zgrat | 1933f809c3459991a94f70f1381e2e26335207959a9cef0fad842f53331462a6

Analysis

max time kernel
145s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

412cd1f80bd9c600e3b4dc093e917f00.exe
Size

736KB
MD5

412cd1f80bd9c600e3b4dc093e917f00
SHA1

00afca16a90495345bc729115ef7bf6d69d25577
SHA256

1933f809c3459991a94f70f1381e2e26335207959a9cef0fad842f53331462a6
SHA512

0a4ed04d17b350cdf9cb7b36182caa5c2e14118338914735cf38754ce0ee745f58b11f7accc735e1d56c6ebcf21a00625b0360e467e370ffd4ba12cbad6c92fd
SSDEEP

12288:kPIyPKREnm9jLV2QjcZpF2w4qkzR9leeW1ZwiTVmFZDr4tsb9c5kjIMC1m+UT49R:uXCRpPjcH/4pRicFB0tsb9cUJi2TSR

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

resource	yara_rule
behavioral2/memory/456-80-0x0000000008B50000-0x0000000008BC0000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-84-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-82-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-90-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-96-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-100-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-112-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-118-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-120-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-132-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-142-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-144-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-140-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-138-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-136-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-134-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-130-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-128-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-126-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-124-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-122-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-116-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-114-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-110-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-108-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-106-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-104-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-102-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-98-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-94-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-92-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-88-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-86-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/456-81-0x0000000008B50000-0x0000000008BBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3788-2098-0x0000000000400000-0x000000000042A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	412cd1f80bd9c600e3b4dc093e917f00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zan = "\"C:\\Users\\Admin\\AppData\\Roaming\\zan.exe\""	412cd1f80bd9c600e3b4dc093e917f00.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 3788	456	412cd1f80bd9c600e3b4dc093e917f00.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	412cd1f80bd9c600e3b4dc093e917f00.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1556	PING.EXE
3096	PING.EXE
1660	PING.EXE
4812	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4072	powershell.exe
4072	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
456	412cd1f80bd9c600e3b4dc093e917f00.exe
456	412cd1f80bd9c600e3b4dc093e917f00.exe
4048	powershell.exe
4048	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	456	412cd1f80bd9c600e3b4dc093e917f00.exe
Token: SeDebugPrivilege	4048	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4072	456	412cd1f80bd9c600e3b4dc093e917f00.exe	91
PID 456 wrote to memory of 4072	456	412cd1f80bd9c600e3b4dc093e917f00.exe	91
PID 456 wrote to memory of 4072	456	412cd1f80bd9c600e3b4dc093e917f00.exe	91
PID 4072 wrote to memory of 3096	4072	powershell.exe	97
PID 4072 wrote to memory of 3096	4072	powershell.exe	97
PID 4072 wrote to memory of 3096	4072	powershell.exe	97
PID 456 wrote to memory of 1756	456	412cd1f80bd9c600e3b4dc093e917f00.exe	100
PID 456 wrote to memory of 1756	456	412cd1f80bd9c600e3b4dc093e917f00.exe	100
PID 456 wrote to memory of 1756	456	412cd1f80bd9c600e3b4dc093e917f00.exe	100
PID 1756 wrote to memory of 1660	1756	powershell.exe	101
PID 1756 wrote to memory of 1660	1756	powershell.exe	101
PID 1756 wrote to memory of 1660	1756	powershell.exe	101
PID 456 wrote to memory of 4388	456	412cd1f80bd9c600e3b4dc093e917f00.exe	104
PID 456 wrote to memory of 4388	456	412cd1f80bd9c600e3b4dc093e917f00.exe	104
PID 456 wrote to memory of 4388	456	412cd1f80bd9c600e3b4dc093e917f00.exe	104
PID 4388 wrote to memory of 4812	4388	powershell.exe	106
PID 4388 wrote to memory of 4812	4388	powershell.exe	106
PID 4388 wrote to memory of 4812	4388	powershell.exe	106
PID 456 wrote to memory of 3020	456	412cd1f80bd9c600e3b4dc093e917f00.exe	107
PID 456 wrote to memory of 3020	456	412cd1f80bd9c600e3b4dc093e917f00.exe	107
PID 456 wrote to memory of 3020	456	412cd1f80bd9c600e3b4dc093e917f00.exe	107
PID 3020 wrote to memory of 1556	3020	powershell.exe	109
PID 3020 wrote to memory of 1556	3020	powershell.exe	109
PID 3020 wrote to memory of 1556	3020	powershell.exe	109
PID 456 wrote to memory of 4972	456	412cd1f80bd9c600e3b4dc093e917f00.exe	114
PID 456 wrote to memory of 4972	456	412cd1f80bd9c600e3b4dc093e917f00.exe	114
PID 456 wrote to memory of 4972	456	412cd1f80bd9c600e3b4dc093e917f00.exe	114
PID 456 wrote to memory of 3788	456	412cd1f80bd9c600e3b4dc093e917f00.exe	115
PID 456 wrote to memory of 3788	456	412cd1f80bd9c600e3b4dc093e917f00.exe	115
PID 456 wrote to memory of 3788	456	412cd1f80bd9c600e3b4dc093e917f00.exe	115
PID 456 wrote to memory of 3788	456	412cd1f80bd9c600e3b4dc093e917f00.exe	115
PID 456 wrote to memory of 3788	456	412cd1f80bd9c600e3b4dc093e917f00.exe	115
PID 456 wrote to memory of 3788	456	412cd1f80bd9c600e3b4dc093e917f00.exe	115
PID 456 wrote to memory of 3788	456	412cd1f80bd9c600e3b4dc093e917f00.exe	115
PID 456 wrote to memory of 3788	456	412cd1f80bd9c600e3b4dc093e917f00.exe	115
PID 4972 wrote to memory of 4048	4972	WScript.exe	117
PID 4972 wrote to memory of 4048	4972	WScript.exe	117
PID 4972 wrote to memory of 4048	4972	WScript.exe	117

C:\Users\Admin\AppData\Local\Temp\412cd1f80bd9c600e3b4dc093e917f00.exe
"C:\Users\Admin\AppData\Local\Temp\412cd1f80bd9c600e3b4dc093e917f00.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" gooogle.com
    3⤵
    - Runs ping.exe
    PID:3096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" gooogle.com
    3⤵
    - Runs ping.exe
    PID:1660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" gooogle.com
    3⤵
    - Runs ping.exe
    PID:4812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" gooogle.com
    3⤵
    - Runs ping.exe
    PID:1556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Zwoqghbfujejrlbnxyxjpk.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\zan.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- C:\Users\Admin\AppData\Local\Temp\412cd1f80bd9c600e3b4dc093e917f00.exe
  C:\Users\Admin\AppData\Local\Temp\412cd1f80bd9c600e3b4dc093e917f00.exe
  2⤵
  PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\412cd1f80bd9c600e3b4dc093e917f00.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
2da2c520dc0fd2183ede789d842f1f2e

SHA1
1dddcbe6ab071c0ae694df86a9820937fa640283

SHA256
c6c945ad3335b1c239838d1251a66e1a5c95965ae75f0ac7b665bc7058cb7314

SHA512
28033529de697924c1f97367fd766d2868adc9f80ef73b04ccc52f8147221efc3eb230b39e030bb43aeda23358b80564615a10bd40d9b266d7c99f0abda6ba1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
2731c255f8b0516cdbc2247ca140f189

SHA1
fbe43abdb08fb2ce43474fdb8ca06043583afb1a

SHA256
53f92e9691553a0d57b476257acbbbfa59fa5d24e4e308e50b85910faa9f625e

SHA512
b3978c15aefae20b302c73ade7231f0a6b1b0477946768b4f21c694fc43bb3057cd01460704e38dbfcc4a40ecb24fcab8f19eb00b2ef99375d164383aecf0988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
91e970c5d2e9b2a58f5f0539717c6385

SHA1
fc96ade17389801d20304705a8ec9f8dd1881edf

SHA256
174dfda41f9e88bdbdac3a3c3a13883b6fef5b7cf174049514b300bb285dbdf5

SHA512
b471d0bab5c3740bb2bad041099cbacbe56dde659c0aa9e2454914f10d335a7e7184068d19647060028b81abc084dae8105ca579dc0547ae01fd88e999b55558

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Zwoqghbfujejrlbnxyxjpk.vbs

Filesize
133B

MD5
8c4e15ac045e0f9cc0183631dcc6b372

SHA1
52a3853edf3f0aa2801029a06fa684fbfd906d4d

SHA256
c37b436fa8d7434761205a036be573203a055c1021fd0bd70563585cb0720571

SHA512
17bdbc1ae26286e3dae1435ccc7d1e194ef3657224d184fd8448a3afeb2020b43db9bbbcd58e5c6fce8d2b2df234bd83816aa05161e69d0f0849df4ad3a6c5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgkm1r0u.n4i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/456-140-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-142-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-1-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/456-2096-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/456-2-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/456-3-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/456-81-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-86-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-88-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-92-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-94-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-130-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-110-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-114-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-116-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-39-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/456-40-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/456-122-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-124-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-6-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/456-46-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/456-128-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-126-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-106-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-5-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/456-98-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-4-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/456-102-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-104-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-112-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-136-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-138-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-79-0x0000000008190000-0x00000000081EC000-memory.dmp

Filesize
368KB

Download
memory/456-80-0x0000000008B50000-0x0000000008BC0000-memory.dmp

Filesize
448KB

Download
memory/456-84-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-82-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-90-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-96-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-100-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-134-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-118-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-120-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-132-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-108-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-144-0x0000000008B50000-0x0000000008BBA000-memory.dmp

Filesize
424KB

Download
memory/456-0-0x0000000000CD0000-0x0000000000D8E000-memory.dmp

Filesize
760KB

Download
memory/1756-44-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1756-41-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1756-29-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1756-28-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1756-27-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3020-77-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/3020-65-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3020-66-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3020-67-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3020-222-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3020-225-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3788-2098-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3788-2097-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3788-2140-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3788-2099-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4048-2128-0x0000000007380000-0x0000000007423000-memory.dmp

Filesize
652KB

Download
memory/4048-2113-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/4048-2111-0x0000000005C10000-0x0000000005F64000-memory.dmp

Filesize
3.3MB

Download
memory/4048-2139-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4048-2137-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/4048-2136-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/4048-2135-0x0000000007660000-0x0000000007674000-memory.dmp

Filesize
80KB

Download
memory/4048-2134-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/4048-2133-0x0000000007610000-0x0000000007621000-memory.dmp

Filesize
68KB

Download
memory/4048-2117-0x0000000070890000-0x00000000708DC000-memory.dmp

Filesize
304KB

Download
memory/4048-2132-0x00000000076F0000-0x0000000007786000-memory.dmp

Filesize
600KB

Download
memory/4048-2131-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/4048-2130-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/4048-2129-0x0000000007AB0000-0x000000000812A000-memory.dmp

Filesize
6.5MB

Download
memory/4048-2101-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4048-2100-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4048-2115-0x000000007F1C0000-0x000000007F1D0000-memory.dmp

Filesize
64KB

Download
memory/4048-2116-0x00000000066F0000-0x0000000006722000-memory.dmp

Filesize
200KB

Download
memory/4048-2127-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/4048-2114-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4072-11-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/4072-13-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/4072-25-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/4072-26-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/4072-8-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4072-24-0x0000000006040000-0x0000000006394000-memory.dmp

Filesize
3.3MB

Download
memory/4072-10-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4072-9-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4072-61-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4072-12-0x0000000005580000-0x00000000055A2000-memory.dmp

Filesize
136KB

Download
memory/4072-7-0x0000000002BE0000-0x0000000002C16000-memory.dmp

Filesize
216KB

Download
memory/4072-19-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/4388-49-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/4388-64-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4388-48-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/4388-47-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download