zgrat | bdda2e25de8ae0b35633c5a8648a58d074220327c4f40909ea30519049b868b0

Analysis

max time kernel
181s
max time network
232s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdda2e25de8ae0b35633c5a8648a58d074220327c4f40909ea30519049b868b0exe.exe
Size

1.7MB
MD5

a624d0804516f34f3c18326b953e7a55
SHA1

a2c729b0c35405ec208596917cd5f8ddfbc20112
SHA256

bdda2e25de8ae0b35633c5a8648a58d074220327c4f40909ea30519049b868b0
SHA512

f059ab5843509006f7278d4bcfba94fa70f957df815a9c5dd20b4b57d09c26769f19c5cf26692da8cce94410faba99ecba6b20b0ecfa1c47fd700dbebcb11854
SSDEEP

49152:UBtFBwJbGKbesU67W9iK7Zj3EzqQz270QQwLPYZOl7:+t0JbSd67utZj3EzqQzzQQGPxt

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 9 IoCs

resource	yara_rule
behavioral1/files/0x001200000000b1f5-12.dat	family_zgrat_v1
behavioral1/files/0x001200000000b1f5-11.dat	family_zgrat_v1
behavioral1/files/0x001200000000b1f5-10.dat	family_zgrat_v1
behavioral1/files/0x001200000000b1f5-9.dat	family_zgrat_v1
behavioral1/memory/2800-13-0x0000000001130000-0x0000000001382000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00070000000146d4-49.dat	family_zgrat_v1
behavioral1/files/0x0007000000015655-112.dat	family_zgrat_v1
behavioral1/files/0x0007000000015655-111.dat	family_zgrat_v1
behavioral1/memory/1744-114-0x0000000000ED0000-0x0000000001122000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
2800	chainNet.exe
1744	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
1068	cmd.exe
1068	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\de-DE\sppsvc.exe	chainNet.exe
File created	C:\Program Files\Windows Defender\de-DE\0a1fd5f707cd16	chainNet.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe	chainNet.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\886983d96e3d3e	chainNet.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteDesktops\csrss.exe	chainNet.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\886983d96e3d3e	chainNet.exe
File created	C:\Windows\Panther\actionqueue\WmiPrvSE.exe	chainNet.exe
File created	C:\Windows\Panther\actionqueue\24dbde2999530e	chainNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe
2800	chainNet.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	chainNet.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1744	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2628	2640	bdda2e25de8ae0b35633c5a8648a58d074220327c4f40909ea30519049b868b0exe.exe	29
PID 2640 wrote to memory of 2628	2640	bdda2e25de8ae0b35633c5a8648a58d074220327c4f40909ea30519049b868b0exe.exe	29
PID 2640 wrote to memory of 2628	2640	bdda2e25de8ae0b35633c5a8648a58d074220327c4f40909ea30519049b868b0exe.exe	29
PID 2640 wrote to memory of 2628	2640	bdda2e25de8ae0b35633c5a8648a58d074220327c4f40909ea30519049b868b0exe.exe	29
PID 2628 wrote to memory of 1068	2628	WScript.exe	30
PID 2628 wrote to memory of 1068	2628	WScript.exe	30
PID 2628 wrote to memory of 1068	2628	WScript.exe	30
PID 2628 wrote to memory of 1068	2628	WScript.exe	30
PID 1068 wrote to memory of 2800	1068	cmd.exe	32
PID 1068 wrote to memory of 2800	1068	cmd.exe	32
PID 1068 wrote to memory of 2800	1068	cmd.exe	32
PID 1068 wrote to memory of 2800	1068	cmd.exe	32
PID 2800 wrote to memory of 756	2800	chainNet.exe	42
PID 2800 wrote to memory of 756	2800	chainNet.exe	42
PID 2800 wrote to memory of 756	2800	chainNet.exe	42
PID 2800 wrote to memory of 532	2800	chainNet.exe	41
PID 2800 wrote to memory of 532	2800	chainNet.exe	41
PID 2800 wrote to memory of 532	2800	chainNet.exe	41
PID 2800 wrote to memory of 1348	2800	chainNet.exe	39
PID 2800 wrote to memory of 1348	2800	chainNet.exe	39
PID 2800 wrote to memory of 1348	2800	chainNet.exe	39
PID 2800 wrote to memory of 888	2800	chainNet.exe	38
PID 2800 wrote to memory of 888	2800	chainNet.exe	38
PID 2800 wrote to memory of 888	2800	chainNet.exe	38
PID 2800 wrote to memory of 2220	2800	chainNet.exe	36
PID 2800 wrote to memory of 2220	2800	chainNet.exe	36
PID 2800 wrote to memory of 2220	2800	chainNet.exe	36
PID 2800 wrote to memory of 2540	2800	chainNet.exe	46
PID 2800 wrote to memory of 2540	2800	chainNet.exe	46
PID 2800 wrote to memory of 2540	2800	chainNet.exe	46
PID 2540 wrote to memory of 944	2540	cmd.exe	43
PID 2540 wrote to memory of 944	2540	cmd.exe	43
PID 2540 wrote to memory of 944	2540	cmd.exe	43
PID 2540 wrote to memory of 2796	2540	cmd.exe	44
PID 2540 wrote to memory of 2796	2540	cmd.exe	44
PID 2540 wrote to memory of 2796	2540	cmd.exe	44
PID 2540 wrote to memory of 1744	2540	cmd.exe	47
PID 2540 wrote to memory of 1744	2540	cmd.exe	47
PID 2540 wrote to memory of 1744	2540	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\bdda2e25de8ae0b35633c5a8648a58d074220327c4f40909ea30519049b868b0exe.exe
"C:\Users\Admin\AppData\Local\Temp\bdda2e25de8ae0b35633c5a8648a58d074220327c4f40909ea30519049b868b0exe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Temps\vVvpbSw6FtX.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Temps\8U7okBRVL00Bz8pl2f5LRqLyM2HeCd2HsXlGHbGIoytqxWixLGUzYsrUG3.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Temps\chainNet.exe
      "C:\Temps/chainNet.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\WmiPrvSE.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\sppsvc.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\csrss.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\winlogon.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auyBXx7LBG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\Panther\actionqueue\WmiPrvSE.exe
        
        "C:\Windows\Panther\actionqueue\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:944

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\de-DE\sppsvc.exe

Filesize
240KB

MD5
e5f6e15aadd48033d98b428bd913df7b

SHA1
9143624a1e8080bd7a66b9b7d3798bb47c5fe202

SHA256
d2daa1d233de9e15aba6cc8b70ff8290a3d6e70541d2e8a9c82e57ef4a664d43

SHA512
30b7c4ad8b6255720b7817ce4330a1554889458601fcfb04e493f2f95c43d35534b2879e0a48a284ee8ab9626b699d08844c37a585b438e72a445f8488aeedf1

Download Submit
C:\Temps\8U7okBRVL00Bz8pl2f5LRqLyM2HeCd2HsXlGHbGIoytqxWixLGUzYsrUG3.bat

Filesize
75B

MD5
cb3d736ebc424d5124694d8d380c6188

SHA1
d389a311f3f9a4c0f8f8681310bc5ca9eed44a02

SHA256
aa9704354d3578e6456a7cb60d11fe621d17124fcd580fd0866b1de8fc6da8e8

SHA512
dc2ff843ee3b8db38ec037cb1ca034e77761d8c607cc53efbee5812e437341726d3fc00f219a4d2803c492d2e6402e5f223180553c17152ef18a5208f957b66c

Download Submit
C:\Temps\chainNet.exe

Filesize
340KB

MD5
5e357cb60aa488bff2424fb8bbb0dc44

SHA1
53b996530b73e8e8346523a360f85c204eb73fc0

SHA256
80bf31afb10adddba2bc28fbbd274deffb275f9cc894af50b87c101051d62b40

SHA512
7adf322666bb5839b3b3be93d1fd3c3893c7539a6dd8e6fbe64a30a4723ec43ca3dc8a117df12c60308304ac7d4bb4df15d46b5bc7d86ca7c741786b2d9b921e

Download Submit
C:\Temps\chainNet.exe

Filesize
364KB

MD5
676a32e432fae9fe746d918e54284dd9

SHA1
47a6da433140be7b53d98e2fac088918e7b7f42f

SHA256
901694960e7096d8432607843535b96ea4ed7ef6b3d4344be58b371f5aa8b294

SHA512
c6cc20472cb5f28cd2a6d1e5255bc97dd860b4ca6747347017085e7206f7373f44b2b3dad45f62827e215a100b48384fc402330c30c3be50698930ce44419cfc

Download Submit
C:\Temps\vVvpbSw6FtX.vbe

Filesize
241B

MD5
7768e60d0dce06a4f54466d72d21a3b0

SHA1
f5828634012159380057aac7c797a44900517d50

SHA256
46987a3f9e63e907bd6e4a2ff6d55d932812f1be7b64d2c485ba93851e97e3bd

SHA512
907070f123103abe398ebbf5ea25352d30156d89d2cded297d8d3b98937e71f2ee4c8fe624288f56eb1d59bf6b1f0ba81c222a5e223f95466cc7e0c8e1c7597b

Download Submit
C:\Users\Admin\AppData\Local\Temp\auyBXx7LBG.bat

Filesize
219B

MD5
fd3d26b178e4c0e5de113997c88abffb

SHA1
295537efe95309e68f3c7656f0c9b21509cd56a4

SHA256
ff89844781f6abb6cdfee485b967ee8b230908214603c5c0d46d9f8714c5e6b1

SHA512
f92c3ef003c9cf051d59b8de0dde1b24424ebb27cff9bcad1395195e4dbd2fd8a3593714a4f36f527712096eb2f74b720b2e3a7407ea80950f60458571b700d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
353a566d0b509a2c72a86b1a7d71e5df

SHA1
fc8fe4d10d27d2c2a1d4096f62ef00b370c235f3

SHA256
0ac0e039267629e7b927f211b78beec126559f8ce039fe1ac2e5dea49183b0f3

SHA512
54630d18d0ac09ad8c2b42df2b5772d6c074093579d7339c97a0c95324714e7f06cb0131304b90c2139795f703f097dcda2563725c783c4c489f0b551247d600

Download Submit
C:\Windows\Panther\actionqueue\WmiPrvSE.exe

Filesize
170KB

MD5
101ff882e3cf924e928fdc211f7e4257

SHA1
9ca1e2445629510c90ca6fb2e873cf674f8a11ee

SHA256
4a9c9d5bc2a758cbaab54e86aae08c36417a69e98574efd97e31a1150d26acfb

SHA512
f9e6102b5c231ae9f1750704a9942b4423b9be1c1a5d3bfcc41494bf02432c69e834294a6d28213cf20602b58d583d8be1bf30b6cbbb1637fbdc7eac55155b77

Download Submit
C:\Windows\Panther\actionqueue\WmiPrvSE.exe

Filesize
64KB

MD5
869c4172283a25448f829b3ce9993414

SHA1
1452efd1711b2c9de514c7b86032b0ff063fe7ed

SHA256
8cdeabdcecab9ac5d7e5427c822a41ef5b82cf847092753ba2b54021593d856d

SHA512
16a3f56e997fac567f9d13aca76887bef20ca8e24f3cc922fdae68ab664e97a4cc2a9c97206672a2f5d5337b72154d5ba663ba3f2724b45429464219b10f93d1

Download Submit
\Temps\chainNet.exe

Filesize
280KB

MD5
4289f06ffc4afb3a8c5caa5861c42f9f

SHA1
e820d8f7fe3e6b1d49a7743e16be3b856027f17c

SHA256
4929bb196ec75231152a84d23008cfff304a730af4d36717bfad2922fb12d4b0

SHA512
dd00d7e6050a3a95b5c8f587ec7468d76fbd488d8c13a03054f1e2a6629057609d6171b6820bbf7fc2a579cfb29fae76e6de06869c1ab3ba8f6a08a2f872b702

Download Submit
\Temps\chainNet.exe

Filesize
486KB

MD5
c5000cdc8bcfa18787d1e7980e875b2c

SHA1
287a8be1f5bf9133d5b50a8c05d1c16b3c6167ac

SHA256
fef0d883ab6aa7935547675de1d67acb3467975479bfa65384245a3f0f25930a

SHA512
495a36d5f1c71866ccb1f5ef157b0d509be1388337327bd5720ed21b062ad69cf983349636fe553fde9f13dfb59da2986a4043edc40b6a93b613149a11a5e9ca

Download Submit
memory/532-95-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/532-91-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/532-83-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/532-100-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/532-97-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/532-89-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/532-93-0x000000000250B000-0x0000000002572000-memory.dmp

Filesize
412KB

Download
memory/756-75-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/756-94-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/756-96-0x000000000295B000-0x00000000029C2000-memory.dmp

Filesize
412KB

Download
memory/756-101-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/756-98-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/756-99-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/756-121-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/888-92-0x000000000283B000-0x00000000028A2000-memory.dmp

Filesize
412KB

Download
memory/888-90-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/888-88-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1348-107-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/1348-122-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/1348-110-0x0000000002AC4000-0x0000000002AC7000-memory.dmp

Filesize
12KB

Download
memory/1348-109-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/1348-103-0x0000000002ACB000-0x0000000002B32000-memory.dmp

Filesize
412KB

Download
memory/1744-118-0x0000000076FA0000-0x0000000076FA1000-memory.dmp

Filesize
4KB

Download
memory/1744-123-0x0000000076F90000-0x0000000076F91000-memory.dmp

Filesize
4KB

Download
memory/1744-125-0x0000000076F80000-0x0000000076F81000-memory.dmp

Filesize
4KB

Download
memory/1744-119-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/1744-117-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/1744-115-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/1744-116-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1744-113-0x000007FEF4BA0000-0x000007FEF558C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-114-0x0000000000ED0000-0x0000000001122000-memory.dmp

Filesize
2.3MB

Download
memory/1744-127-0x000007FEF4BA0000-0x000007FEF558C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-129-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/2220-105-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2220-104-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

Filesize
9.6MB

Download
memory/2220-102-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2220-106-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2220-108-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/2800-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2800-32-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2800-39-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/2800-29-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2800-30-0x0000000076F70000-0x0000000076F71000-memory.dmp

Filesize
4KB

Download
memory/2800-21-0x000000001AD40000-0x000000001ADC0000-memory.dmp

Filesize
512KB

Download
memory/2800-18-0x0000000076FA0000-0x0000000076FA1000-memory.dmp

Filesize
4KB

Download
memory/2800-22-0x0000000076F90000-0x0000000076F91000-memory.dmp

Filesize
4KB

Download
memory/2800-24-0x0000000000420000-0x0000000000438000-memory.dmp

Filesize
96KB

Download
memory/2800-17-0x000000001AD40000-0x000000001ADC0000-memory.dmp

Filesize
512KB

Download
memory/2800-27-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2800-15-0x000000001AD40000-0x000000001ADC0000-memory.dmp

Filesize
512KB

Download
memory/2800-14-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-25-0x0000000076F80000-0x0000000076F81000-memory.dmp

Filesize
4KB

Download
memory/2800-20-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/2800-35-0x0000000076F50000-0x0000000076F51000-memory.dmp

Filesize
4KB

Download
memory/2800-37-0x0000000000510000-0x000000000056A000-memory.dmp

Filesize
360KB

Download
memory/2800-34-0x0000000076F60000-0x0000000076F61000-memory.dmp

Filesize
4KB

Download
memory/2800-73-0x000000001AD40000-0x000000001ADC0000-memory.dmp

Filesize
512KB

Download
memory/2800-33-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-13-0x0000000001130000-0x0000000001382000-memory.dmp

Filesize
2.3MB

Download
memory/2800-76-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-44-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2800-42-0x0000000076F30000-0x0000000076F31000-memory.dmp

Filesize
4KB

Download
memory/2800-41-0x0000000076F40000-0x0000000076F41000-memory.dmp

Filesize
4KB

Download
memory/2800-40-0x000000001AD40000-0x000000001ADC0000-memory.dmp

Filesize
512KB

Download