zgrat | 35f53c5cca6b39903694aff2fa966bce4165c79ea707c54200096d5756a3ef05

Analysis

max time kernel
178s
max time network
241s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

526a60e929f138a26e787599b03b11e3.exe
Size

2.3MB
MD5

526a60e929f138a26e787599b03b11e3
SHA1

7b114fda367c8b1d01b56bbcd62b3270244aac2f
SHA256

35f53c5cca6b39903694aff2fa966bce4165c79ea707c54200096d5756a3ef05
SHA512

3f45980ab9509066e2f9daec04055aaa689be68fbe25328521670b7cbab5d9c1fe36779d9e7183b0a7d3842a7e8368c0ca728005ccdf3b5f5350fa96abb8a03b
SSDEEP

49152:IBJCfMtUPyBZFPZm9Yc8B0TTBqYH0LSjUvX:yQUsyvVZm95BTB5q5X

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 9 IoCs

resource	yara_rule
behavioral1/files/0x001100000000b1f5-9.dat	family_zgrat_v1
behavioral1/files/0x001100000000b1f5-12.dat	family_zgrat_v1
behavioral1/files/0x001100000000b1f5-11.dat	family_zgrat_v1
behavioral1/files/0x001100000000b1f5-10.dat	family_zgrat_v1
behavioral1/memory/2832-14-0x00000000001F0000-0x00000000003F8000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000015e38-48.dat	family_zgrat_v1
behavioral1/files/0x0006000000016cd6-111.dat	family_zgrat_v1
behavioral1/memory/2716-112-0x0000000000A30000-0x0000000000C38000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000016cd6-110.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
2832	componentwin.exe
2716	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
516	cmd.exe
516	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\lsass.exe	componentwin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\lsass.exe	componentwin.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\6203df4a6bafc7	componentwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe
2832	componentwin.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	componentwin.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2716	csrss.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2908	2564	526a60e929f138a26e787599b03b11e3.exe	29
PID 2564 wrote to memory of 2908	2564	526a60e929f138a26e787599b03b11e3.exe	29
PID 2564 wrote to memory of 2908	2564	526a60e929f138a26e787599b03b11e3.exe	29
PID 2564 wrote to memory of 2908	2564	526a60e929f138a26e787599b03b11e3.exe	29
PID 2908 wrote to memory of 516	2908	WScript.exe	30
PID 2908 wrote to memory of 516	2908	WScript.exe	30
PID 2908 wrote to memory of 516	2908	WScript.exe	30
PID 2908 wrote to memory of 516	2908	WScript.exe	30
PID 516 wrote to memory of 2832	516	cmd.exe	32
PID 516 wrote to memory of 2832	516	cmd.exe	32
PID 516 wrote to memory of 2832	516	cmd.exe	32
PID 516 wrote to memory of 2832	516	cmd.exe	32
PID 2832 wrote to memory of 2404	2832	componentwin.exe	42
PID 2832 wrote to memory of 2404	2832	componentwin.exe	42
PID 2832 wrote to memory of 2404	2832	componentwin.exe	42
PID 2832 wrote to memory of 2272	2832	componentwin.exe	41
PID 2832 wrote to memory of 2272	2832	componentwin.exe	41
PID 2832 wrote to memory of 2272	2832	componentwin.exe	41
PID 2832 wrote to memory of 2532	2832	componentwin.exe	40
PID 2832 wrote to memory of 2532	2832	componentwin.exe	40
PID 2832 wrote to memory of 2532	2832	componentwin.exe	40
PID 2832 wrote to memory of 2228	2832	componentwin.exe	38
PID 2832 wrote to memory of 2228	2832	componentwin.exe	38
PID 2832 wrote to memory of 2228	2832	componentwin.exe	38
PID 2832 wrote to memory of 2480	2832	componentwin.exe	37
PID 2832 wrote to memory of 2480	2832	componentwin.exe	37
PID 2832 wrote to memory of 2480	2832	componentwin.exe	37
PID 2832 wrote to memory of 1692	2832	componentwin.exe	43
PID 2832 wrote to memory of 1692	2832	componentwin.exe	43
PID 2832 wrote to memory of 1692	2832	componentwin.exe	43
PID 1692 wrote to memory of 2488	1692	cmd.exe	45
PID 1692 wrote to memory of 2488	1692	cmd.exe	45
PID 1692 wrote to memory of 2488	1692	cmd.exe	45
PID 1692 wrote to memory of 2776	1692	cmd.exe	46
PID 1692 wrote to memory of 2776	1692	cmd.exe	46
PID 1692 wrote to memory of 2776	1692	cmd.exe	46
PID 1692 wrote to memory of 2716	1692	cmd.exe	47
PID 1692 wrote to memory of 2716	1692	cmd.exe	47
PID 1692 wrote to memory of 2716	1692	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\526a60e929f138a26e787599b03b11e3.exe
"C:\Users\Admin\AppData\Local\Temp\526a60e929f138a26e787599b03b11e3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portBrowserWebFontwin\Wpqih7cz6fMRtU.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\portBrowserWebFontwin\l1IRr8npYRL3m1TwDlV7BI8krChTb4.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\portBrowserWebFontwin\componentwin.exe
      "C:\portBrowserWebFontwin/componentwin.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\csrss.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portBrowserWebFontwin\wininit.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portBrowserWebFontwin\sppsvc.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\smss.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\lsass.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XmIiU16YCi.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2488
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2776
      - C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\csrss.exe
        
        "C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\csrss.exe

Filesize
365KB

MD5
a2588de256c20e9efbeebdc862586e1b

SHA1
dcec459995ee85808e6a097285f8ce443edfd1ea

SHA256
19addc16ce495445c422fe18727e63c5daf2d1c54e0ee29569bae81578c85df3

SHA512
73a88080aec770fe1e941cddce893f839761e44f4e71d5d60a61f57cd0d6b842a3e9e0ba940716add64b06eb5842d6bf214c363714dbf31bbf7c7014586dd656

Download Submit
C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\csrss.exe

Filesize
131KB

MD5
4b4ebf5f4c3d93d638ce9fafb827587b

SHA1
c6397bafcd09a507964c2973c6811becfe272b5d

SHA256
d61587dd676ab4b97599dfa3c4b71ec63c197e71ba8a3c5e46d6baf80f2a6496

SHA512
15142b676533fe9517e41f4143d622ce21b7d884e277e4a7c1b36c70eaf054a2cabae4de9df7dc04553b920074758fa74b4195c794219ed83ab3db96a4702b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\XmIiU16YCi.bat

Filesize
234B

MD5
ad5ae1351ac74cdc16da64b5a7c45d4e

SHA1
3f567ddf0da525ace5fd9921b44768a36303f2c2

SHA256
2579016e851a7f019eaf3efe3eb29c2afdd264360b82eddd1c012cfe98e23630

SHA512
34b284a5e95c41f122810e8cfe742b08a76f99c1b980f96fd2a83ca0f74536ab8725080d332c8591563b05fceb0936e82b3356ccf5d7382db3dd1dffb9ac36a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3fb8d357b673e6cacdc2782b711942d7

SHA1
1b9c1721ab92a1e3f4c7105a79dcfbf01c257abb

SHA256
dd12a27fcf8512525045ccf16cb12fdbaf41f05ffe6890a1a73f51ba7955bbd6

SHA512
34812267a66e7bcb2dc4fcae50d39fe8ba8d1b6c4c0df54e80dd901172eced55a2e542014ab1d9c370b9ac8eea4ac198ada24c6ac12a57ad49edb99debd78d97

Download Submit
C:\portBrowserWebFontwin\Wpqih7cz6fMRtU.vbe

Filesize
230B

MD5
9e88561625a6451652722ce5e60595b5

SHA1
a8c28b73fb8529f6eb4c7ba4461fce4cf2f805b8

SHA256
832fe4f2fa0ad872193ae6936c700d554d96d4598848afd07738557370275574

SHA512
e0dd18f907834acb992f9a9389b9bda0a5555609866cc5e166826627c2606ef6a585390b5c1e5425401fe68785b6e4e6dd1ae68a287738c5d7467e2f1be18c50

Download Submit
C:\portBrowserWebFontwin\componentwin.exe

Filesize
499KB

MD5
d48b9e424e38fa1e20e0e77defbf40bc

SHA1
39f14e7a90b720095f5c3c51b8e4bce283f58895

SHA256
7c19db97bd4e946c1667b2ecb2936549d9e126ff9ab6e67ac5f9ab04730b0eb9

SHA512
7bc65fc08618fd209bb03c8342663b47e2011a804fce572a4898547ccf7a962a156d1389c08c592bb7ed04484fd8548a0a677e50db775cbf8c8a0f37d380b5d8

Download Submit
C:\portBrowserWebFontwin\componentwin.exe

Filesize
591KB

MD5
f49899b494ee22e39144e75abfbccb1c

SHA1
8221a9c3bf4fa43ee2dec4bd6939de6a600f5e00

SHA256
e89ec88a6c7b7be8b15709e063c294dae057593ab57dd76ebc4c4596cebf5a4f

SHA512
0a6aa51744e6b7606f1c5683717a13a3380df5a465d962b56871673ae567c86be4a992b37f53dedd2ace57725edb817a7391cc8a4acb0a4ce0c59777384b7480

Download Submit
C:\portBrowserWebFontwin\l1IRr8npYRL3m1TwDlV7BI8krChTb4.bat

Filesize
90B

MD5
60ffb7dd22d2928087c2c840514eb4de

SHA1
610fa4a27fc1ed822b67469dd24def9b11e646c9

SHA256
d199db37023f7b2d9aeb5f677b162f4418058037319e94aca08314408aef73c8

SHA512
df53233ba792200f8450c7d2195712c305bdd6bf70e5b1fa03f6cf7cf9d8203e7d3bf8371c60bfc0f2622d3deae263bb7e805382dca6aa2d6ff1e64e431dde0b

Download Submit
C:\portBrowserWebFontwin\sppsvc.exe

Filesize
45KB

MD5
2da682afd4cd7fbf341f270242777ad8

SHA1
71ff3858e671af8cd2dc5b6c2a1afe7ea9a05c2f

SHA256
8c0f276cd23c3503a4f52303826b260139e229b66d3c75a4795c5c741fdd630b

SHA512
0b327e711239de1f08cdd0f6f8d2f00ae2a87fffd47b2f6fe99b2d8c2c443a0b10a4d41a34bd0cbca87975beaae8b8e2dfd0b7702ccfa1169b9c45cf0efa474e

Download Submit
\portBrowserWebFontwin\componentwin.exe

Filesize
497KB

MD5
9a408d414f4f10a58e33aca1887dcbc0

SHA1
ab055fcb135353cea7c599b816668fb2e0985eaa

SHA256
65523e22aadcbcd9bb73a432209793f5a871e170b4c1f6cc3d6771c78fc2b72d

SHA512
add7c798c0dbd5305b7fc698be17ff633818766cddbb5b2696d15b0653180a76d5aa82855c40b13fa01aebcf1e6db50d399f8c18a2f5da5d8ec2352508728a7d

Download Submit
\portBrowserWebFontwin\componentwin.exe

Filesize
426KB

MD5
83ff3b8f778ff3f518e0e1a32e1ca440

SHA1
e23d592ed9f1aa66b37fb3b21447f2796942aaa4

SHA256
dcb37b2e0c06c8e35bfe52be974e07f1d31f6205cc60722c00d4ef111cfea5a2

SHA512
6fa9e6a7c39bebee75ae263fe6b9b20d67d1d816514f1477f9965024252999d68c3784a467227061bb9d24652c587b29f98fb9b0242c4d271e4c03e621cd046d

Download Submit
memory/2228-108-0x00000000029EB000-0x0000000002A52000-memory.dmp

Filesize
412KB

Download
memory/2228-84-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2228-96-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-102-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/2272-92-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2272-105-0x0000000002A7B000-0x0000000002AE2000-memory.dmp

Filesize
412KB

Download
memory/2272-100-0x0000000002A74000-0x0000000002A77000-memory.dmp

Filesize
12KB

Download
memory/2272-83-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/2272-95-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2272-89-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2272-88-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2272-90-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-104-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2404-97-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-106-0x00000000029A4000-0x00000000029A7000-memory.dmp

Filesize
12KB

Download
memory/2404-109-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2404-91-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-117-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2480-103-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/2480-98-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-93-0x000000000273B000-0x00000000027A2000-memory.dmp

Filesize
412KB

Download
memory/2532-94-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-107-0x000000000299B000-0x0000000002A02000-memory.dmp

Filesize
412KB

Download
memory/2532-99-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2532-101-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/2716-113-0x000007FEF4C30000-0x000007FEF561C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-112-0x0000000000A30000-0x0000000000C38000-memory.dmp

Filesize
2.0MB

Download
memory/2716-133-0x0000000077030000-0x0000000077031000-memory.dmp

Filesize
4KB

Download
memory/2716-132-0x0000000077040000-0x0000000077041000-memory.dmp

Filesize
4KB

Download
memory/2716-128-0x000007FEF4C30000-0x000007FEF561C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-131-0x0000000077050000-0x0000000077051000-memory.dmp

Filesize
4KB

Download
memory/2716-124-0x0000000077080000-0x0000000077081000-memory.dmp

Filesize
4KB

Download
memory/2716-123-0x0000000077090000-0x0000000077091000-memory.dmp

Filesize
4KB

Download
memory/2716-118-0x00000000770A0000-0x00000000770A1000-memory.dmp

Filesize
4KB

Download
memory/2716-119-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/2716-116-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/2716-114-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/2716-115-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2832-43-0x0000000077030000-0x0000000077031000-memory.dmp

Filesize
4KB

Download
memory/2832-77-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/2832-24-0x0000000077090000-0x0000000077091000-memory.dmp

Filesize
4KB

Download
memory/2832-26-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/2832-19-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/2832-21-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/2832-39-0x0000000077040000-0x0000000077041000-memory.dmp

Filesize
4KB

Download
memory/2832-18-0x00000000770A0000-0x00000000770A1000-memory.dmp

Filesize
4KB

Download
memory/2832-17-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/2832-16-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2832-15-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/2832-28-0x0000000077070000-0x0000000077071000-memory.dmp

Filesize
4KB

Download
memory/2832-27-0x0000000077080000-0x0000000077081000-memory.dmp

Filesize
4KB

Download
memory/2832-30-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/2832-60-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/2832-14-0x00000000001F0000-0x00000000003F8000-memory.dmp

Filesize
2.0MB

Download
memory/2832-36-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2832-13-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-42-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-41-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/2832-34-0x0000000077050000-0x0000000077051000-memory.dmp

Filesize
4KB

Download
memory/2832-33-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/2832-86-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-38-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/2832-32-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2832-23-0x0000000000640000-0x0000000000658000-memory.dmp

Filesize
96KB

Download