sectoprat | 18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a

Analysis

max time kernel
150s
max time network
161s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe
Size

411KB
MD5

59b2dff217cce36f03fe67d1fdc23690
SHA1

aca10e4c6a14d1a958fcf297dd2d2743fd66f2ec
SHA256

18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a
SHA512

fb58dda71ed84a5edf6e1e0de001fbb7e5bbd2e0fa5fb2c23655ba93007b645ad2142367710b9e7f480fd2bd0a86fe43b4acaf5915756239eca31325339f8c4b
SSDEEP

6144:uLmorbLzyLZ9sZ87lJCqaVmskIctWoPvz/tquYnwuyS3pYea5f31pa:uqo/DZ8jN6LNu/8uYmfva

Score

10^/10

sectoprat stealc zgrat rat stealer trojan

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/4620-136-0x00000168567F0000-0x000001685A0E8000-memory.dmp	family_zgrat_v1
behavioral2/memory/4620-139-0x00000168747E0000-0x00000168748F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4620-143-0x0000016874960000-0x0000016874984000-memory.dmp	family_zgrat_v1

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3380-179-0x0000000001100000-0x00000000011C6000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
3036	u34o.0.exe
244	serversystemNCQ_x64.exe
2244	u34o.1.exe
3244	TrueBurner.exe
3424	TrueBurner.exe

Loads dropped DLL 2 IoCs

pid	Process
3244	TrueBurner.exe
3424	TrueBurner.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3424 set thread context of 4788	3424	TrueBurner.exe	94
PID 4788 set thread context of 3380	4788	cmd.exe	99

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Mondemo_v5.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
236	3036	WerFault.exe	81
1112	4056	WerFault.exe	80

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u34o.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u34o.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u34o.1.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
244	serversystemNCQ_x64.exe
244	serversystemNCQ_x64.exe
3244	TrueBurner.exe
3424	TrueBurner.exe
3424	TrueBurner.exe
4788	cmd.exe
4788	cmd.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3380	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3424	TrueBurner.exe
4788	cmd.exe
4788	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	3380	MSBuild.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe
3244	TrueBurner.exe
3424	TrueBurner.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe
2244	u34o.1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3244	TrueBurner.exe
3424	TrueBurner.exe
3380	MSBuild.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 3036	4056	18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe	81
PID 4056 wrote to memory of 3036	4056	18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe	81
PID 4056 wrote to memory of 3036	4056	18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe	81
PID 4056 wrote to memory of 244	4056	18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe	87
PID 4056 wrote to memory of 244	4056	18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe	87
PID 4056 wrote to memory of 244	4056	18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe	87
PID 4056 wrote to memory of 2244	4056	18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe	88
PID 4056 wrote to memory of 2244	4056	18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe	88
PID 4056 wrote to memory of 2244	4056	18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe	88
PID 244 wrote to memory of 3244	244	serversystemNCQ_x64.exe	92
PID 244 wrote to memory of 3244	244	serversystemNCQ_x64.exe	92
PID 3244 wrote to memory of 3424	3244	TrueBurner.exe	93
PID 3244 wrote to memory of 3424	3244	TrueBurner.exe	93
PID 3424 wrote to memory of 4788	3424	TrueBurner.exe	94
PID 3424 wrote to memory of 4788	3424	TrueBurner.exe	94
PID 3424 wrote to memory of 4788	3424	TrueBurner.exe	94
PID 3424 wrote to memory of 4788	3424	TrueBurner.exe	94
PID 2244 wrote to memory of 4620	2244	u34o.1.exe	96
PID 2244 wrote to memory of 4620	2244	u34o.1.exe	96
PID 4788 wrote to memory of 3380	4788	cmd.exe	99
PID 4788 wrote to memory of 3380	4788	cmd.exe	99
PID 4788 wrote to memory of 3380	4788	cmd.exe	99
PID 4788 wrote to memory of 3380	4788	cmd.exe	99
PID 4788 wrote to memory of 3380	4788	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe
"C:\Users\Admin\AppData\Local\Temp\18eb5d3175e49859fc2b0836c4b7e8d0c6ab4f3d9902641446b0bf60a2755b3a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\u34o.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u34o.0.exe"
  2⤵
  - Executes dropped EXE
  PID:3036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1092
    3⤵
    - Program crash
    PID:236
- C:\Users\Admin\AppData\Local\Temp\serversystemNCQ_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\serversystemNCQ_x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\TrueBurner.exe
    C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\TrueBurner.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Users\Admin\AppData\Roaming\NBLwriter_test\TrueBurner.exe
      C:\Users\Admin\AppData\Roaming\NBLwriter_test\TrueBurner.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3380
- C:\Users\Admin\AppData\Local\Temp\u34o.1.exe
  "C:\Users\Admin\AppData\Local\Temp\u34o.1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1716
  2⤵
  - Program crash
  PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3036 -ip 3036
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4056 -ip 4056
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1e707435

Filesize
9.0MB

MD5
57b5400654ece4f893bc1108f3b32676

SHA1
1548133846e49e6f822b695dd472495780bbfe29

SHA256
b68e0064d9d879d988c6447c21bf3501ab41e834a14ee67720fad9eed7aceb8c

SHA512
71457c82dc12dc53a62e0499115f1779d2195da7906dc0124ac6c856005149b8d094c1408f475d63c5e13291c58db74081be2155a218b2469b00dd897502df6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\29021e2e

Filesize
1.4MB

MD5
09c62735caec5e8de31f4caad2f8654e

SHA1
726dd82e912a26551b90bb333eb2c8e41a96b4b6

SHA256
17e2682e12b31793244d6bfb60ceecf06ca1908b54fda24afdd4700c795c95e8

SHA512
fbd269c8375d1f474d3179cca41bd1de8e5a100163fa8911ee72e1bb39315e450d4b66ed187d091a41721b6c3b3a122efc89065b1113f0f4ff5020595099ac20

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\TrueBurner.exe

Filesize
5.6MB

MD5
0add242030c1c5e5e312042f2bee2e72

SHA1
8e75f3724d75df8d67e1fd555912da332da7f5d1

SHA256
3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558

SHA512
07860926b25c2e091313a57e0f9d60879229cab9516488567d617649d86c5b04deb3b1b047dd6143d3ced760086a5af4fc75a7c0e534d48ada0b7ec59dcf39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\badata_x64.dll

Filesize
4.0MB

MD5
0cf98626c6a2922bb6a4d456e47d0608

SHA1
6b71cfc583b337d40574415e9bb91b76296bab7d

SHA256
b4316ff3c60dad0a752aacf0fc88296bcc9c4dac93513d1a6dc1461f17156750

SHA512
27c37c9a0fa1ea76ed6ae9c5389012008f9d1b5523214d2d3702f9305ffa1edcc78a415641cac17adbd581bc57951e7cfdc67be5ad3de6ad0185e25a325f9465

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\cerebrum.xls

Filesize
53KB

MD5
21dc5133ac6f22266c77c65ad45b2677

SHA1
46c0ad029268c04c7ae9d5ec99381abfb789bdaa

SHA256
fe6b0bda2f3d946a786f9b33d641134e47a2418b4ff2aeb44bfd37b405765a01

SHA512
8257a818a916ca2a96a48a31cc557cfb90e90b501999232fd0b74767b40c3f9fcc45ffd807147bc47a8da09714335a86d04c2f7f8313bdba0da9a51c6abb9c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\titular.flac

Filesize
1.2MB

MD5
d6caca3c4dd5dad51521b8b0811a7ec4

SHA1
049a4f59d387f7d70be992a90711e43902390a7a

SHA256
21d4bec89486481a8d49b49f75e9e5cba53edfe8735f57c1f36285daa0a33563

SHA512
2181e441fb50e537e0e52c6229c9c330ab1eb690cfd66e6581ae314fab303ef65a629c917eaf0eef32505fe227254818cdfde5c957d73339c716f75d29bbcfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
9719f55d91e81264a38bff46fad6d4b5

SHA1
ec3fbc492593d31d158c18df0ef0c47402b4eccc

SHA256
9a859b61affa8d97d50bfb1104a87879723ba387061166eae9d7423270d0bacc

SHA512
8679710acd1090e1d96f97caed1d26bb0834bd9a269691ba62dc236308e1e2124d5e24e9eb70b6099bfdf52667aed93ac595b1f89f0c0c9391706e80ac3eb720

Download Submit
C:\Users\Admin\AppData\Local\Temp\serversystemNCQ_x64.exe

Filesize
10.9MB

MD5
e8295a7ef2d88aa3a16361a5e53feb3c

SHA1
b07a32538e0540a467203f343bb64e6536d36730

SHA256
18ec7b686d8ff469e63b2568210f5886e9e5512a651137e7fb5e8009a41a54be

SHA512
fc4da2e0f157012fa88f42d7855405e2b078a61548500501ca509937fea78a3024b14a36ea59207a1d2c0a46be54ca3919be578a01d6bd93725b87b3151d6157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD73.tmp

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADB5.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\u34o.0.exe

Filesize
270KB

MD5
016d1899b81b63815302c7cb9618484a

SHA1
ff808fb01a8e4d90f6da4d84194dbf085f0d20b4

SHA256
95156ff902d4bab5c90c9e932d4d619b1c2caaca071523bdaf4adea1ca96c2ff

SHA512
c2515006729cdb3e99de4eb87823d88a3e0c89f1918d3f16544ec6ab20126e309a54a6fb5411293db17668677cfb29a2ae1fa0912f596efc6bbbff363353b8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\u34o.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/244-62-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download
memory/244-29-0x0000000000AD0000-0x000000000144D000-memory.dmp

Filesize
9.5MB

Download
memory/244-69-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download
memory/244-108-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download
memory/244-57-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download
memory/244-58-0x00007FFDC7E40000-0x00007FFDC8049000-memory.dmp

Filesize
2.0MB

Download
memory/244-59-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download
memory/2244-116-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2244-45-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2244-127-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2244-87-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3036-16-0x0000000000400000-0x0000000002C26000-memory.dmp

Filesize
40.1MB

Download
memory/3036-15-0x0000000000400000-0x0000000002C26000-memory.dmp

Filesize
40.1MB

Download
memory/3036-14-0x0000000003090000-0x00000000030B7000-memory.dmp

Filesize
156KB

Download
memory/3036-13-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/3244-73-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/3244-78-0x00007FFDA7170000-0x00007FFDA72EA000-memory.dmp

Filesize
1.5MB

Download
memory/3244-85-0x0000000000400000-0x0000000000B0C000-memory.dmp

Filesize
7.0MB

Download
memory/3380-212-0x0000000005B00000-0x0000000005B10000-memory.dmp

Filesize
64KB

Download
memory/3380-182-0x0000000005EE0000-0x0000000006486000-memory.dmp

Filesize
5.6MB

Download
memory/3380-186-0x0000000005A40000-0x0000000005AB6000-memory.dmp

Filesize
472KB

Download
memory/3380-187-0x0000000006AC0000-0x0000000006FEC000-memory.dmp

Filesize
5.2MB

Download
memory/3380-184-0x0000000005B10000-0x0000000005CD2000-memory.dmp

Filesize
1.8MB

Download
memory/3380-188-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/3380-179-0x0000000001100000-0x00000000011C6000-memory.dmp

Filesize
792KB

Download
memory/3380-189-0x0000000006670000-0x00000000066D6000-memory.dmp

Filesize
408KB

Download
memory/3380-180-0x00000000726D0000-0x0000000072E81000-memory.dmp

Filesize
7.7MB

Download
memory/3380-175-0x0000000072E90000-0x00000000741A7000-memory.dmp

Filesize
19.1MB

Download
memory/3380-211-0x00000000726D0000-0x0000000072E81000-memory.dmp

Filesize
7.7MB

Download
memory/3380-209-0x0000000007DC0000-0x0000000007DCA000-memory.dmp

Filesize
40KB

Download
memory/3380-181-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/3380-185-0x0000000005930000-0x0000000005980000-memory.dmp

Filesize
320KB

Download
memory/3424-109-0x00007FFDA7170000-0x00007FFDA72EA000-memory.dmp

Filesize
1.5MB

Download
memory/3424-113-0x0000000000400000-0x0000000000B0C000-memory.dmp

Filesize
7.0MB

Download
memory/3424-88-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3424-111-0x00007FFDA7170000-0x00007FFDA72EA000-memory.dmp

Filesize
1.5MB

Download
memory/3424-110-0x00007FFDA7170000-0x00007FFDA72EA000-memory.dmp

Filesize
1.5MB

Download
memory/4056-50-0x0000000000400000-0x0000000002C49000-memory.dmp

Filesize
40.3MB

Download
memory/4056-1-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/4056-2-0x0000000004AB0000-0x0000000004B1D000-memory.dmp

Filesize
436KB

Download
memory/4056-3-0x0000000000400000-0x0000000002C49000-memory.dmp

Filesize
40.3MB

Download
memory/4056-25-0x0000000000400000-0x0000000002C49000-memory.dmp

Filesize
40.3MB

Download
memory/4056-51-0x0000000004AB0000-0x0000000004B1D000-memory.dmp

Filesize
436KB

Download
memory/4620-140-0x000001685BDF0000-0x000001685BE00000-memory.dmp

Filesize
64KB

Download
memory/4620-149-0x0000016874D40000-0x0000016874DB6000-memory.dmp

Filesize
472KB

Download
memory/4620-154-0x0000016874DC0000-0x00000168750C0000-memory.dmp

Filesize
3.0MB

Download
memory/4620-156-0x00000168747D0000-0x00000168747E0000-memory.dmp

Filesize
64KB

Download
memory/4620-157-0x0000016878A30000-0x0000016878A38000-memory.dmp

Filesize
32KB

Download
memory/4620-159-0x0000016879140000-0x0000016879178000-memory.dmp

Filesize
224KB

Download
memory/4620-158-0x00000168747D0000-0x00000168747E0000-memory.dmp

Filesize
64KB

Download
memory/4620-160-0x0000016879100000-0x000001687910E000-memory.dmp

Filesize
56KB

Download
memory/4620-161-0x00000168791B0000-0x00000168791BA000-memory.dmp

Filesize
40KB

Download
memory/4620-162-0x0000016879AA0000-0x0000016879AC2000-memory.dmp

Filesize
136KB

Download
memory/4620-163-0x0000016879FF0000-0x000001687A518000-memory.dmp

Filesize
5.2MB

Download
memory/4620-166-0x0000016879870000-0x00000168798C0000-memory.dmp

Filesize
320KB

Download
memory/4620-167-0x00000168791C0000-0x00000168791CC000-memory.dmp

Filesize
48KB

Download
memory/4620-168-0x00000168798C0000-0x00000168798E2000-memory.dmp

Filesize
136KB

Download
memory/4620-128-0x00007FFDA7120000-0x00007FFDA7BE2000-memory.dmp

Filesize
10.8MB

Download
memory/4620-170-0x0000016879850000-0x000001687986E000-memory.dmp

Filesize
120KB

Download
memory/4620-171-0x00007FFDA7120000-0x00007FFDA7BE2000-memory.dmp

Filesize
10.8MB

Download
memory/4620-210-0x00000168747D0000-0x00000168747E0000-memory.dmp

Filesize
64KB

Download
memory/4620-136-0x00000168567F0000-0x000001685A0E8000-memory.dmp

Filesize
57.0MB

Download
memory/4620-150-0x000001685BDD0000-0x000001685BDDA000-memory.dmp

Filesize
40KB

Download
memory/4620-148-0x0000016874C60000-0x0000016874CC2000-memory.dmp

Filesize
392KB

Download
memory/4620-147-0x0000016874BE0000-0x0000016874C5A000-memory.dmp

Filesize
488KB

Download
memory/4620-145-0x0000016874B00000-0x0000016874B2A000-memory.dmp

Filesize
168KB

Download
memory/4620-146-0x0000016874B30000-0x0000016874BE2000-memory.dmp

Filesize
712KB

Download
memory/4620-183-0x00000168747D0000-0x00000168747E0000-memory.dmp

Filesize
64KB

Download
memory/4620-144-0x0000016874AE0000-0x0000016874AEA000-memory.dmp

Filesize
40KB

Download
memory/4620-143-0x0000016874960000-0x0000016874984000-memory.dmp

Filesize
144KB

Download
memory/4620-142-0x00000168748F0000-0x0000016874904000-memory.dmp

Filesize
80KB

Download
memory/4620-141-0x0000016874900000-0x000001687490C000-memory.dmp

Filesize
48KB

Download
memory/4620-139-0x00000168747E0000-0x00000168748F0000-memory.dmp

Filesize
1.1MB

Download
memory/4620-138-0x00000168747D0000-0x00000168747E0000-memory.dmp

Filesize
64KB

Download
memory/4620-190-0x00000168747D0000-0x00000168747E0000-memory.dmp

Filesize
64KB

Download
memory/4788-176-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download
memory/4788-132-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download
memory/4788-131-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download
memory/4788-172-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download
memory/4788-129-0x00007FFDC7E40000-0x00007FFDC8049000-memory.dmp

Filesize
2.0MB

Download
memory/4788-169-0x00000000741B0000-0x000000007432D000-memory.dmp

Filesize
1.5MB

Download