Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 09:02

General

  • Target

    872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe

  • Size

    8.7MB

  • MD5

    57ec49d438753f3bdfec6a616258b370

  • SHA1

    a34f757f5f2bd4763f04206c0d0cd32ab4491117

  • SHA256

    872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638

  • SHA512

    88bdae1b6a45efa83c4a9ff28a4549c33db28ba2bb1d1911d028090e9dc3831ef57f6577388844a4cfccc60dbca70315a7f9d7311f6638bcf00da97110e1c64a

  • SSDEEP

    196608:ITAJDpNk+Rl4/Xi/yRvyCyKuhBfldGdrmVLaY1rHgu:oAlzJ7yRvyCx+xpgu

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
    "C:\Users\Admin\AppData\Local\Temp\872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"
      2⤵
      • Executes dropped EXE
      PID:4540
    • C:\Users\Admin\AppData\Local\Temp\leetcrack.exe
      "C:\Users\Admin\AppData\Local\Temp\leetcrack.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe
        "C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe"
        3⤵
        • Executes dropped EXE
        PID:1080
      • C:\Users\Admin\AppData\Local\Temp\portmonitor.exe
        "C:\Users\Admin\AppData\Local\Temp\portmonitor.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:5768
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Webnet\x9qTsv13UFeYw.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3216
            • C:\Webnet\portmonitor.exe
              "C:\Webnet/portmonitor.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4680
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hofjtci1\hofjtci1.cmdline"
                7⤵
                • Drops file in Program Files directory
                • Suspicious use of WriteProcessMemory
                PID:5184
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8354.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC19D8DC4283B74AAC89C59649471FDEEA.TMP"
                  8⤵
                    PID:2328
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\113dalzk\113dalzk.cmdline"
                  7⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:2776
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES845E.tmp" "c:\Windows\System32\CSC9824FA945D1A4950A9E09A524E62DFA.TMP"
                    8⤵
                      PID:4788
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TbEbrizJLh.bat"
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3040
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:5100
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • Runs ping.exe
                        PID:3944
                      • C:\Webnet\SearchApp.exe
                        "C:\Webnet\SearchApp.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2296
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Webnet\SearchApp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1516
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Webnet\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Webnet\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\ssh\portmonitor.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Users\All Users\ssh\portmonitor.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\portmonitor.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5124
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Webnet\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5360
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Webnet\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:6048
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Webnet\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1436
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1704
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\Provisioning\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4092
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\schemas\Provisioning\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\Provisioning\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 13 /tr "'C:\Webnet\portmonitor.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3128
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 5 /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:864
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3100 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
          1⤵
          • Executes dropped EXE
          PID:1452

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

          Filesize

          4KB

          MD5

          77666d5b2a9d1709e3ff6b6e02609ff4

          SHA1

          a9f433f3d7709c02d006a776b7bcd89062e589a1

          SHA256

          320f05c3a244e24908bd99490b048fdd0d8744a201b2d653c9afc496b991a061

          SHA512

          9fe92cf69f12bfeee0795abe4180efd7df20843987a34854bfbefcbbc0bb3961b6e932b634d5a9f73b811ae4cb128bff3f854c0e868a848fee3776dae33d1c21

        • C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe

          Filesize

          5.2MB

          MD5

          b86bbb42b26e72a601087f68cda89208

          SHA1

          baca49e35da3b83cd56ba579d61f98e9b137debe

          SHA256

          320eff01b2a5b520853cd9b0c7486b3d9992dce2f9308f267069a60f88f8deb0

          SHA512

          e98dfeb55d6053d6e2ec323f4665b4ea8cdb5bae0807ac70ac5dbb6cf7f3e8e1ba6a2ad099f8232b0e0ca9a738a9baf7d132957fb5d503c78283b229e35ed974

        • C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe

          Filesize

          8KB

          MD5

          068a3a015a2821ab745a03dbae612233

          SHA1

          91c358a556d51466918c76c01ead079a484ce35a

          SHA256

          d87f2189c12aa65a1bd52c1a39d1f14d58753dd76d291eebba32d5a0dde74d67

          SHA512

          d18d483af543ac72a204b076f897fe62284a0479fdb5a407ef69d51588ccc9589465d94f5a4dce6fc3d36ce6667a42d6513e4a05ce2fde7b0794e1745aa0bb9e

        • C:\Users\Admin\AppData\Local\Temp\RES8354.tmp

          Filesize

          1KB

          MD5

          3f7f12a802ec221d7e553e871cd4a627

          SHA1

          20ebb3696b088892cc965a20daff36a8b6826aea

          SHA256

          45a26e37cc9e4ef709622f3c64587b3c15668f2d5c4b7de5e155a6231d82293a

          SHA512

          e26dcd59009655a0657463c9d618b8f0869f7c843dbd7707f90c01b1284d2e06a444d72031d8c845e22b3ff39aa45ff7e00c8f84f07a461b5fe6257ef1651b9a

        • C:\Users\Admin\AppData\Local\Temp\RES845E.tmp

          Filesize

          1KB

          MD5

          a72f269178edd490635df246b7384a7d

          SHA1

          a3a3ed78dfa3998714553f20cbec2db1f16d2e25

          SHA256

          479ccfcb11241ed75a8f2704775c685a30e4c5d35a4d1a222d4314b22ef1f132

          SHA512

          8fcedbfa0c8920df7d8dca7e33de083455cfd664299816f8806faeca991fa6e3a397056893b1b066ec5d11b05a2b4dc57caecbf3a866c66b773675f5e751a813

        • C:\Users\Admin\AppData\Local\Temp\TbEbrizJLh.bat

          Filesize

          151B

          MD5

          9379eb20f91c508bc6e0a3749f0f38ff

          SHA1

          8266e696956d8cffcf3cbdc732288fc95e1b68ac

          SHA256

          6288d3b5e70b60024c3fdf26c97838988271183a9f2985d03f10d32e79f2922d

          SHA512

          c7c10c95ed64cdbd76fd939033eb5eb19406535789ee787a863c206faba0a63c5d5c5e7935aba1727dc7166b197322b75823c440b7f43fc10cf7f65a859e4b58

        • C:\Users\Admin\AppData\Local\Temp\leetcrack.exe

          Filesize

          8.7MB

          MD5

          93144ffd83e528ff8651605be2d2c1a4

          SHA1

          6c661ce690ecd3ecd21c8953e410543fcf8a69ad

          SHA256

          4ded33a5b292e88739e50c25c4db2ec8a4b444b21431f3daba87a2573965bd60

          SHA512

          5236edcac0e56126c0f83eccc930a96548788694e1505ee0f74e77ed41582b1c92573de2fef0bf1e69fa3e9bc355f45f4671a67da66612e1a24b8eb849ea668c

        • C:\Users\Admin\AppData\Local\Temp\portmonitor.exe

          Filesize

          3.8MB

          MD5

          3d686dda8f890bef092779bc682dec10

          SHA1

          2e6f12de7a5d4febe798a63b2f8914458741bf7f

          SHA256

          af9b7828f0661720eeaac5931f160f7db17dbf6c1ddcd7020a0c06a4deb2b7d4

          SHA512

          cb32222a74d01de5c99e5096e1e00f86ab54af0db9e6b560b5952de2ab1c654ebde7331e80302dedb387acc7ad7c98eae3748cf3bf2bb78c1d0a5088db881f58

        • C:\Webnet\portmonitor.exe

          Filesize

          3.5MB

          MD5

          aa6c98cd853bf585a410394fd10817dc

          SHA1

          ceab1865997ae2c6e070a9c6adf6b129cf2ad383

          SHA256

          fc45eebea5ae88160a2ac49fe7e027baeee028c4f4b021794726a04ecea8c90b

          SHA512

          2ada05425dce38fd9fe48c9ceb6a21c59c5e7088274c4445dfde054974f14f8feba5012909c5a75d7932a6bcbb488e38d34d9c970cd61c636ee13abc59e06562

        • C:\Webnet\x9qTsv13UFeYw.bat

          Filesize

          84B

          MD5

          5bcb417bd38f4db1936b88b262c0f7ad

          SHA1

          d724fa06c67a7740497576d08b2c9b5b77c7eca4

          SHA256

          f4374316bbc474ade932922a7ae28b6ded46b26a39ec4f3d1042b342a9bb9f07

          SHA512

          9706324f2d9ad3e617987927e63a8a1372c18139a465c17ad5ff8a45d21c09b17571f1de7ae98714310d4a7e0a6f8e40d9148c87c93324c9eacd99f0ab2a2e6c

        • C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe

          Filesize

          209B

          MD5

          1fefc5b72cd89c9f83dcf8a47b254f58

          SHA1

          909c965e493baab2203bac16be714cfb88a75f0d

          SHA256

          7f03a5563b7186e6c6efa09392c843783b9a3375bcfbe29e4b9c8fc6f3032c3c

          SHA512

          5bada5c497c306276c348569995cb254b3e6dcf2a8c10e48eadded26b69e7d5690503b8d9610f46b91a28effbe4be8d7345938d8c59d9f5343186f4d60e526ca

        • \??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC19D8DC4283B74AAC89C59649471FDEEA.TMP

          Filesize

          1KB

          MD5

          b5189fb271be514bec128e0d0809c04e

          SHA1

          5dd625d27ed30fca234ec097ad66f6c13a7edcbe

          SHA256

          e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

          SHA512

          f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

        • \??\c:\Users\Admin\AppData\Local\Temp\113dalzk\113dalzk.0.cs

          Filesize

          355B

          MD5

          4a88c1a08f32f2f69886bd04f0bb3dce

          SHA1

          183b2c1b3b799b4aa1883f3af8869d4d32d490ba

          SHA256

          2e1b5a4db4030229b944a37208b2340528489afb590f411f4fabbe4b04ba713e

          SHA512

          8bac6f60703a4feda0e0c6f4baf353675d4af8b923bc5bd51bb0fbf45765f85e994673a798cca12032c369b1424336d879eeece12e03c94d267fe8ef34ad71ce

        • \??\c:\Users\Admin\AppData\Local\Temp\113dalzk\113dalzk.cmdline

          Filesize

          235B

          MD5

          6b14c97de41579855af6ad09b7eaca23

          SHA1

          c0ab10a36fe1b4cae19283b48f53f293e578c35b

          SHA256

          f3b0fa2219036728caf273d9b70a3a8442a02a6ee71c7fe2542e7d7c1d6c2dfb

          SHA512

          2f4213130ceccff4176cab1a1b8184b5366345cea0b0138362321c8636b79fa334cfe7c5182deba9f74dc417a96d47195aeb1f6396d787d1c9f9d53d7525c5f3

        • \??\c:\Users\Admin\AppData\Local\Temp\hofjtci1\hofjtci1.0.cs

          Filesize

          385B

          MD5

          4bcb37439a962a056c57a90ff996e5f0

          SHA1

          b018f33cce9536612005626c705ba912a8fefaca

          SHA256

          7b2ada0f67d3834cbbf3d36533719ece1ec21671f25da9192553d50abd2465a6

          SHA512

          4421a51291898a6b3a22861e353a27fe26548c8f14121e131da39cb5f05600dacc5cae426f7261ce7affd3145724345d360b3b423acaacdfd371194c5ba9d135

        • \??\c:\Users\Admin\AppData\Local\Temp\hofjtci1\hofjtci1.cmdline

          Filesize

          265B

          MD5

          eb869701a0b74929ba0cecdf57c79858

          SHA1

          2f23bc845c93e23587c51e7d74e02b3723008edf

          SHA256

          4852118935afc1c3ac3a9bd7bc2896b2698d558e6dee23b78604133fe651266f

          SHA512

          2f64aac2488ab1d1b95c4cc53ed8defe72b0d428ab0e1e5c7324b2972c770eeeb14bc3d7a4a36369e73cc5a3181e997e8fa4797616b3318c0b16495aad6bd0fc

        • \??\c:\Windows\System32\CSC9824FA945D1A4950A9E09A524E62DFA.TMP

          Filesize

          1KB

          MD5

          188249e3f31caa0264351fc374794895

          SHA1

          323a707d1a37ac8cbae6d6e502cc850f69ae2e15

          SHA256

          1bf68148c555d0e84720c497dcf3ad708da300ee7472df12c9307a3acd4abde1

          SHA512

          28a0d97e83b6b6d10c0114166e8f23845663a34c8f262aa5a31ffb885abe232badb6f95bba99b8688559cac81f8ff93c3609ac363d8903d35f535d7c5e1e02d5

        • memory/1080-35-0x00007FF73A660000-0x00007FF73B28A000-memory.dmp

          Filesize

          12.2MB

        • memory/2296-165-0x000000001CA30000-0x000000001CA38000-memory.dmp

          Filesize

          32KB

        • memory/2296-164-0x000000001D1A0000-0x000000001D249000-memory.dmp

          Filesize

          676KB

        • memory/4680-55-0x000000001BD50000-0x000000001BD6C000-memory.dmp

          Filesize

          112KB

        • memory/4680-72-0x000000001D470000-0x000000001D486000-memory.dmp

          Filesize

          88KB

        • memory/4680-75-0x000000001D9E0000-0x000000001DF08000-memory.dmp

          Filesize

          5.2MB

        • memory/4680-77-0x000000001BE00000-0x000000001BE0E000-memory.dmp

          Filesize

          56KB

        • memory/4680-79-0x000000001BE60000-0x000000001BE70000-memory.dmp

          Filesize

          64KB

        • memory/4680-81-0x000000001D430000-0x000000001D440000-memory.dmp

          Filesize

          64KB

        • memory/4680-83-0x000000001D510000-0x000000001D56A000-memory.dmp

          Filesize

          360KB

        • memory/4680-85-0x000000001D440000-0x000000001D44E000-memory.dmp

          Filesize

          56KB

        • memory/4680-87-0x000000001D4B0000-0x000000001D4C0000-memory.dmp

          Filesize

          64KB

        • memory/4680-89-0x000000001D4C0000-0x000000001D4CE000-memory.dmp

          Filesize

          56KB

        • memory/4680-91-0x000000001D4F0000-0x000000001D508000-memory.dmp

          Filesize

          96KB

        • memory/4680-93-0x000000001D4D0000-0x000000001D4DC000-memory.dmp

          Filesize

          48KB

        • memory/4680-95-0x000000001D7C0000-0x000000001D80E000-memory.dmp

          Filesize

          312KB

        • memory/4680-74-0x000000001D490000-0x000000001D4A2000-memory.dmp

          Filesize

          72KB

        • memory/4680-70-0x000000001BDD0000-0x000000001BDE0000-memory.dmp

          Filesize

          64KB

        • memory/4680-68-0x000000001D450000-0x000000001D462000-memory.dmp

          Filesize

          72KB

        • memory/4680-66-0x000000001BDC0000-0x000000001BDCE000-memory.dmp

          Filesize

          56KB

        • memory/4680-64-0x000000001BD70000-0x000000001BD80000-memory.dmp

          Filesize

          64KB

        • memory/4680-62-0x000000001BD40000-0x000000001BD50000-memory.dmp

          Filesize

          64KB

        • memory/4680-60-0x000000001BDE0000-0x000000001BDF8000-memory.dmp

          Filesize

          96KB

        • memory/4680-58-0x000000001BD30000-0x000000001BD40000-memory.dmp

          Filesize

          64KB

        • memory/4680-136-0x000000001E010000-0x000000001E0B9000-memory.dmp

          Filesize

          676KB

        • memory/4680-56-0x000000001BE10000-0x000000001BE60000-memory.dmp

          Filesize

          320KB

        • memory/4680-53-0x000000001BCE0000-0x000000001BCEE000-memory.dmp

          Filesize

          56KB

        • memory/4680-51-0x000000001BD90000-0x000000001BDB6000-memory.dmp

          Filesize

          152KB

        • memory/4680-49-0x0000000000EA0000-0x000000000122E000-memory.dmp

          Filesize

          3.6MB