zgrat | e386c831df697e516fedcab1ad8a879ae057a5f4f321a873dcd31e9c6760009e

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41965fc5d071ce4b42bba9b7c486f784.exe
Size

4.9MB
MD5

41965fc5d071ce4b42bba9b7c486f784
SHA1

e1c90feba42abe5c4ae88d86ae75e021f55afb0b
SHA256

e386c831df697e516fedcab1ad8a879ae057a5f4f321a873dcd31e9c6760009e
SHA512

7ccc5337e0ef03eec69d950af1bf698a53f324e176a8fd05cfb4dc978774663de60637f10f00db4976596867612889d335a7b2b4ffa0a3caf68354c34d4515d9
SSDEEP

49152:36PaeNTtXgpSTeCrkJ9rV/FZjRrZHFqtgJIHiSynJpwjIcOJFSNTUyzL41:kagT+4TaWTUF

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/4120-53-0x0000000008070000-0x00000000080DC000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-54-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-55-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-57-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-59-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-61-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-65-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-63-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-69-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-71-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-73-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-67-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-81-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-79-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-85-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-93-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-97-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-103-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-101-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-115-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-117-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-113-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-111-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-109-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-107-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-105-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-99-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-95-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-91-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-89-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-87-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-83-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-77-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4120-75-0x0000000008070000-0x00000000080D6000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	41965fc5d071ce4b42bba9b7c486f784.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	System.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
4120	System.pif
608	BF1PureCracker0.exe
4848	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4848	RegAsm.exe
4848	RegAsm.exe
4848	RegAsm.exe
4848	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 4848	4120	System.pif	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	System.pif

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4120	System.pif
4120	System.pif
1804	powershell.exe
1804	powershell.exe
1804	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	System.pif
Token: SeShutdownPrivilege	4848	RegAsm.exe
Token: SeDebugPrivilege	1804	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4848	RegAsm.exe
4848	RegAsm.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4120	4480	41965fc5d071ce4b42bba9b7c486f784.exe	91
PID 4480 wrote to memory of 4120	4480	41965fc5d071ce4b42bba9b7c486f784.exe	91
PID 4480 wrote to memory of 4120	4480	41965fc5d071ce4b42bba9b7c486f784.exe	91
PID 4480 wrote to memory of 608	4480	41965fc5d071ce4b42bba9b7c486f784.exe	93
PID 4480 wrote to memory of 608	4480	41965fc5d071ce4b42bba9b7c486f784.exe	93
PID 4120 wrote to memory of 1876	4120	System.pif	105
PID 4120 wrote to memory of 1876	4120	System.pif	105
PID 4120 wrote to memory of 1876	4120	System.pif	105
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 4120 wrote to memory of 4848	4120	System.pif	107
PID 1876 wrote to memory of 1804	1876	WScript.exe	108
PID 1876 wrote to memory of 1804	1876	WScript.exe	108
PID 1876 wrote to memory of 1804	1876	WScript.exe	108

C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe
"C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif
  "C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Nakikvvyglg.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4848
- C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
  "C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"
  2⤵
  - Executes dropped EXE
  PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

Filesize
383KB

MD5
c2a78b5610d2abd529688c420bde478e

SHA1
7a6b9c6f66f7df7540ecfd633f9735c4828f9b3a

SHA256
36c76fcef546a898a0c6f4d811b9106574ac5e82f5354569871be9679091871c

SHA512
b000464af649879dc724a9d805601ba9f627e03f28a65bc2a13a946f840d70bd8e6835511701657c795b96fd4521c7f23826b168a0bf2429e9d36bb596797aa2

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Direct2D1.dll

Filesize
72KB

MD5
1204ab09202811083417dcc5728ace36

SHA1
4ac4ca5e6c330cb17fbf8d1bd34b46ebe7ac86f7

SHA256
46a751d7c3e087fbea754749bc437dcaa5536a0b233f2fcf28a89b70140adfd5

SHA512
d9fc5b6691f86bdc0bc77caec6a7fe7a2f44f9690bf05948d4e22bdee0823acc70c6e051220af99f0b2c9a02eefcd9551aee5c64b5408d156c5e0afb60cbfd75

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Mathematics.dll

Filesize
216KB

MD5
d30f6fb490a820dcdd9c7da971036393

SHA1
177b1b912fb09efacce8bae24fca35ea514f131b

SHA256
be2fe214f8a1515824b523ac85f25c8856370d4ffd90cd22dd78c079f5ea803b

SHA512
332508c32d6c5baf16da59c619fb4b55dfdfccea667582d02ccf72e88d0ddc0acaa2df97adba038bbada9d839145a6cd76c4a7ced5346256d868b3bd548d82e2

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.dll

Filesize
260KB

MD5
6fabeaa1c8ea15e787f2e3b487ab434d

SHA1
c2091f69192903676ed6b181bbf8346b819c43a2

SHA256
28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909

SHA512
076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

Filesize
2.2MB

MD5
74ff1365744d94e18eac9294de845798

SHA1
1839dee90d909dda325e14b5d9eb85cb4e8f537f

SHA256
6e0ab157f3969069ce7425f0f192077b6ebd354bbdfc5bfc3aabb18bd35aa7ac

SHA512
52507fb4c49c442328efed9c5bcc7780a802de22b06d2766ef9fc10c9abf0e8ba0db779062305ff548f477c8b419521320c41206aae717642ece5dc568e5bdd2

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

Filesize
1.4MB

MD5
16f856d08fc8d9b8b356eb77b028ad1b

SHA1
12d15256b94b037094d4ffac6ef0b9651ded7de3

SHA256
c182c1abe045779bfbebcfa7640cec521fe9dd1a29fe562bcaf613f48060f470

SHA512
f81fcf04b47d70c8a6bd33ed7a481d178adbbd3f043d4b0e768dc4a410f4268d69be89f0660e9608c28570d951e25a5da8dea0973d125ae44814349e0e94ac80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Nakikvvyglg.vbs

Filesize
186B

MD5
0d6555dc02c45b1e49ac39075c65cebe

SHA1
2fb0e4464b16db957a06353e14345e0f5a5ba4be

SHA256
368760bf74c0fc525b30d96118bef07fe2cdd1a20373e04151be5a95e6afbe8f

SHA512
775cf89738b1ad02a1aefad53a632e576f9037c3da7adab83c63474716ad4352fc100f85c6045fe725ed04eb003a3afc52b4f809f30e6efe6c31bd59a1b77cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgspl442.4ys.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe

Filesize
2.9MB

MD5
9fd1f52d41b0b6b9f4441b215f4e86c3

SHA1
54110e365dfca0db91c49013504a728abf202666

SHA256
75ea1039db1ca61e21610977cb3570684ee256b43b0416ad6b2ce1d947201219

SHA512
bedb8ba5cdf40e845af81ff57db126c62c14deeb514cc80db09c56c206a2cf1783f2913483068bf90497400af274b154cb564535e23e6cdbc59837b7158ac970

Download Submit
memory/608-49-0x00000245B62B0000-0x00000245B62C0000-memory.dmp

Filesize
64KB

Download
memory/608-48-0x00007FFE35C60000-0x00007FFE36721000-memory.dmp

Filesize
10.8MB

Download
memory/608-30-0x00000245B44C0000-0x00000245B4526000-memory.dmp

Filesize
408KB

Download
memory/608-42-0x00000245B62B0000-0x00000245B62C0000-memory.dmp

Filesize
64KB

Download
memory/608-43-0x00000245B6240000-0x00000245B627C000-memory.dmp

Filesize
240KB

Download
memory/608-36-0x00000245B4900000-0x00000245B490A000-memory.dmp

Filesize
40KB

Download
memory/608-31-0x00000245B48D0000-0x00000245B48E8000-memory.dmp

Filesize
96KB

Download
memory/608-38-0x00000245B62C0000-0x00000245B6308000-memory.dmp

Filesize
288KB

Download
memory/608-33-0x00007FFE35C60000-0x00007FFE36721000-memory.dmp

Filesize
10.8MB

Download
memory/608-35-0x00000245B6390000-0x00000245B640C000-memory.dmp

Filesize
496KB

Download
memory/1804-2041-0x0000000006F30000-0x0000000006FD3000-memory.dmp

Filesize
652KB

Download
memory/1804-2018-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/1804-2046-0x0000000007240000-0x0000000007251000-memory.dmp

Filesize
68KB

Download
memory/1804-2047-0x00000000072A0000-0x00000000072AE000-memory.dmp

Filesize
56KB

Download
memory/1804-2044-0x00000000070B0000-0x00000000070BA000-memory.dmp

Filesize
40KB

Download
memory/1804-2043-0x0000000007040000-0x000000000705A000-memory.dmp

Filesize
104KB

Download
memory/1804-2042-0x0000000007690000-0x0000000007D0A000-memory.dmp

Filesize
6.5MB

Download
memory/1804-2048-0x0000000007360000-0x0000000007374000-memory.dmp

Filesize
80KB

Download
memory/1804-2040-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/1804-2030-0x0000000070450000-0x000000007049C000-memory.dmp

Filesize
304KB

Download
memory/1804-2029-0x0000000006EF0000-0x0000000006F22000-memory.dmp

Filesize
200KB

Download
memory/1804-2028-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/1804-2019-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/1804-2045-0x00000000072C0000-0x0000000007356000-memory.dmp

Filesize
600KB

Download
memory/1804-2017-0x0000000005870000-0x0000000005BC4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-2053-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1804-2007-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/1804-2006-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/1804-2005-0x0000000004D80000-0x0000000004DA2000-memory.dmp

Filesize
136KB

Download
memory/1804-2002-0x0000000004F60000-0x0000000005588000-memory.dmp

Filesize
6.2MB

Download
memory/1804-2001-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/1804-1999-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1804-2000-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/1804-1998-0x0000000002410000-0x0000000002446000-memory.dmp

Filesize
216KB

Download
memory/1804-2049-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/1804-2050-0x0000000007380000-0x0000000007388000-memory.dmp

Filesize
32KB

Download
memory/4120-50-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/4120-67-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-111-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-109-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-107-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-105-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-99-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-95-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-91-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-89-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-87-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-83-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-77-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-75-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-117-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-115-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-101-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-1995-0x0000000072BC0000-0x0000000073370000-memory.dmp

Filesize
7.7MB

Download
memory/4120-103-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-97-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-93-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-85-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-79-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-32-0x0000000000F60000-0x000000000124C000-memory.dmp

Filesize
2.9MB

Download
memory/4120-81-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-113-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-73-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-71-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-69-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-63-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-65-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-41-0x0000000006340000-0x00000000068E4000-memory.dmp

Filesize
5.6MB

Download
memory/4120-61-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-59-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-57-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-55-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-54-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4120-53-0x0000000008070000-0x00000000080DC000-memory.dmp

Filesize
432KB

Download
memory/4120-52-0x0000000007370000-0x000000000757A000-memory.dmp

Filesize
2.0MB

Download
memory/4120-51-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/4120-47-0x0000000072BC0000-0x0000000073370000-memory.dmp

Filesize
7.7MB

Download
memory/4120-46-0x0000000005C40000-0x0000000005C4A000-memory.dmp

Filesize
40KB

Download
memory/4120-45-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/4120-44-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/4120-40-0x0000000072BC0000-0x0000000073370000-memory.dmp

Filesize
7.7MB

Download
memory/4848-2027-0x0000000070130000-0x0000000070169000-memory.dmp

Filesize
228KB

Download
memory/4848-2004-0x00000000717B0000-0x00000000717E9000-memory.dmp

Filesize
228KB

Download
memory/4848-2056-0x0000000075330000-0x0000000075369000-memory.dmp

Filesize
228KB

Download
memory/4848-2059-0x0000000075330000-0x0000000075369000-memory.dmp

Filesize
228KB

Download