Analysis Overview
SHA256
f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d
Threat Level: Known bad
The file f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Stealc
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Program crash
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 00:08
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 00:08
Reported
2024-05-09 00:13
Platform
win7-20240419-en
Max time kernel
287s
Max time network
290s
Signatures
Detect ZGRat V1
Stealc
ZGRat
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe
"C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe"
C:\Users\Admin\AppData\Local\Temp\u1co.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1co.0.exe"
C:\Users\Admin\AppData\Local\Temp\u1co.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1co.1.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 00:08
Reported
2024-05-09 00:13
Platform
win10-20240404-en
Max time kernel
296s
Max time network
299s
Signatures
Detect ZGRat V1
Stealc
ZGRat
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe
"C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe"
C:\Users\Admin\AppData\Local\Temp\u3po.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3po.0.exe"
C:\Users\Admin\AppData\Local\Temp\u3po.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3po.1.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1072
Network
Files