zgrat | a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

496d5fc129c98a075ea39863bd8938a2.exe
Size

4.2MB
MD5

496d5fc129c98a075ea39863bd8938a2
SHA1

17ea2c2f785749550044a4fe055163216f47b76c
SHA256

a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09
SHA512

567fa49ceced374a4123a7441014c1da325973d763f1222b4631b01c26ac7163330fae7a1ba08d73a9e68b4830e4320a17523d48ccd786f86b087a3d3094a2ad
SSDEEP

49152:36PaeNTOyzL4EXgpSTeCrkT04991Gexjmo1G3q99C336nGhl52LQaRV8/qz+qq2E:kagTOb4TGljhFmU/eqq2Ltk/FqqibWT7

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2648-73-0x0000000004FA0000-0x0000000005020000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-74-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-75-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-77-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-79-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-81-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-83-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-85-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-87-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-89-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-91-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-93-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-95-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-97-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-99-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-101-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-103-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-105-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-107-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-109-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-111-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-113-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-115-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-117-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-119-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-121-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-123-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-125-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-127-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-129-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-131-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-133-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-135-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2648-137-0x0000000004FA0000-0x000000000501A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 2 IoCs

Processes:

Sys.pifBF1PureCracker0.exe

pid process

2648 Sys.pif
2800 BF1PureCracker0.exe

pid	process
2648	Sys.pif
2800	BF1PureCracker0.exe

Loads dropped DLL 7 IoCs

Processes:

496d5fc129c98a075ea39863bd8938a2.exeSys.pif

pid	process
2424	496d5fc129c98a075ea39863bd8938a2.exe
2424	496d5fc129c98a075ea39863bd8938a2.exe
2424	496d5fc129c98a075ea39863bd8938a2.exe
2424	496d5fc129c98a075ea39863bd8938a2.exe
2424	496d5fc129c98a075ea39863bd8938a2.exe
2708
2648	Sys.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exeSys.pifpowershell.exe

pid process

2492 powershell.exe
2952 powershell.exe
2648 Sys.pif
2648 Sys.pif
2308 powershell.exe

pid	process
2492	powershell.exe
2952	powershell.exe
2648	Sys.pif
2648	Sys.pif
2308	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exepowershell.exeSys.pifpowershell.exe

description	pid	process
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeIncreaseQuotaPrivilege	2492	powershell.exe
Token: SeSecurityPrivilege	2492	powershell.exe
Token: SeTakeOwnershipPrivilege	2492	powershell.exe
Token: SeLoadDriverPrivilege	2492	powershell.exe
Token: SeSystemProfilePrivilege	2492	powershell.exe
Token: SeSystemtimePrivilege	2492	powershell.exe
Token: SeProfSingleProcessPrivilege	2492	powershell.exe
Token: SeIncBasePriorityPrivilege	2492	powershell.exe
Token: SeCreatePagefilePrivilege	2492	powershell.exe
Token: SeBackupPrivilege	2492	powershell.exe
Token: SeRestorePrivilege	2492	powershell.exe
Token: SeShutdownPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeSystemEnvironmentPrivilege	2492	powershell.exe
Token: SeRemoteShutdownPrivilege	2492	powershell.exe
Token: SeUndockPrivilege	2492	powershell.exe
Token: SeManageVolumePrivilege	2492	powershell.exe
Token: 33	2492	powershell.exe
Token: 34	2492	powershell.exe
Token: 35	2492	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeIncreaseQuotaPrivilege	2952	powershell.exe
Token: SeSecurityPrivilege	2952	powershell.exe
Token: SeTakeOwnershipPrivilege	2952	powershell.exe
Token: SeLoadDriverPrivilege	2952	powershell.exe
Token: SeSystemProfilePrivilege	2952	powershell.exe
Token: SeSystemtimePrivilege	2952	powershell.exe
Token: SeProfSingleProcessPrivilege	2952	powershell.exe
Token: SeIncBasePriorityPrivilege	2952	powershell.exe
Token: SeCreatePagefilePrivilege	2952	powershell.exe
Token: SeBackupPrivilege	2952	powershell.exe
Token: SeRestorePrivilege	2952	powershell.exe
Token: SeShutdownPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeSystemEnvironmentPrivilege	2952	powershell.exe
Token: SeRemoteShutdownPrivilege	2952	powershell.exe
Token: SeUndockPrivilege	2952	powershell.exe
Token: SeManageVolumePrivilege	2952	powershell.exe
Token: 33	2952	powershell.exe
Token: 34	2952	powershell.exe
Token: 35	2952	powershell.exe
Token: SeDebugPrivilege	2648	Sys.pif
Token: SeDebugPrivilege	2308	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

496d5fc129c98a075ea39863bd8938a2.exeSys.pifWScript.exe

description	pid	process	target process
PID 2424 wrote to memory of 2648	2424	496d5fc129c98a075ea39863bd8938a2.exe	Sys.pif
PID 2424 wrote to memory of 2648	2424	496d5fc129c98a075ea39863bd8938a2.exe	Sys.pif
PID 2424 wrote to memory of 2648	2424	496d5fc129c98a075ea39863bd8938a2.exe	Sys.pif
PID 2424 wrote to memory of 2648	2424	496d5fc129c98a075ea39863bd8938a2.exe	Sys.pif
PID 2424 wrote to memory of 2800	2424	496d5fc129c98a075ea39863bd8938a2.exe	BF1PureCracker0.exe
PID 2424 wrote to memory of 2800	2424	496d5fc129c98a075ea39863bd8938a2.exe	BF1PureCracker0.exe
PID 2424 wrote to memory of 2800	2424	496d5fc129c98a075ea39863bd8938a2.exe	BF1PureCracker0.exe
PID 2424 wrote to memory of 2800	2424	496d5fc129c98a075ea39863bd8938a2.exe	BF1PureCracker0.exe
PID 2648 wrote to memory of 2492	2648	Sys.pif	powershell.exe
PID 2648 wrote to memory of 2492	2648	Sys.pif	powershell.exe
PID 2648 wrote to memory of 2492	2648	Sys.pif	powershell.exe
PID 2648 wrote to memory of 2492	2648	Sys.pif	powershell.exe
PID 2648 wrote to memory of 2952	2648	Sys.pif	powershell.exe
PID 2648 wrote to memory of 2952	2648	Sys.pif	powershell.exe
PID 2648 wrote to memory of 2952	2648	Sys.pif	powershell.exe
PID 2648 wrote to memory of 2952	2648	Sys.pif	powershell.exe
PID 2648 wrote to memory of 2316	2648	Sys.pif	WScript.exe
PID 2648 wrote to memory of 2316	2648	Sys.pif	WScript.exe
PID 2648 wrote to memory of 2316	2648	Sys.pif	WScript.exe
PID 2648 wrote to memory of 2316	2648	Sys.pif	WScript.exe
PID 2316 wrote to memory of 2308	2316	WScript.exe	powershell.exe
PID 2316 wrote to memory of 2308	2316	WScript.exe	powershell.exe
PID 2316 wrote to memory of 2308	2316	WScript.exe	powershell.exe
PID 2316 wrote to memory of 2308	2316	WScript.exe	powershell.exe
PID 2648 wrote to memory of 396	2648	Sys.pif	Sys.pif
PID 2648 wrote to memory of 396	2648	Sys.pif	Sys.pif
PID 2648 wrote to memory of 396	2648	Sys.pif	Sys.pif
PID 2648 wrote to memory of 396	2648	Sys.pif	Sys.pif
PID 2648 wrote to memory of 396	2648	Sys.pif	Sys.pif
PID 2648 wrote to memory of 396	2648	Sys.pif	Sys.pif

C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe
"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Users\Admin\AppData\Local\Temp\Sys.pif
C:\Users\Admin\AppData\Local\Temp\Sys.pif
3⤵
PID:396

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"
2⤵
- Executes dropped EXE
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Direct2D1.dll
Filesize
470KB

MD5
19f8591a6baa83af46de41f20224b6f1

SHA1
c736799e1936cec37acbf66fdf1df96f4679562f

SHA256
a94e2f3c206351503f6c4002585af270880854b4b97b730ea51764ef23b5ba79

SHA512
db4798af16452ce7c0e47f59692e1643d2639b0744075b78bb9dc33dbf7de78392bb21f28529b091d54ed0a2185add12f38c256bcb3ba97d34a050e29a19617e

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Mathematics.dll
Filesize
216KB

MD5
d30f6fb490a820dcdd9c7da971036393

SHA1
177b1b912fb09efacce8bae24fca35ea514f131b

SHA256
be2fe214f8a1515824b523ac85f25c8856370d4ffd90cd22dd78c079f5ea803b

SHA512
332508c32d6c5baf16da59c619fb4b55dfdfccea667582d02ccf72e88d0ddc0acaa2df97adba038bbada9d839145a6cd76c4a7ced5346256d868b3bd548d82e2

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.dll
Filesize
260KB

MD5
6fabeaa1c8ea15e787f2e3b487ab434d

SHA1
c2091f69192903676ed6b181bbf8346b819c43a2

SHA256
28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909

SHA512
076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs
Filesize
186B

MD5
0d6555dc02c45b1e49ac39075c65cebe

SHA1
2fb0e4464b16db957a06353e14345e0f5a5ba4be

SHA256
368760bf74c0fc525b30d96118bef07fe2cdd1a20373e04151be5a95e6afbe8f

SHA512
775cf89738b1ad02a1aefad53a632e576f9037c3da7adab83c63474716ad4352fc100f85c6045fe725ed04eb003a3afc52b4f809f30e6efe6c31bd59a1b77cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
9c274a21fccd0a0f34d9adbf1b5f46ec

SHA1
07879555b26f54f6adc4906bdc99c0f5cadd086e

SHA256
1ee4e70bd05228608e93b53228db1e35a3f8c8c5b987c3087af44d57c482abb0

SHA512
d49e1e79b22f3634c71546a88f52ae0ddde4949003687d2dcc3193c23a6963fa238ab8256504024bedc779b2c42b2f9431807aa094a1c19188a4a8669b524dec

Download Submit
\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
Filesize
383KB

MD5
c2a78b5610d2abd529688c420bde478e

SHA1
7a6b9c6f66f7df7540ecfd633f9735c4828f9b3a

SHA256
36c76fcef546a898a0c6f4d811b9106574ac5e82f5354569871be9679091871c

SHA512
b000464af649879dc724a9d805601ba9f627e03f28a65bc2a13a946f840d70bd8e6835511701657c795b96fd4521c7f23826b168a0bf2429e9d36bb596797aa2

Download Submit
\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
Filesize
2.2MB

MD5
76555816c73f34e86608807c7737a593

SHA1
3c38473581f2c602a25707ee9000634f4b4d033a

SHA256
64299aa25ed5fae3be2ac53c376875280bb624a555674bc89f43e58cf06fde6d

SHA512
a2a28ef202a332d002cf831c8fb94ef67dc392e543748c8b819fae191829fce038211a905ee08836556a73f9bc4918313c4be6ab9e7ef068503054eedfd3f22b

Download Submit
memory/2308-2601-0x000000006F4F0000-0x000000006FA9B000-memory.dmp

Filesize
5.7MB

Download
memory/2308-2597-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/2308-2596-0x000000006F4F0000-0x000000006FA9B000-memory.dmp

Filesize
5.7MB

Download
memory/2308-2598-0x000000006F4F0000-0x000000006FA9B000-memory.dmp

Filesize
5.7MB

Download
memory/2308-2599-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/2308-2600-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/2492-55-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/2492-59-0x000000006F7B0000-0x000000006FD5B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-58-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/2492-53-0x000000006F7B0000-0x000000006FD5B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-54-0x000000006F7B0000-0x000000006FD5B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-56-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/2648-79-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-99-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-50-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2648-38-0x0000000000240000-0x0000000000484000-memory.dmp

Filesize
2.3MB

Download
memory/2648-41-0x0000000073CD0000-0x00000000743BE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-65-0x0000000073CD0000-0x00000000743BE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-137-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-135-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-133-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-131-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-129-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-71-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2648-72-0x0000000005B50000-0x0000000005D64000-memory.dmp

Filesize
2.1MB

Download
memory/2648-73-0x0000000004FA0000-0x0000000005020000-memory.dmp

Filesize
512KB

Download
memory/2648-74-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-75-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-77-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-127-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-81-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-83-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-85-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-87-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-89-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-91-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-93-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-95-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-97-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-125-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-101-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-103-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-105-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-107-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-109-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-111-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-113-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-115-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-117-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-119-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-121-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2648-123-0x0000000004FA0000-0x000000000501A000-memory.dmp

Filesize
488KB

Download
memory/2800-42-0x000000001BAC0000-0x000000001BB40000-memory.dmp

Filesize
512KB

Download
memory/2800-45-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2800-70-0x000000001BAC0000-0x000000001BB40000-memory.dmp

Filesize
512KB

Download
memory/2800-49-0x00000000021B0000-0x00000000021EC000-memory.dmp

Filesize
240KB

Download
memory/2800-57-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-47-0x00000000007A0000-0x00000000007E8000-memory.dmp

Filesize
288KB

Download
memory/2800-37-0x000000013F3A0000-0x000000013F406000-memory.dmp

Filesize
408KB

Download
memory/2800-40-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-39-0x0000000000770000-0x0000000000788000-memory.dmp

Filesize
96KB

Download
memory/2800-44-0x0000000002130000-0x00000000021AC000-memory.dmp

Filesize
496KB

Download
memory/2952-68-0x000000006F500000-0x000000006FAAB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-686-0x000000006F500000-0x000000006FAAB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-683-0x0000000002950000-0x0000000002990000-memory.dmp

Filesize
256KB

Download
memory/2952-66-0x000000006F500000-0x000000006FAAB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-67-0x0000000002950000-0x0000000002990000-memory.dmp

Filesize
256KB

Download
memory/2952-69-0x0000000002950000-0x0000000002990000-memory.dmp

Filesize
256KB

Download