Analysis

  • max time kernel
    292s
  • max time network
    301s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01/05/2024, 22:37

General

  • Target

    1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe

  • Size

    1.3MB

  • MD5

    3aa73406f878b7cb213e654a047d8399

  • SHA1

    353e7abd8a726c1be6ae7e2a44bd0f3a6d1c9566

  • SHA256

    1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990

  • SHA512

    509bf6807db0ee461bc0cd9c2c79a37a9e09ac3e43f489be5ba0cb9da60a4e4d15c5d1b2e581c455e90138cefc8638decac4f4c43c83113feb625be789c1cda9

  • SSDEEP

    24576:HNZ7Kb9pbvRPXtpsCvqrpLTZrOv7eMfLgP3BJzDWGbMf30yF+fvVH:t0bn7R/tV8tTZrOTeMfMP3BJuGbW+fvt

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 33 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3304
      • C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe
        "C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Fancy Fancy.cmd && Fancy.cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4584
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4596
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
              PID:3704
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4040
            • C:\Windows\SysWOW64\findstr.exe
              findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
              4⤵
                PID:4472
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 1151
                4⤵
                  PID:344
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V "LightsListingConnectivityDown" Replica
                  4⤵
                    PID:592
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c copy /b Effect + Competition + Ict + Believe + Harassment + Bios + Burst + Toolbox 1151\R
                    4⤵
                      PID:3056
                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif
                      1151\Pension.pif 1151\R
                      4⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:4508
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 5 127.0.0.1
                      4⤵
                      • Runs ping.exe
                      PID:2216
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4464
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F
                    3⤵
                    • Creates scheduled task(s)
                    PID:1984
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & exit
                  2⤵
                  • Drops startup file
                  PID:1292
                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe
                  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4912
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm' -Value '"C:\Users\Admin\AppData\Roaming\RegAsm.exe"' -PropertyType 'String'
                    3⤵
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5412
              • \??\c:\windows\system32\wscript.EXE
                c:\windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:1856
                • C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif
                  "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif" "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\T"
                  2⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:3828

              Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif

                      Filesize

                      872KB

                      MD5

                      6ee7ddebff0a2b78c7ac30f6e00d1d11

                      SHA1

                      f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

                      SHA256

                      865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

                      SHA512

                      57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\R

                      Filesize

                      898KB

                      MD5

                      082fc64ab12fe5617c2d1c39e47087e8

                      SHA1

                      b2cb6d76b71c901c9b08442c53b3d703ebfeea90

                      SHA256

                      d59d26bd3c8b5180f0edafce17cecf6c4bc1ceb313454d8f89e06faa74451ccb

                      SHA512

                      4dc0e23d2302e354ed39d754a6ef71110d8f02cc5bb7d120be6785e8980c79dc1f963b8a524fcf19d77b870a624da08ab53cb2edb7f6516e96f09565f56ffa70

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe

                      Filesize

                      63KB

                      MD5

                      b58b926c3574d28d5b7fdd2ca3ec30d5

                      SHA1

                      d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

                      SHA256

                      6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

                      SHA512

                      b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Believe

                      Filesize

                      171KB

                      MD5

                      84b8963d6e0be7253c0f7439184ede19

                      SHA1

                      75c4c2de0abbab955ffdbd3b80750fd6c59db410

                      SHA256

                      f1626970f2bb7e4521b5ee25f917d7b32be0fc24c531149f93a9207586a2aa2b

                      SHA512

                      429cca6b0ec71446101717c5e164fc028e3f3b7f57e01d23ccae5d8865d0db11db9aeac202b02125d5af0ef0be99bec1574beb5cd3d52b2dd8618e0d26143c4b

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bios

                      Filesize

                      152KB

                      MD5

                      3826c7267e6a33cf0a5caf693ff35467

                      SHA1

                      eccec823ab4020e55d96c038e2d4d14042b36b37

                      SHA256

                      aaa85412f35cbe97f7c02cd2cf4d8c019ac97ac89c3642915dfa9099027b7472

                      SHA512

                      c16705362793d591b3f79fd5ea657cd547797d43e1b0a4f703a7d3108e84f3b91b5a613b589f4ebeb6e5b4c55b33f66c003959226b33b4f7f2f2a842e4449f6e

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Burst

                      Filesize

                      118KB

                      MD5

                      bab73e006009d7a5625e672db9ccd5db

                      SHA1

                      eeb7561ab415280608b9e9484d31eb23768150a5

                      SHA256

                      3180abd2fb794069731125550ea3e0a6eb71084494a9aef3388699d1df2948c2

                      SHA512

                      56e84a6ec40deef4c377191df32090d3cc783630814aecf3585b13c7a6320d5330320246f5bb8424619d5dba16763365d4eab9bc9c39b41512571408d0feef21

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Competition

                      Filesize

                      20KB

                      MD5

                      091aae3bd1f07f9e174f53c654c6ed3d

                      SHA1

                      68c2da6fca30e5c65f1b286ccf132a6ae7aa71be

                      SHA256

                      df762e720c90c439eb5a1ca9af2c6e71bdcc2176bc5678652aea14a01c1d8871

                      SHA512

                      63b5280c48ede31e6b1deefa04c88430bc7a322416bcea309a4a03255548a90126a9a27fe1204d18c14844bc758b622ed2f3b932c3b67b982f1d9ff2adb58382

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cumshots

                      Filesize

                      180KB

                      MD5

                      6c623f377545d7205643ccd91755c153

                      SHA1

                      be36fe56d62c76b98507e74350a6914d327de2fd

                      SHA256

                      25973305f172e577eecf44115e1d474144a206620458592eee2ad262e4337e9b

                      SHA512

                      48ed4b6bacdf8ee9975a47d80f51e93d6f148f4a3864fbc5b9b1b0ee6ff157f79d790d961b93f7efdab9384df23afd065b2f0b8ce772f78d6cfab38ed99a6e23

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Effect

                      Filesize

                      160KB

                      MD5

                      662fde8634083a5a8a69e1e234858975

                      SHA1

                      b3c7b309ac3acd5f1eb2d5f03b58fc291be9a09c

                      SHA256

                      94fea62ec238e1035e6e728c2d3508166b5fa0bab4a43758de5bcc7db73b0bfb

                      SHA512

                      6304ed20d7b535e9dbccd5421059b305c53fb7a2d7975d57f181355927baead267f14bb3467959ee4ddf58de19bc992ef9c4a6d174705114d3a5ff65ad290a8b

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fancy

                      Filesize

                      11KB

                      MD5

                      a7e06544f9ad7d58c5705cf1874e03cb

                      SHA1

                      a8fff3c4f688fc4f496058d2575115241c958d78

                      SHA256

                      bff5faf70466a49e899282fc84ec428790348d1b141dc3a98e46baa492ce58f2

                      SHA512

                      b0a165e5c60f8f7908080e055fc3f4a43d7773e84a9f6dfd2761f51a4663ffaafff08d3ebddbbc0c7b9a5bcb1d49026fe3713ae48fa223c1c96cb5511170f50d

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Harassment

                      Filesize

                      73KB

                      MD5

                      b5bb3d9ed2e6d7354c5725b9667fa6e8

                      SHA1

                      3742b76d1cad7ad7d6c5c52b444951f7d6830d68

                      SHA256

                      f94a7a0952b8929d4b6d4c3af214ad4e50df119a126950263585721ad2a4a9e9

                      SHA512

                      426bb2323ab1faeaa6181242b9df0191c153a95b5c1376fbcb1e0b32b68b6cd7ef0d3ae1de17132eb444704d0fcad126796a99164ce132f18777f54563667a0f

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Heater

                      Filesize

                      173KB

                      MD5

                      6007a8ca0455cf69278da9b4b6cb9a12

                      SHA1

                      27084504d3c62f1a20ec1b6602327e7def4546fb

                      SHA256

                      7d282ee47798d0a129c2961079d94cbebc9940bcbb4d5a39fe464fefc10accf7

                      SHA512

                      f5c9c5f9f556807109ab30dd8373b627034fab72e4f397bb86fa6128fb00223bd4ce4554e97d72fc448643c6798fa45c9291c5c98ca233448cac2aea4203531f

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Historical

                      Filesize

                      113KB

                      MD5

                      8846c829752abfd71bbe95f4ee589929

                      SHA1

                      18fa430e7d3a520c20bc5ba1361eec701031924c

                      SHA256

                      92421a7f7a3b71741f311e57668ec22c1939a4195a066d3cbc6217d7a1b1d5bd

                      SHA512

                      3b41b1d3a43df6d873ba826c51a2c421166eeb84749bbd123340caa280a23468f5468e778e02ab73a7565dcef13955748ac5b5a13791e72f5ef6a641d13544f6

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ict

                      Filesize

                      94KB

                      MD5

                      dbc4328fcde80bcda7e50313566525cd

                      SHA1

                      fe7b8321ae72c5c5148197cf48e8bc986b4f6f3c

                      SHA256

                      efe093a2edd597859c6aee6da0b862ff9a75d54cd4b3d0492f7cdf63128a5e85

                      SHA512

                      c6f0d8cecfbc7ef137899a8b0512e6efb9bc5f92844845e5744624aa78c2de1f57622c5f43cdd09f1a8cb75ef51fdb70023226c816fccf32777fd5be2e3fe875

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Julie

                      Filesize

                      199KB

                      MD5

                      88f4d8dbbf1686993d6bbfe5cafc7bec

                      SHA1

                      a91f8cfdba4fcc5b13404a20d83e6f2971b9dda7

                      SHA256

                      58967b46f82093849e3236b019212c4c7e24b1585e46f5549dcad9ff03eb1a84

                      SHA512

                      0895da59e9049ec87db8f41e806b36bf2cb248cf522f0ae3114774ff020b68a1093db4c0dfcb3f7b8c19752ec4d80a4f48dab5ab092a7c90dfadcc5c36a6f45f

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Replica

                      Filesize

                      198B

                      MD5

                      cf00f4e9240c539bbf64a1c20def7263

                      SHA1

                      9aa53cc59aaa7580a85c36a50659759683074568

                      SHA256

                      b90e8420622d3497b0e95496dff0c5f9ca72242aa8ae846d2f71ae85c97bf3c3

                      SHA512

                      2049857847148a83d295c6cd9485e3dbcb6cc165ac909fb1011e5b9fba78e2afbc1764b0bc06d0eba616080262248e6788cac115d7338e31179a3b4e1097b9a4

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rewards

                      Filesize

                      13KB

                      MD5

                      00335905a2a89de13de6c2421575eee3

                      SHA1

                      e472af8bbc0ae7729c3a298d87721ae3f079de0e

                      SHA256

                      a5a998f37aaad218f989da68e0912fa7661340884b1a421f96e74204e915e87d

                      SHA512

                      85e9e5d774284298bab638330831ccd504f617064307548dc917d290482e9c09612493bb6a696b0f25cd45d885591804d33f978c617fa88dfd8b5530b77c088b

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Threatening

                      Filesize

                      30KB

                      MD5

                      6804de931c9eb4b3d459ab030cda55ce

                      SHA1

                      182fc850106e372587039ff82aaac9386b0cf7d1

                      SHA256

                      9a4b7f50afe7000d7babae1ec667117a56ee84859642ed80d5a0ab2222d6fd25

                      SHA512

                      af91378384e50990aa38304719a524af0786c7a9df0ae802854ebc094e4482d7d3045ab21a1d1d19bf01a585e5922e183c765dd0f37b0726f0cd5f1d56ab73c6

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Toolbox

                      Filesize

                      110KB

                      MD5

                      f5f71d9e2109265bd186ec56ad0dc430

                      SHA1

                      3dba226bab4a0d6eb5347d575c4c8d40179ed048

                      SHA256

                      f984a61ef127393597b49d46df0ec3482880570c871ccdcacfe329e17c04e6fc

                      SHA512

                      1abf749a7b236617f3b26bf58b1fd8d7d4347e73dd3b4494c6b3c338af1dee943559af3f5dac3c748dec3c166d78d6056de188dd4c77434c8c7d8c8ad592f677

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wiring

                      Filesize

                      164KB

                      MD5

                      c186c5f5e43b21e22648d604b76b8742

                      SHA1

                      fcc8ea3bea77b4d3d8d61703429d4950f57967ad

                      SHA256

                      fd5195e8e4d850db2e81763debed0c70e0dede4ee7667d1540197016dcb8ab6c

                      SHA512

                      e692ad7588b5976abb6f96061dd134ea9a66b74afefe506da35cb9e7d33be77887c912824dc99ca850a86ed6bf27c00cfb19bbd6ab900091da30742f4ab5507b

                    • C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js

                      Filesize

                      184B

                      MD5

                      08c46f30149d351c591e9b3b70c9a64e

                      SHA1

                      9b63b98f4329107da1de8a049fa3cbec850b863f

                      SHA256

                      044c9d43801a15f6e8f8a36a77bc71a60f56abd4204e17e15f19be9c2fc2c006

                      SHA512

                      5ae51bacfe960d71845901b7a293f8f6cea23ee7cd7c854f13a85b5ea17f1d4633a27111dc29d94e13d29e48aa5c6813e53f8405db80dbcf0344d6bdd1050238

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0jqpjuno.tbs.ps1

                      Filesize

                      1B

                      MD5

                      c4ca4238a0b923820dcc509a6f75849b

                      SHA1

                      356a192b7913b04c54574d18c28d46e6395428ab

                      SHA256

                      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                      SHA512

                      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                    • memory/4912-82-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-103-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-58-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-56-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-114-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-112-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-110-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-106-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-104-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-98-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-93-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-84-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-53-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-80-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-78-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-76-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-75-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-70-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-68-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-66-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-64-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-54-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-109-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-60-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-101-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-97-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-95-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-91-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-88-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-86-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-72-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-62-0x0000000005790000-0x0000000005867000-memory.dmp

                      Filesize

                      860KB

                    • memory/4912-6337-0x0000000005910000-0x0000000005976000-memory.dmp

                      Filesize

                      408KB

                    • memory/4912-49-0x0000000001370000-0x00000000013E4000-memory.dmp

                      Filesize

                      464KB

                    • memory/4912-52-0x0000000005790000-0x000000000586C000-memory.dmp

                      Filesize

                      880KB

                    • memory/5412-6342-0x00000000070B0000-0x00000000070D2000-memory.dmp

                      Filesize

                      136KB

                    • memory/5412-6343-0x00000000077B0000-0x0000000007816000-memory.dmp

                      Filesize

                      408KB

                    • memory/5412-6344-0x0000000007B20000-0x0000000007E70000-memory.dmp

                      Filesize

                      3.3MB

                    • memory/5412-6345-0x0000000007AF0000-0x0000000007B0C000-memory.dmp

                      Filesize

                      112KB

                    • memory/5412-6346-0x0000000007FC0000-0x000000000800B000-memory.dmp

                      Filesize

                      300KB

                    • memory/5412-6347-0x0000000008240000-0x00000000082B6000-memory.dmp

                      Filesize

                      472KB

                    • memory/5412-6341-0x0000000007180000-0x00000000077A8000-memory.dmp

                      Filesize

                      6.2MB

                    • memory/5412-6362-0x0000000009380000-0x0000000009414000-memory.dmp

                      Filesize

                      592KB

                    • memory/5412-6363-0x0000000009060000-0x000000000907A000-memory.dmp

                      Filesize

                      104KB

                    • memory/5412-6364-0x00000000090E0000-0x0000000009102000-memory.dmp

                      Filesize

                      136KB

                    • memory/5412-6365-0x0000000009920000-0x0000000009E1E000-memory.dmp

                      Filesize

                      5.0MB

                    • memory/5412-6340-0x0000000006AA0000-0x0000000006AD6000-memory.dmp

                      Filesize

                      216KB