zgrat | 8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe
Size

4.5MB
MD5

b13bc34181b47944d82a7daf9b1243af
SHA1

964d5f5f3eff0edf9da9e3a7256f779884530f3c
SHA256

8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020
SHA512

72cc8282887f9534a8da584b98050db59d7a9c989d55f4ddcd030aed96e2fc8e7ed3be7faeb23c34ac93d01d9ab39ce94daecd63f82cd37fc607e6405b88394a
SSDEEP

98304:hgZmDxM5pfnV14xJIviRgoYTl9+yj5PcXKuEagqCEKcHii/JtlotZSgd:emDMnuJIviyTbhcXKuEJqrK4iySeq

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023220-31.dat	family_zgrat_v1
behavioral2/memory/2676-33-0x00000000009C0000-0x0000000000D48000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	EGN RU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	portWebsavesRuntimeSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	sustem32.exe

Executes dropped EXE 4 IoCs

pid	Process
3624	sustem32.exe
3172	EGN RU.exe
2676	portWebsavesRuntimeSvc.exe
564	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\es-ES\WmiPrvSE.exe	portWebsavesRuntimeSvc.exe
File created	C:\Program Files\Internet Explorer\es-ES\24dbde2999530e	portWebsavesRuntimeSvc.exe
File created	C:\Program Files\ModifiableWindowsApps\SppExtComObj.exe	portWebsavesRuntimeSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	sustem32.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	portWebsavesRuntimeSvc.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4672	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2668	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe
2676	portWebsavesRuntimeSvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	portWebsavesRuntimeSvc.exe
Token: SeDebugPrivilege	564	winlogon.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3624	2348	8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe	84
PID 2348 wrote to memory of 3624	2348	8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe	84
PID 2348 wrote to memory of 3624	2348	8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe	84
PID 2348 wrote to memory of 3172	2348	8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe	85
PID 2348 wrote to memory of 3172	2348	8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe	85
PID 2348 wrote to memory of 3172	2348	8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe	85
PID 3624 wrote to memory of 3760	3624	sustem32.exe	87
PID 3624 wrote to memory of 3760	3624	sustem32.exe	87
PID 3624 wrote to memory of 3760	3624	sustem32.exe	87
PID 3172 wrote to memory of 4672	3172	EGN RU.exe	88
PID 3172 wrote to memory of 4672	3172	EGN RU.exe	88
PID 3172 wrote to memory of 4672	3172	EGN RU.exe	88
PID 3760 wrote to memory of 4944	3760	WScript.exe	93
PID 3760 wrote to memory of 4944	3760	WScript.exe	93
PID 3760 wrote to memory of 4944	3760	WScript.exe	93
PID 4944 wrote to memory of 2676	4944	cmd.exe	95
PID 4944 wrote to memory of 2676	4944	cmd.exe	95
PID 2676 wrote to memory of 4392	2676	portWebsavesRuntimeSvc.exe	99
PID 2676 wrote to memory of 4392	2676	portWebsavesRuntimeSvc.exe	99
PID 4392 wrote to memory of 2740	4392	cmd.exe	101
PID 4392 wrote to memory of 2740	4392	cmd.exe	101
PID 4392 wrote to memory of 2668	4392	cmd.exe	102
PID 4392 wrote to memory of 2668	4392	cmd.exe	102
PID 4392 wrote to memory of 564	4392	cmd.exe	103
PID 4392 wrote to memory of 564	4392	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe
"C:\Users\Admin\AppData\Local\Temp\8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\sustem32.exe
  "C:\Users\Admin\AppData\Local\Temp\sustem32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\hyperwebfont\JNbMKTHQeeisaNE5gWwcccFtQuC.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\hyperwebfont\yIgYU9c1z9H1xn6Tye0KRsv0DdNxWg4dhb8r4Zd.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\hyperwebfont\portWebsavesRuntimeSvc.exe
        
        "C:\hyperwebfont/portWebsavesRuntimeSvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0TeBHQmvui.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2668
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
- C:\Users\Admin\AppData\Local\Temp\EGN RU.exe
  "C:\Users\Admin\AppData\Local\Temp\EGN RU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\hwid.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0TeBHQmvui.bat

Filesize
162B

MD5
c2949b58c93db296f6268bd3f0af1908

SHA1
a9eeb8b98ae2991758c4cb2fe086137adb383f7e

SHA256
f841ee7cd1130b39b7ef5fd64e6a2ce9ed85ecc88dfb7799c7494aaaaf20c056

SHA512
153f4744dce9ba0d282d5fbb37b2b4d0ce524110cbb8dbdb99fda25e48b8e903466b3628417eaeadcbdc104ad2e5201b58fc42d06fb0ac4864fa445e69562355

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGN RU.exe

Filesize
384KB

MD5
63d9163d109b429eb02fa60943ac5787

SHA1
46d4fde2f1b991d98709e7fc76631ca4a785bba3

SHA256
365634831ed926e89c601cb102e1dc80945fa915c8a2aecea4da48d5255e798a

SHA512
ad706f27b167d93b766cf7c77df5b0e68f3a1f1b3f8d374fa94c9a6616bfba46bff7118eca2f6593fbe818163956facb285e976b36659225a86c72c3974d1a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGN RU.exe

Filesize
1.1MB

MD5
b7513bb58f850ac7bdf8ec670373422b

SHA1
e526db0ed08278a31937d64d009c1e5f7e26027b

SHA256
57747f058e5245542ea8c55f2dcf09b1dc15f099cbec4c501ca412eafba46971

SHA512
78edb04bfafa6697f53b96bff3f44d8d47f0414e76c0e58a16fa0d6dfba3d6c1cb7290e94b5026dc90c49cb6f666894c78a6d74bc41b7adff19a3c8b174e162a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sustem32.exe

Filesize
3.4MB

MD5
0886a9867d91bccc6495fd1c66690de4

SHA1
8fbb0554f649359eba2db61aacbfd4082a1093d6

SHA256
add392dc7f07a769013c7502cfc7dc03c0bc2861532093207932ee57d19b3d9c

SHA512
0c902bbbcd21d93fd4c1751b060e5e492ac16ef1ca6270398bcdfb722e6b1e84d9657204ff9fb4e0bf74766e362e2394b5796440f16c341b3c4ebc46c27861ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\sustem32.exe

Filesize
704KB

MD5
fbd1b78e1a791472879da8b26b6fc283

SHA1
83e33c05b37b5b31f452181058244533fe21de26

SHA256
46c12c10c31535aa74d92bf8a4224f37aadc4a08f331117ad6e86a50d941e8b1

SHA512
41f9ed5478a54e77fcd0448a13a4103a4a3fd64ff1bfc0e3e81d5fab4a7e85edb880ca9a766839fa19ef63d1adb839c52901f3fa4b51596bf564b536fb6931d7

Download Submit
C:\hwid.ini

Filesize
44B

MD5
16c90fb1a7acb1ca3a788814d226bcc7

SHA1
7998a21fc29b54a6f26cb18acc9ce07208aac1c9

SHA256
da482962cf133517e501cd7c0710f636a41749aa957db7d182d1c02471bde2e5

SHA512
a4fa9f8eb5d3d870e87dffcd71c529007688ae19d57b0c9f395933ce9f21c1ab48d4e62fe1647ed2c376af2bb398d3841d3444a3c813e5e3fc74d599828a5745

Download Submit
C:\hyperwebfont\JNbMKTHQeeisaNE5gWwcccFtQuC.vbe

Filesize
229B

MD5
8de7540bdac0abdcc50c8983d813f07b

SHA1
c5379d554d02bc67eb9c9be90fecd65047e842cb

SHA256
bce928388a91b6b4b5ccab4355f9f2a5ade85f87ce9e14d718729b9788d5f79e

SHA512
d4a4ba9e8ed6b0f4483429043f9bc6ced08e0c94f2506c2052ce770bac15def536cd673932da2c86d613cd8ffd16ecaa8f5f63ddadbd0a898286214c6f221a79

Download Submit
C:\hyperwebfont\portWebsavesRuntimeSvc.exe

Filesize
3.5MB

MD5
d6203e407a0e2dc8a7b335d290f5b871

SHA1
883272a32627509544c84f114d2081cd11976945

SHA256
b13ba52779289565a4e8c8830e01f70547076a8422944381e90b781fccf8ef9f

SHA512
7a0dd6891793cf906ac4de58f0be700e093a050c863565c33807605541841a19d219208937310a8d3cf310ba26cb65bed5e9f48c0c5fd1f21a61da0eec8a241a

Download Submit
C:\hyperwebfont\yIgYU9c1z9H1xn6Tye0KRsv0DdNxWg4dhb8r4Zd.bat

Filesize
86B

MD5
acb6341b1e8391068b3bfe91e492a1f2

SHA1
b8c513ce099d6d7f56ec1d0932e0dce31cbdb820

SHA256
93a9f1e23a92e534cf81887220cff2bfe93ea8e0969e73efbebfb5173a192389

SHA512
ff12f74c5a2439ffb767eda1c6404b6198bddbdda37230aa1702067f7d628ddfb430d5174f7fc84c0080c0c0fdaaa64ca488939ad1641a0f9b4f7797436c3e66

Download Submit
memory/564-188-0x000000001D5B0000-0x000000001D6C5000-memory.dmp

Filesize
1.1MB

Download
memory/564-187-0x000000001C000000-0x000000001C06B000-memory.dmp

Filesize
428KB

Download
memory/564-135-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/564-134-0x00007FFDB0C20000-0x00007FFDB16E1000-memory.dmp

Filesize
10.8MB

Download
memory/2348-14-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2676-71-0x00007FFDCEF10000-0x00007FFDCEF11000-memory.dmp

Filesize
4KB

Download
memory/2676-80-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/2676-39-0x00007FFDCEF90000-0x00007FFDCEF91000-memory.dmp

Filesize
4KB

Download
memory/2676-42-0x00007FFDCEFA0000-0x00007FFDCF05E000-memory.dmp

Filesize
760KB

Download
memory/2676-43-0x00007FFDCEF80000-0x00007FFDCEF81000-memory.dmp

Filesize
4KB

Download
memory/2676-45-0x0000000001620000-0x000000000162E000-memory.dmp

Filesize
56KB

Download
memory/2676-47-0x0000000002F60000-0x0000000002F7C000-memory.dmp

Filesize
112KB

Download
memory/2676-49-0x00007FFDB0C80000-0x00007FFDB1741000-memory.dmp

Filesize
10.8MB

Download
memory/2676-50-0x00007FFDCEF70000-0x00007FFDCEF71000-memory.dmp

Filesize
4KB

Download
memory/2676-53-0x00007FFDCEF60000-0x00007FFDCEF61000-memory.dmp

Filesize
4KB

Download
memory/2676-52-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download
memory/2676-48-0x000000001BB50000-0x000000001BBA0000-memory.dmp

Filesize
320KB

Download
memory/2676-54-0x00007FFDCEF50000-0x00007FFDCEF51000-memory.dmp

Filesize
4KB

Download
memory/2676-56-0x000000001BAD0000-0x000000001BAE8000-memory.dmp

Filesize
96KB

Download
memory/2676-59-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/2676-60-0x00007FFDCEF40000-0x00007FFDCEF41000-memory.dmp

Filesize
4KB

Download
memory/2676-57-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/2676-63-0x0000000001660000-0x0000000001670000-memory.dmp

Filesize
64KB

Download
memory/2676-62-0x00007FFDCEF30000-0x00007FFDCEF31000-memory.dmp

Filesize
4KB

Download
memory/2676-64-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/2676-67-0x00007FFDCEF20000-0x00007FFDCEF21000-memory.dmp

Filesize
4KB

Download
memory/2676-66-0x000000001BB00000-0x000000001BB0E000-memory.dmp

Filesize
56KB

Download
memory/2676-69-0x000000001BB30000-0x000000001BB42000-memory.dmp

Filesize
72KB

Download
memory/2676-70-0x00007FFDCEFA0000-0x00007FFDCF05E000-memory.dmp

Filesize
760KB

Download
memory/2676-38-0x00007FFDCEFA0000-0x00007FFDCF05E000-memory.dmp

Filesize
760KB

Download
memory/2676-72-0x00007FFDCEFA0000-0x00007FFDCF05E000-memory.dmp

Filesize
760KB

Download
memory/2676-75-0x00007FFDCEF00000-0x00007FFDCEF01000-memory.dmp

Filesize
4KB

Download
memory/2676-74-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/2676-77-0x000000001BBC0000-0x000000001BBD6000-memory.dmp

Filesize
88KB

Download
memory/2676-78-0x00007FFDCEFA0000-0x00007FFDCF05E000-memory.dmp

Filesize
760KB

Download
memory/2676-79-0x00007FFDCEEF0000-0x00007FFDCEEF1000-memory.dmp

Filesize
4KB

Download
memory/2676-41-0x000000001BAA0000-0x000000001BAC6000-memory.dmp

Filesize
152KB

Download
memory/2676-82-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

Filesize
72KB

Download
memory/2676-83-0x00007FFDCEEE0000-0x00007FFDCEEE1000-memory.dmp

Filesize
4KB

Download
memory/2676-84-0x000000001D450000-0x000000001D978000-memory.dmp

Filesize
5.2MB

Download
memory/2676-85-0x00007FFDCEED0000-0x00007FFDCEED1000-memory.dmp

Filesize
4KB

Download
memory/2676-87-0x000000001BB20000-0x000000001BB2E000-memory.dmp

Filesize
56KB

Download
memory/2676-88-0x00007FFDCEEC0000-0x00007FFDCEEC1000-memory.dmp

Filesize
4KB

Download
memory/2676-90-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download
memory/2676-93-0x00007FFDCEEB0000-0x00007FFDCEEB1000-memory.dmp

Filesize
4KB

Download
memory/2676-92-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/2676-94-0x00007FFDCEEA0000-0x00007FFDCEEA1000-memory.dmp

Filesize
4KB

Download
memory/2676-96-0x000000001BC60000-0x000000001BCBA000-memory.dmp

Filesize
360KB

Download
memory/2676-97-0x00007FFDCEE90000-0x00007FFDCEE91000-memory.dmp

Filesize
4KB

Download
memory/2676-99-0x000000001BC00000-0x000000001BC0E000-memory.dmp

Filesize
56KB

Download
memory/2676-101-0x000000001BC10000-0x000000001BC20000-memory.dmp

Filesize
64KB

Download
memory/2676-102-0x00007FFDCEE80000-0x00007FFDCEE81000-memory.dmp

Filesize
4KB

Download
memory/2676-103-0x00007FFDCEDE0000-0x00007FFDCEDE1000-memory.dmp

Filesize
4KB

Download
memory/2676-105-0x000000001BC20000-0x000000001BC2E000-memory.dmp

Filesize
56KB

Download
memory/2676-107-0x000000001BCC0000-0x000000001BCD8000-memory.dmp

Filesize
96KB

Download
memory/2676-108-0x00007FFDCEDD0000-0x00007FFDCEDD1000-memory.dmp

Filesize
4KB

Download
memory/2676-109-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/2676-111-0x000000001BD30000-0x000000001BD7E000-memory.dmp

Filesize
312KB

Download
memory/2676-112-0x00007FFDCEDC0000-0x00007FFDCEDC1000-memory.dmp

Filesize
4KB

Download
memory/2676-128-0x00007FFDCEFA0000-0x00007FFDCF05E000-memory.dmp

Filesize
760KB

Download
memory/2676-37-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/2676-130-0x00007FFDB0C80000-0x00007FFDB1741000-memory.dmp

Filesize
10.8MB

Download
memory/2676-36-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/2676-35-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/2676-34-0x00007FFDB0C80000-0x00007FFDB1741000-memory.dmp

Filesize
10.8MB

Download
memory/2676-33-0x00000000009C0000-0x0000000000D48000-memory.dmp

Filesize
3.5MB

Download
memory/3172-15-0x0000000000490000-0x000000000077D000-memory.dmp

Filesize
2.9MB

Download
memory/3172-27-0x0000000000490000-0x000000000077D000-memory.dmp

Filesize
2.9MB

Download