0000029A46660000-0x0000029A46670000-memory.dmp

        Filesize

        64KB

      • memory/952-1-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/968-267-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/968-269-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/1232-81-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/1232-84-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/1232-82-0x00000284EF630000-0x00000284EF640000-memory.dmp

        Filesize

        64KB

      • memory/1596-293-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/1596-287-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2036-242-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2036-244-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2280-222-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2280-224-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2292-160-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2292-163-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2292-161-0x00000284792E0000-0x00000284792F0000-memory.dmp

        Filesize

        64KB

      • memory/2360-12-0x000001AB6F000000-0x000001AB6F010000-memory.dmp

        Filesize

        64KB

      • memory/2360-65-0x000001AB6F000000-0x000001AB6F010000-memory.dmp

        Filesize

        64KB

      • memory/2360-64-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2360-11-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2524-94-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2524-96-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2780-236-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2780-230-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2812-141-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2812-139-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2944-173-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/2944-175-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/3052-147-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/3052-148-0x000001F8C02F0000-0x000001F8C0300000-memory.dmp

        Filesize

        64KB

      • memory/3052-150-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/3084-210-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/3084-212-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/3444-116-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/3444-114-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/3956-28-0x000001BD29D40000-0x000001BD29D50000-memory.dmp

        Filesize

        64KB

      • memory/3956-45-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/3956-19-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4012-187-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4012-185-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4780-255-0x000001BE533F0000-0x000001BE53400000-memory.dmp

        Filesize

        64KB

      • memory/4780-254-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4780-257-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4800-279-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4800-281-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4812-126-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4812-127-0x0000029D3F090000-0x0000029D3F0A0000-memory.dmp

        Filesize

        64KB

      • memory/4812-129-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4952-204-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB

      • memory/4952-202-0x0000025D48420000-0x0000025D48430000-memory.dmp

        Filesize

        64KB

      • memory/4952-201-0x00007FFDD4470000-0x00007FFDD4F32000-memory.dmp

        Filesize

        10.8MB