sectoprat | 6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe
Size

415KB
MD5

e5275f8122aab0d7a885a8061a48d4be
SHA1

ef0bd3810a033fe75c4037277aa6d5d6f1f1b50b
SHA256

6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a
SHA512

da3ec68b20d7c041e1822392772f9b503d8e45de9f9f22d4a97fb9af31c70e069bb333f2edfd6fb7b7561584c4d7c550fa2cc8271211e13be26fd2cace3dbad3
SSDEEP

6144:VaNECqw6PzNoNBIoZDDf/id53ndJaFxLVZ54gVKsIJ56:VaNd67Ovh+itSLsO6

Score

10^/10

sectoprat stealc zgrat rat stealer trojan

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/2464-191-0x000001B8C57F0000-0x000001B8C90E8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-193-0x000001B8E39D0000-0x000001B8E3AE0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-197-0x000001B8E37B0000-0x000001B8E37D4000-memory.dmp	family_zgrat_v1

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3664-147-0x0000000000950000-0x0000000000A16000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	u2w0.1.exe

Executes dropped EXE 5 IoCs

pid	Process
2044	u2w0.0.exe
4456	Qg_Appv5.exe
4860	ptInst.exe
4536	ptInst.exe
3548	u2w0.1.exe

Loads dropped DLL 9 IoCs

pid	Process
4860	ptInst.exe
4860	ptInst.exe
4860	ptInst.exe
4536	ptInst.exe
4536	ptInst.exe
4536	ptInst.exe
4536	ptInst.exe
4536	ptInst.exe
4536	ptInst.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 4924	4536	ptInst.exe	107
PID 4924 set thread context of 3664	4924	cmd.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1944	2044	WerFault.exe	93
2688	3744	WerFault.exe	85

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2w0.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2w0.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2w0.1.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4456	Qg_Appv5.exe
4456	Qg_Appv5.exe
4456	Qg_Appv5.exe
4456	Qg_Appv5.exe
4456	Qg_Appv5.exe
4860	ptInst.exe
4536	ptInst.exe
4536	ptInst.exe
4536	ptInst.exe
4924	cmd.exe
4924	cmd.exe
4924	cmd.exe
4924	cmd.exe
3664	MSBuild.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4536	ptInst.exe
4924	cmd.exe
4924	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	MSBuild.exe
Token: SeDebugPrivilege	2464	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe
3548	u2w0.1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3664	MSBuild.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 2044	3744	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe	93
PID 3744 wrote to memory of 2044	3744	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe	93
PID 3744 wrote to memory of 2044	3744	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe	93
PID 3744 wrote to memory of 4456	3744	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe	104
PID 3744 wrote to memory of 4456	3744	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe	104
PID 3744 wrote to memory of 4456	3744	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe	104
PID 4456 wrote to memory of 4860	4456	Qg_Appv5.exe	105
PID 4456 wrote to memory of 4860	4456	Qg_Appv5.exe	105
PID 4456 wrote to memory of 4860	4456	Qg_Appv5.exe	105
PID 4860 wrote to memory of 4536	4860	ptInst.exe	106
PID 4860 wrote to memory of 4536	4860	ptInst.exe	106
PID 4860 wrote to memory of 4536	4860	ptInst.exe	106
PID 4536 wrote to memory of 4924	4536	ptInst.exe	107
PID 4536 wrote to memory of 4924	4536	ptInst.exe	107
PID 4536 wrote to memory of 4924	4536	ptInst.exe	107
PID 4536 wrote to memory of 4924	4536	ptInst.exe	107
PID 4924 wrote to memory of 3664	4924	cmd.exe	114
PID 4924 wrote to memory of 3664	4924	cmd.exe	114
PID 4924 wrote to memory of 3664	4924	cmd.exe	114
PID 4924 wrote to memory of 3664	4924	cmd.exe	114
PID 3744 wrote to memory of 3548	3744	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe	115
PID 3744 wrote to memory of 3548	3744	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe	115
PID 3744 wrote to memory of 3548	3744	6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe	115
PID 4924 wrote to memory of 3664	4924	cmd.exe	114
PID 3548 wrote to memory of 2464	3548	u2w0.1.exe	118
PID 3548 wrote to memory of 2464	3548	u2w0.1.exe	118

C:\Users\Admin\AppData\Local\Temp\6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe
"C:\Users\Admin\AppData\Local\Temp\6e7769e568d74e614b7db671d0dde4fda876c191826d534bebefc59c6f681a1a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\u2w0.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u2w0.0.exe"
  2⤵
  - Executes dropped EXE
  PID:2044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1276
    3⤵
    - Program crash
    PID:1944
- C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
  "C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe
    C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exe
      C:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3664
- C:\Users\Admin\AppData\Local\Temp\u2w0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\u2w0.1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1672
  2⤵
  - Program crash
  PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2044 -ip 2044
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3744 -ip 3744
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe

Filesize
7.6MB

MD5
862bf3003dca41d88ac49a6846149623

SHA1
b34f1d42dd0649d6b83f9a92124a554f48df0434

SHA256
50c10789db130a98c63e6e7f6e23b1c89b38c5ea4678f1e06fd1796fba25c75c

SHA512
fe5ab7888633dbfecca57ecd1732360796c2f19c62fc4282e2a92e9b8b440cc01e25b7a0c6a608cf9c2e9c9e3c49a8509a08851afcaef7e1afc21c0abcc2c969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\WCLDll.dll

Filesize
590KB

MD5
63206e3b4f1fa4dcfbe1f2cc5d0c4e9d

SHA1
fe731b2e9c296d9ecc75ed96c2d29fe46c7cd924

SHA256
8f5b8645b5e5ea48acc411b21a1b3cd56d2660ac931989b9f064c8ff82039885

SHA512
32bdcce9e8e7f1ebe50e114f65f762391d52f482a112515ccb16b09653b93873528ea1a7473a2512075bf8f729997a65f455bf6599482e997b85e06a2f87f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\cosmetician.mpeg

Filesize
79KB

MD5
8e1bbc6d6c4d207393b59853f73945ae

SHA1
b66d632eae41267175bf5332d43a785dd929d79f

SHA256
b04725aaa99b27e04c02bec7d98fb4511331ea53761272325fff9c27a679e279

SHA512
1b45a7be00f54498df289641745ca6ee99e11d63100fb838b96c2d9412f8b5f0ea5aa8b964f32a4f9182cd599765f5ca08b91e8e8eecd06d1c53543284a59001

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\msvcp140.dll

Filesize
427KB

MD5
71a0aa2d05e9174cefd568347bd9c70f

SHA1
cb9247a0fa59e47f72df7d1752424b33a903bbb2

SHA256
fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

SHA512
6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe

Filesize
938KB

MD5
b15bac961f62448c872e1dc6d3931016

SHA1
1dcb61babb08fe5db711e379cb67335357a5db82

SHA256
bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5

SHA512
932119f7dc6710239481c80ad8baaed5c14a2085fcc514b6522671b1a4ebbaf488e43453f11d5aaf6dcef7a245db8de44d93ff255f7cf8385b7d00f31f2cc370

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\quersprung.vhd

Filesize
1.3MB

MD5
3bee67dd0e04559c8fdc7761336dee47

SHA1
027ef9dca01fb928db79e57b418130165f06ed5f

SHA256
57745aba2885cf8bf770e7e9195697c05e35333417ca23af153367bf31cbf812

SHA512
35fb66f98a57b0d14c3044a91abac3e0670d516edfd691d6670df034e8454c550d3d2e702ab90cd32b70fcba8aeb2e02b7b3a07b6a340a932738968473f77dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\vcruntime140.dll

Filesize
81KB

MD5
16b26bc43943531d7d7e379632ed4e63

SHA1
565287de39649e59e653a3612478c2186096d70a

SHA256
346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

SHA512
b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae0694ee

Filesize
3.8MB

MD5
13418f74a7ce25cdd6997c9fcb718a0e

SHA1
f4c880821fee72c37c882b1e8ebf100efcafe31c

SHA256
a890935a36903669f35522c85c75e296404a4595453f060398cb64c5b0d6dfd0

SHA512
59017162877bbbdf823450a946e3e54e9130d8ebbf5baba24471c68a10d1fad3452be08c693cd7a78d0bf2fcfd6d3086edeec1a379f9b53fd66bb246c128d4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb2f1e85

Filesize
1.4MB

MD5
f521d0853daf51aa3d072e0e3f2d1999

SHA1
2548d34595d9502baeb2b9c41496b8b5040f7bae

SHA256
71eeffc1085f1fed3fbdd84d328e92020900a1f9fe4ff8fec383f7f5ca5a5b6e

SHA512
a9311e7844becb3ef03d33ba34ba047220fdb55b36587af76c45b81751a81b503e10b522d26051b6a8b49de9065ecc974741cf5098e42ae011acc32b0d0b0610

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
c6dd4a2b678d77b29d9fa67b35932c61

SHA1
97b0caaa4b77a80c7b110acb514505e4bbd9333d

SHA256
43e7e7ec7d2a8c7e62f84bffcf696d3e372b312e2aff15d8f8a2981f9f2b3596

SHA512
599e69d09f0f3d0d0a754941a798244c4864505c3703cd5e0fdfd3535968c60f0657b5bdfa88fda8c6a5e4ec9284a447c7a8f9cc87dacb1e52661f6248c2781c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D1C.tmp

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D3F.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2w0.0.exe

Filesize
270KB

MD5
0951f2c80179ee8fc3ce96f8113ffe42

SHA1
cca70fa747800d42b722743b00cb1b3f71f63f61

SHA256
6a15721740f9ba4bce8940122998d69c51e0a4bb9ae84b3be0cc9a6d39283320

SHA512
721f180c9a14b8e18d59f4051eee9f9ba9adc4babb950aad796407f2b4d066f9af6a646cef54616c1289f3788f640f6a4c3e6dccdd2fe3bde79fced7f5aef1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2w0.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/2044-17-0x0000000000400000-0x0000000002C26000-memory.dmp

Filesize
40.1MB

Download
memory/2044-16-0x0000000000400000-0x0000000002C26000-memory.dmp

Filesize
40.1MB

Download
memory/2044-15-0x0000000002CB0000-0x0000000002CD7000-memory.dmp

Filesize
156KB

Download
memory/2044-14-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

Filesize
1024KB

Download
memory/2464-202-0x000001B8E3CD0000-0x000001B8E3D32000-memory.dmp

Filesize
392KB

Download
memory/2464-212-0x000001B8E3740000-0x000001B8E3750000-memory.dmp

Filesize
64KB

Download
memory/2464-233-0x000001B8E3740000-0x000001B8E3750000-memory.dmp

Filesize
64KB

Download
memory/2464-232-0x000001B8E3740000-0x000001B8E3750000-memory.dmp

Filesize
64KB

Download
memory/2464-231-0x000001B8E3740000-0x000001B8E3750000-memory.dmp

Filesize
64KB

Download
memory/2464-230-0x000001B8E3740000-0x000001B8E3750000-memory.dmp

Filesize
64KB

Download
memory/2464-229-0x000001B8E3740000-0x000001B8E3750000-memory.dmp

Filesize
64KB

Download
memory/2464-228-0x00007FF898F20000-0x00007FF8999E1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-224-0x000001B8E9130000-0x000001B8E914E000-memory.dmp

Filesize
120KB

Download
memory/2464-223-0x000001B8E9100000-0x000001B8E9122000-memory.dmp

Filesize
136KB

Download
memory/2464-221-0x000001B8E3740000-0x000001B8E3750000-memory.dmp

Filesize
64KB

Download
memory/2464-222-0x000001B8E9060000-0x000001B8E906C000-memory.dmp

Filesize
48KB

Download
memory/2464-220-0x000001B8E90B0000-0x000001B8E9100000-memory.dmp

Filesize
320KB

Download
memory/2464-217-0x000001B8E9800000-0x000001B8E9D28000-memory.dmp

Filesize
5.2MB

Download
memory/2464-216-0x000001B8E9040000-0x000001B8E9062000-memory.dmp

Filesize
136KB

Download
memory/2464-215-0x000001B8E92C0000-0x000001B8E92CA000-memory.dmp

Filesize
40KB

Download
memory/2464-214-0x000001B8E8130000-0x000001B8E813E000-memory.dmp

Filesize
56KB

Download
memory/2464-213-0x000001B8E8160000-0x000001B8E8198000-memory.dmp

Filesize
224KB

Download
memory/2464-211-0x000001B8E8820000-0x000001B8E8828000-memory.dmp

Filesize
32KB

Download
memory/2464-190-0x00007FF898F20000-0x00007FF8999E1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-210-0x000001B8E3740000-0x000001B8E3750000-memory.dmp

Filesize
64KB

Download
memory/2464-208-0x000001B8E3E30000-0x000001B8E4130000-memory.dmp

Filesize
3.0MB

Download
memory/2464-204-0x000001B8E37F0000-0x000001B8E37FA000-memory.dmp

Filesize
40KB

Download
memory/2464-203-0x000001B8E3DB0000-0x000001B8E3E26000-memory.dmp

Filesize
472KB

Download
memory/2464-201-0x000001B8E3840000-0x000001B8E38BA000-memory.dmp

Filesize
488KB

Download
memory/2464-191-0x000001B8C57F0000-0x000001B8C90E8000-memory.dmp

Filesize
57.0MB

Download
memory/2464-200-0x000001B8E3C20000-0x000001B8E3CD2000-memory.dmp

Filesize
712KB

Download
memory/2464-199-0x000001B8E3810000-0x000001B8E383A000-memory.dmp

Filesize
168KB

Download
memory/2464-198-0x000001B8E37E0000-0x000001B8E37EA000-memory.dmp

Filesize
40KB

Download
memory/2464-197-0x000001B8E37B0000-0x000001B8E37D4000-memory.dmp

Filesize
144KB

Download
memory/2464-196-0x000001B8E3730000-0x000001B8E3744000-memory.dmp

Filesize
80KB

Download
memory/2464-194-0x000001B8CAF30000-0x000001B8CAF40000-memory.dmp

Filesize
64KB

Download
memory/2464-195-0x000001B8E3750000-0x000001B8E375C000-memory.dmp

Filesize
48KB

Download
memory/2464-193-0x000001B8E39D0000-0x000001B8E3AE0000-memory.dmp

Filesize
1.1MB

Download
memory/2464-192-0x000001B8E3740000-0x000001B8E3750000-memory.dmp

Filesize
64KB

Download
memory/3548-124-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3548-177-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3548-189-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3664-176-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/3664-147-0x0000000000950000-0x0000000000A16000-memory.dmp

Filesize
792KB

Download
memory/3664-225-0x0000000070EC0000-0x0000000071670000-memory.dmp

Filesize
7.7MB

Download
memory/3664-227-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/3664-107-0x0000000071850000-0x0000000072AA4000-memory.dmp

Filesize
18.3MB

Download
memory/3664-157-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/3664-156-0x00000000056E0000-0x00000000056FE000-memory.dmp

Filesize
120KB

Download
memory/3664-155-0x0000000006320000-0x000000000684C000-memory.dmp

Filesize
5.2MB

Download
memory/3664-154-0x0000000005210000-0x0000000005286000-memory.dmp

Filesize
472KB

Download
memory/3664-153-0x0000000005060000-0x00000000050B0000-memory.dmp

Filesize
320KB

Download
memory/3664-152-0x0000000005510000-0x00000000056D2000-memory.dmp

Filesize
1.8MB

Download
memory/3664-151-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/3664-150-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/3664-149-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/3664-148-0x0000000070EC0000-0x0000000071670000-memory.dmp

Filesize
7.7MB

Download
memory/3744-99-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/3744-2-0x0000000002EC0000-0x0000000002F2E000-memory.dmp

Filesize
440KB

Download
memory/3744-121-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/3744-13-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/3744-3-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/3744-18-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/3744-1-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/3744-19-0x0000000002EC0000-0x0000000002F2E000-memory.dmp

Filesize
440KB

Download
memory/4456-45-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4456-36-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/4456-42-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4456-35-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4456-43-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/4456-94-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4456-93-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4456-56-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4536-91-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/4536-90-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4536-92-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4536-95-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4860-69-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/4860-68-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4924-97-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4924-100-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/4924-103-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4924-104-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download
memory/4924-110-0x0000000072E20000-0x0000000072F9B000-memory.dmp

Filesize
1.5MB

Download