zgrat | ee2f4598d9f48283bdd46bb0c9bd70f250a257e89bcfc2fc03275b913230d358

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2023, 13:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe
Size

20.4MB
MD5

88cc26f5d63af5fcfdc36accae0db04f
SHA1

46d7627f0a00cd378684555e30d7bfbe78687143
SHA256

ee2f4598d9f48283bdd46bb0c9bd70f250a257e89bcfc2fc03275b913230d358
SHA512

3cd33e09524223a1baf882671eacb8033b354a03993c2d2ed7a4ba04796f9b518b5d5b92c93210492f0228bbbb057538bbf23507d10fd8112dce38b359f92cb5
SSDEEP

393216:WDfxovk0AJIh+vncZ9YvMQRVbjUU+5+NBoTRdDzWjWl2xEIYYOoq:WVovkNJIh+vXMwVb3+5+Xo1dva9FYYFq

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 10 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022e11-4.dat	family_zgrat_v1
behavioral2/files/0x0008000000022e11-6.dat	family_zgrat_v1
behavioral2/memory/3336-7-0x0000000000400000-0x0000000001865000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0008000000022e11-8.dat	family_zgrat_v1
behavioral2/files/0x0003000000022335-19.dat	family_zgrat_v1
behavioral2/files/0x0003000000022335-20.dat	family_zgrat_v1
behavioral2/memory/3224-21-0x0000000000C20000-0x0000000000FA8000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0006000000022e34-114.dat	family_zgrat_v1
behavioral2/files/0x000c000000022e32-132.dat	family_zgrat_v1
behavioral2/files/0x000c000000022e32-133.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	HyperDriverIntocrtDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
3860	Nursultan.exe
3224	HyperDriverIntocrtDll.exe
3600	MoUsoCoreWorker.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\ea9f0e6c9e2dcd	HyperDriverIntocrtDll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe	HyperDriverIntocrtDll.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe	HyperDriverIntocrtDll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\1f93f77a7f4778	HyperDriverIntocrtDll.exe
File created	C:\Program Files\Windows Portable Devices\taskhostw.exe	HyperDriverIntocrtDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	Nursultan.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	HyperDriverIntocrtDll.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1108	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe
3224	HyperDriverIntocrtDll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3600	MoUsoCoreWorker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	HyperDriverIntocrtDll.exe
Token: SeDebugPrivilege	3600	MoUsoCoreWorker.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 3860	3336	88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe	86
PID 3336 wrote to memory of 3860	3336	88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe	86
PID 3336 wrote to memory of 3860	3336	88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe	86
PID 3860 wrote to memory of 2024	3860	Nursultan.exe	89
PID 3860 wrote to memory of 2024	3860	Nursultan.exe	89
PID 3860 wrote to memory of 2024	3860	Nursultan.exe	89
PID 2024 wrote to memory of 4152	2024	WScript.exe	93
PID 2024 wrote to memory of 4152	2024	WScript.exe	93
PID 2024 wrote to memory of 4152	2024	WScript.exe	93
PID 4152 wrote to memory of 3224	4152	cmd.exe	95
PID 4152 wrote to memory of 3224	4152	cmd.exe	95
PID 3224 wrote to memory of 3900	3224	HyperDriverIntocrtDll.exe	98
PID 3224 wrote to memory of 3900	3224	HyperDriverIntocrtDll.exe	98
PID 3900 wrote to memory of 3216	3900	cmd.exe	100
PID 3900 wrote to memory of 3216	3900	cmd.exe	100
PID 3900 wrote to memory of 1108	3900	cmd.exe	101
PID 3900 wrote to memory of 1108	3900	cmd.exe	101
PID 3900 wrote to memory of 3600	3900	cmd.exe	102
PID 3900 wrote to memory of 3600	3900	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe
"C:\Users\Admin\AppData\Local\Temp\88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ComponentSavesmonitordll\4R9Rg51iS3uwufB6AmlFTJfH4UnV5i8D9fFIGn1EV7sKuTgZgKEMxEZz4Pb.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ComponentSavesmonitordll\UEE5DygFrJCmvXGMhlwQJ.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\ComponentSavesmonitordll\HyperDriverIntocrtDll.exe
        
        "C:\ComponentSavesmonitordll/HyperDriverIntocrtDll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g2o01mrQ46.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1108
        
        C:\Program Files (x86)\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentSavesmonitordll\4R9Rg51iS3uwufB6AmlFTJfH4UnV5i8D9fFIGn1EV7sKuTgZgKEMxEZz4Pb.vbe

Filesize
223B

MD5
f8a786f4c014917d7813e05e5a8dcdf0

SHA1
e136d8e4d9ac5223810dab7b51937266647ca104

SHA256
f90b392e0e4fec9e3a7993d75aca2919e04d294347957452f1196a04a738bdb7

SHA512
2cb0be5d04d002aabcddd3d9794f13b264ea852e0c800e3ddc5f9992552cc5b2c718d0d34023ae1285df2e65801f4cc7adc005a41d9ca03f114ffc7a2a1056ab

Download Submit
C:\ComponentSavesmonitordll\HyperDriverIntocrtDll.exe

Filesize
3.5MB

MD5
0f9b1f324db2774c14c2257eeed247fe

SHA1
52dcd3675150cf90e2ebc27bf745f700f747b758

SHA256
d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

SHA512
7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

Download Submit
C:\ComponentSavesmonitordll\HyperDriverIntocrtDll.exe

Filesize
3.5MB

MD5
0f9b1f324db2774c14c2257eeed247fe

SHA1
52dcd3675150cf90e2ebc27bf745f700f747b758

SHA256
d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

SHA512
7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

Download Submit
C:\ComponentSavesmonitordll\UEE5DygFrJCmvXGMhlwQJ.bat

Filesize
101B

MD5
8ac9a3a332f136cefbe9c27eab65a4c7

SHA1
8aef4996baf542b09f11692cc91c3aa9a6d85bbe

SHA256
3a9ed449a604fded1dbbef4ff997dc7ed5d9366c262eaf6c687d2c0dffbaa1b3

SHA512
4928cb40bc3ebdcbf4b1d155d6581eaafdd2f37c2029bb8a7c35302ba6da6bbd414d3d7ec43b7b120874dcd7c0e168573c055be111663626998960a335d7afe7

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe

Filesize
3.5MB

MD5
0f9b1f324db2774c14c2257eeed247fe

SHA1
52dcd3675150cf90e2ebc27bf745f700f747b758

SHA256
d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

SHA512
7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe

Filesize
3.5MB

MD5
0f9b1f324db2774c14c2257eeed247fe

SHA1
52dcd3675150cf90e2ebc27bf745f700f747b758

SHA256
d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

SHA512
7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
3.5MB

MD5
0f9b1f324db2774c14c2257eeed247fe

SHA1
52dcd3675150cf90e2ebc27bf745f700f747b758

SHA256
d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

SHA512
7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
4.0MB

MD5
10ac3ea14e236503bc422f963d20d510

SHA1
bdde4479f4fd0c87e918a71a42138aa2811e6f1a

SHA256
339078555e679d49401fbd5cd170a5418f8d7899d0d2fe277b456062f11aa4d2

SHA512
81831fec1e2fdbe1abd27d378a6db11725e97b52051b11c200c80f4dd8bdea8ff797e7eac32e1356f2f0912bb585e3b36c000959fa9a26cb0f8c5ea702a4f6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
4.0MB

MD5
10ac3ea14e236503bc422f963d20d510

SHA1
bdde4479f4fd0c87e918a71a42138aa2811e6f1a

SHA256
339078555e679d49401fbd5cd170a5418f8d7899d0d2fe277b456062f11aa4d2

SHA512
81831fec1e2fdbe1abd27d378a6db11725e97b52051b11c200c80f4dd8bdea8ff797e7eac32e1356f2f0912bb585e3b36c000959fa9a26cb0f8c5ea702a4f6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
4.0MB

MD5
10ac3ea14e236503bc422f963d20d510

SHA1
bdde4479f4fd0c87e918a71a42138aa2811e6f1a

SHA256
339078555e679d49401fbd5cd170a5418f8d7899d0d2fe277b456062f11aa4d2

SHA512
81831fec1e2fdbe1abd27d378a6db11725e97b52051b11c200c80f4dd8bdea8ff797e7eac32e1356f2f0912bb585e3b36c000959fa9a26cb0f8c5ea702a4f6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2o01mrQ46.bat

Filesize
199B

MD5
9da83e9792d06e1783df2afedff23e5c

SHA1
6521e6d26ef4d30dcad41a2e1fc11735ff525d9b

SHA256
186632ed2ce6a6ab05cdc3ccae3023c47513357a881beeb64c32940a804422ea

SHA512
a3e9cec7dfcf7c45f6b4dad21274e5c0c16eca1b0312e8f830aac2449019a5a10147e72d0159a5ba29ff5a3d95d2ffc227c1156364b0b57f07e9d900b0905fb1

Download Submit
memory/3224-62-0x000000001BD60000-0x000000001BD70000-memory.dmp

Filesize
64KB

Download
memory/3224-71-0x000000001D1A0000-0x000000001D1B2000-memory.dmp

Filesize
72KB

Download
memory/3224-29-0x00007FFE89810000-0x00007FFE898CE000-memory.dmp

Filesize
760KB

Download
memory/3224-28-0x000000001BD10000-0x000000001BD36000-memory.dmp

Filesize
152KB

Download
memory/3224-30-0x00007FFE89810000-0x00007FFE898CE000-memory.dmp

Filesize
760KB

Download
memory/3224-32-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/3224-33-0x00007FFE897F0000-0x00007FFE897F1000-memory.dmp

Filesize
4KB

Download
memory/3224-35-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/3224-36-0x00007FFE6C420000-0x00007FFE6CEE1000-memory.dmp

Filesize
10.8MB

Download
memory/3224-39-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/3224-37-0x00007FFE897E0000-0x00007FFE897E1000-memory.dmp

Filesize
4KB

Download
memory/3224-40-0x00007FFE897D0000-0x00007FFE897D1000-memory.dmp

Filesize
4KB

Download
memory/3224-41-0x00007FFE897C0000-0x00007FFE897C1000-memory.dmp

Filesize
4KB

Download
memory/3224-43-0x000000001BCE0000-0x000000001BCEE000-memory.dmp

Filesize
56KB

Download
memory/3224-44-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/3224-47-0x000000001BCF0000-0x000000001BCFE000-memory.dmp

Filesize
56KB

Download
memory/3224-46-0x00007FFE897B0000-0x00007FFE897B1000-memory.dmp

Filesize
4KB

Download
memory/3224-50-0x00007FFE897A0000-0x00007FFE897A1000-memory.dmp

Filesize
4KB

Download
memory/3224-49-0x000000001BD00000-0x000000001BD0C000-memory.dmp

Filesize
48KB

Download
memory/3224-52-0x000000001BD40000-0x000000001BD4E000-memory.dmp

Filesize
56KB

Download
memory/3224-53-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/3224-57-0x00007FFE89780000-0x00007FFE89781000-memory.dmp

Filesize
4KB

Download
memory/3224-56-0x000000001D140000-0x000000001D152000-memory.dmp

Filesize
72KB

Download
memory/3224-54-0x00007FFE89790000-0x00007FFE89791000-memory.dmp

Filesize
4KB

Download
memory/3224-59-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/3224-60-0x00007FFE89810000-0x00007FFE898CE000-memory.dmp

Filesize
760KB

Download
memory/3224-63-0x00007FFE89710000-0x00007FFE89711000-memory.dmp

Filesize
4KB

Download
memory/3224-25-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/3224-65-0x00007FFE89810000-0x00007FFE898CE000-memory.dmp

Filesize
760KB

Download
memory/3224-64-0x00007FFE89700000-0x00007FFE89701000-memory.dmp

Filesize
4KB

Download
memory/3224-68-0x000000001D180000-0x000000001D196000-memory.dmp

Filesize
88KB

Download
memory/3224-66-0x00007FFE896F0000-0x00007FFE896F1000-memory.dmp

Filesize
4KB

Download
memory/3224-69-0x00007FFE896E0000-0x00007FFE896E1000-memory.dmp

Filesize
4KB

Download
memory/3224-26-0x00007FFE89800000-0x00007FFE89801000-memory.dmp

Filesize
4KB

Download
memory/3224-72-0x000000001D6F0000-0x000000001DC18000-memory.dmp

Filesize
5.2MB

Download
memory/3224-73-0x00007FFE896D0000-0x00007FFE896D1000-memory.dmp

Filesize
4KB

Download
memory/3224-76-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/3224-75-0x000000001BD70000-0x000000001BD7E000-memory.dmp

Filesize
56KB

Download
memory/3224-78-0x000000001D160000-0x000000001D16C000-memory.dmp

Filesize
48KB

Download
memory/3224-79-0x00007FFE896C0000-0x00007FFE896C1000-memory.dmp

Filesize
4KB

Download
memory/3224-82-0x000000001D170000-0x000000001D17C000-memory.dmp

Filesize
48KB

Download
memory/3224-80-0x00007FFE89270000-0x00007FFE89271000-memory.dmp

Filesize
4KB

Download
memory/3224-85-0x000000001D1C0000-0x000000001D1D0000-memory.dmp

Filesize
64KB

Download
memory/3224-83-0x00007FFE89260000-0x00007FFE89261000-memory.dmp

Filesize
4KB

Download
memory/3224-88-0x000000001D1D0000-0x000000001D1E0000-memory.dmp

Filesize
64KB

Download
memory/3224-86-0x00007FFE89250000-0x00007FFE89251000-memory.dmp

Filesize
4KB

Download
memory/3224-89-0x00007FFE89240000-0x00007FFE89241000-memory.dmp

Filesize
4KB

Download
memory/3224-91-0x000000001D240000-0x000000001D29A000-memory.dmp

Filesize
360KB

Download
memory/3224-93-0x000000001D1E0000-0x000000001D1EE000-memory.dmp

Filesize
56KB

Download
memory/3224-94-0x00007FFE89230000-0x00007FFE89231000-memory.dmp

Filesize
4KB

Download
memory/3224-95-0x00007FFE89220000-0x00007FFE89221000-memory.dmp

Filesize
4KB

Download
memory/3224-97-0x000000001D1F0000-0x000000001D200000-memory.dmp

Filesize
64KB

Download
memory/3224-98-0x00007FFE89210000-0x00007FFE89211000-memory.dmp

Filesize
4KB

Download
memory/3224-100-0x000000001D200000-0x000000001D20E000-memory.dmp

Filesize
56KB

Download
memory/3224-101-0x00007FFE89200000-0x00007FFE89201000-memory.dmp

Filesize
4KB

Download
memory/3224-103-0x000000001D4A0000-0x000000001D4B8000-memory.dmp

Filesize
96KB

Download
memory/3224-104-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/3224-105-0x00007FFE891F0000-0x00007FFE891F1000-memory.dmp

Filesize
4KB

Download
memory/3224-107-0x000000001D210000-0x000000001D21C000-memory.dmp

Filesize
48KB

Download
memory/3224-108-0x00007FFE891E0000-0x00007FFE891E1000-memory.dmp

Filesize
4KB

Download
memory/3224-24-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/3224-127-0x000000001D4C0000-0x000000001D50E000-memory.dmp

Filesize
312KB

Download
memory/3224-23-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/3224-21-0x0000000000C20000-0x0000000000FA8000-memory.dmp

Filesize
3.5MB

Download
memory/3224-22-0x00007FFE6C420000-0x00007FFE6CEE1000-memory.dmp

Filesize
10.8MB

Download
memory/3336-7-0x0000000000400000-0x0000000001865000-memory.dmp

Filesize
20.4MB

Download
memory/3600-192-0x000000001EAB0000-0x000000001EAFE000-memory.dmp

Filesize
312KB

Download