zgrat | 3b9330b09929cc5391a31e5780a967d26f21b010b586b2226e3d22038226f800

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 21:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe
Size

3.9MB
MD5

c93eb1803d22b1ea86a0e5b4c61ab5fc
SHA1

e1be31f724ba662e5067767f6144a3ce64167897
SHA256

3b9330b09929cc5391a31e5780a967d26f21b010b586b2226e3d22038226f800
SHA512

f2509c0e58064a517708e2cadee34805cf3d25043af41f70a34af69b6acfd74b09f1c0c2dc851128f2777e2e49bd9766c719c0f1f8bcf52d325bff54dcce08e1
SSDEEP

98304:yOYX6sYD1rXzznYLGRk3/ZuPqInTeNlZD6jdKkb8p:Fkdq1rIH3/OnaJuy

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/files/0x000d000000015c13-9.dat	family_zgrat_v1
behavioral1/files/0x000d000000015c13-12.dat	family_zgrat_v1
behavioral1/files/0x000d000000015c13-11.dat	family_zgrat_v1
behavioral1/files/0x000d000000015c13-10.dat	family_zgrat_v1
behavioral1/memory/2756-13-0x0000000000170000-0x0000000000508000-memory.dmp	family_zgrat_v1
behavioral1/memory/3044-104-0x0000000000AF0000-0x0000000000E88000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1632	schtasks.exe	32

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
2756	agentreviewIntoRefdhcp.exe
3044	agentreviewIntoRefdhcp.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	cmd.exe
2820	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe	agentreviewIntoRefdhcp.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\69ddcba757bf72	agentreviewIntoRefdhcp.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\smss.exe	agentreviewIntoRefdhcp.exe
File opened for modification	C:\Windows\Offline Web Pages\smss.exe	agentreviewIntoRefdhcp.exe
File created	C:\Windows\Offline Web Pages\69ddcba757bf72	agentreviewIntoRefdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1652	schtasks.exe
1100	schtasks.exe
1152	schtasks.exe
1524	schtasks.exe
2084	schtasks.exe
756	schtasks.exe
1092	schtasks.exe
2896	schtasks.exe
2364	schtasks.exe
2220	schtasks.exe
1416	schtasks.exe
1320	schtasks.exe
2176	schtasks.exe
2276	schtasks.exe
2124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe
2756	agentreviewIntoRefdhcp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	agentreviewIntoRefdhcp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	agentreviewIntoRefdhcp.exe
Token: SeDebugPrivilege	3044	agentreviewIntoRefdhcp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3052	2924	3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe	28
PID 2924 wrote to memory of 3052	2924	3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe	28
PID 2924 wrote to memory of 3052	2924	3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe	28
PID 2924 wrote to memory of 3052	2924	3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe	28
PID 3052 wrote to memory of 2820	3052	WScript.exe	29
PID 3052 wrote to memory of 2820	3052	WScript.exe	29
PID 3052 wrote to memory of 2820	3052	WScript.exe	29
PID 3052 wrote to memory of 2820	3052	WScript.exe	29
PID 2820 wrote to memory of 2756	2820	cmd.exe	31
PID 2820 wrote to memory of 2756	2820	cmd.exe	31
PID 2820 wrote to memory of 2756	2820	cmd.exe	31
PID 2820 wrote to memory of 2756	2820	cmd.exe	31
PID 2756 wrote to memory of 2164	2756	agentreviewIntoRefdhcp.exe	48
PID 2756 wrote to memory of 2164	2756	agentreviewIntoRefdhcp.exe	48
PID 2756 wrote to memory of 2164	2756	agentreviewIntoRefdhcp.exe	48
PID 2164 wrote to memory of 2112	2164	cmd.exe	50
PID 2164 wrote to memory of 2112	2164	cmd.exe	50
PID 2164 wrote to memory of 2112	2164	cmd.exe	50
PID 2164 wrote to memory of 1468	2164	cmd.exe	51
PID 2164 wrote to memory of 1468	2164	cmd.exe	51
PID 2164 wrote to memory of 1468	2164	cmd.exe	51
PID 2164 wrote to memory of 3044	2164	cmd.exe	52
PID 2164 wrote to memory of 3044	2164	cmd.exe	52
PID 2164 wrote to memory of 3044	2164	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe
"C:\Users\Admin\AppData\Local\Temp\3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MsWebSession\aISwmBA1tz2Li9c6LCYbI0c56v7tmGzpAA7ZdNSGvv0YyEqFbmxvfE9xX.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\MsWebSession\28GBsRQl2u5EqD0HGx7YGeYZyO2za9W9ftVvHiRGielbEoVm.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\MsWebSession\agentreviewIntoRefdhcp.exe
      "C:\MsWebSession/agentreviewIntoRefdhcp.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZRScbS9PN9.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2112
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1468
      - C:\Users\Admin\Templates\agentreviewIntoRefdhcp.exe
        
        "C:\Users\Admin\Templates\agentreviewIntoRefdhcp.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\52b0f462-d10e-11ee-9e98-caf795fd2ae4\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\52b0f462-d10e-11ee-9e98-caf795fd2ae4\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\52b0f462-d10e-11ee-9e98-caf795fd2ae4\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentreviewIntoRefdhcpa" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\agentreviewIntoRefdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentreviewIntoRefdhcp" /sc ONLOGON /tr "'C:\Users\Admin\Templates\agentreviewIntoRefdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentreviewIntoRefdhcpa" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\agentreviewIntoRefdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MsWebSession\28GBsRQl2u5EqD0HGx7YGeYZyO2za9W9ftVvHiRGielbEoVm.bat

Filesize
95B

MD5
d7fa26c8b1aa0d91d5c3682c87970269

SHA1
9934cb04ec5d81e86519c36c38d9e7caf5c01a1d

SHA256
102e9e1f76065e7c6207880bdcdba7cad4aebb61e2644ac80f76ed1a2ca92b1b

SHA512
71d72daaab45e8198d375a6fdf78bb7b3173c757cb2b6e349bbe516a67461b8ddb183ab028579f80c44392bba46a00b82f66bc5f01da4297af2a222be7ac5117

Download Submit
C:\MsWebSession\aISwmBA1tz2Li9c6LCYbI0c56v7tmGzpAA7ZdNSGvv0YyEqFbmxvfE9xX.vbe

Filesize
250B

MD5
472b891861c2851f23fc56f0da9834f0

SHA1
1938881b09e054a23c46369d850f92c52a9b1164

SHA256
fee3cc05c5cd12982240bd1e83cf2362871ab9b656fd807928387ddb67e831f7

SHA512
77850c8c9d95733ff9128a9e19f87be4b64ee450ed4aa27be4dcaceded74c0ec8c05d57d8c78249c30ad8cdfcd96a9eeae51e587adef1ad38cd24a0125cbb129

Download Submit
C:\MsWebSession\agentreviewIntoRefdhcp.exe

Filesize
3.6MB

MD5
1e8b556d7c4cefe0023e5ba9b6d021e5

SHA1
1f2dd53b352fd7b5972b38d1a5eeb2aec378b9e5

SHA256
3ed028c17d0038c69998ad942feb78aff2f9f363bae2203250b0eba6ce0d26be

SHA512
788395a9013db192ff4054fc766aef4f55335c5816d0b5fa57d3019f7254aea32e194790930bc8255e05e80e9e9d5e2a77d0dfb45aac142c6f65edb9ae6061c0

Download Submit
C:\MsWebSession\agentreviewIntoRefdhcp.exe

Filesize
3.2MB

MD5
597ebdf4c40cadb6ee0f33970b8a3426

SHA1
6a938d560ceb125f1d0202208e7ff3ace2ea12cf

SHA256
b7e68398dde8d9e6dc5846f96cfe7c5d804930f8ec53e468a5018a74890c0914

SHA512
774a8e9095123034de5efecca5b645edfd5fca291700a17147d7f196a9ea458ba517ad9704f92162192c30e03fd1c3e8229378e471c2f9e3c75c94b1c8d311e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRScbS9PN9.bat

Filesize
227B

MD5
352ad6b05a33f328b41d0f31df420f6f

SHA1
e8faeb65416c2a0ced8d281d6c9f236aa53bd0b4

SHA256
1aa063999bedc03814d474d05ca370d86e1e269fb3a392caa5b2f3ef3d4de246

SHA512
e286bd577dfd0a0a41e0d88f8621bc47a2186aee6c972c55c615597293706a5a6cd2fbab12f1a65cc9e9cd15bde22a7fc37ae6e6cdc59994860975523c22940a

Download Submit
\MsWebSession\agentreviewIntoRefdhcp.exe

Filesize
3.5MB

MD5
df79d82a6c5f8e63ff2d5597912e0833

SHA1
863c5813973d097d907aac8fe2b4720963ce5304

SHA256
763138c486e20b5a30be735803fdea0840479558cd6a9bbe06e093c098f5ad25

SHA512
85ef538ccad2e8c217052b7ab91cb6ab17b8fb277bd25ed65494e949a0350a3e0f3e700efc22994e3202aadb46f6cf104be1100c858ae74296e4c69984a16723

Download Submit
\MsWebSession\agentreviewIntoRefdhcp.exe

Filesize
2.0MB

MD5
370d72167ffadc49874fa27116e1b1c5

SHA1
4f577407b0194b9df3063306b3bc82c1216359e9

SHA256
1e336ca4bb0f8f723c4fefcaad9ddb39352ef94868c0815c68555b2723cf3110

SHA512
7b8961a1dec3bf3915e1c18a2b18a15a9dc250bd0f2d4e208b21faaa6f6d69b735577fa7b4fae1711428076a77827cb2a54670d00d7def3d407fdec84db2c446

Download Submit
memory/2756-13-0x0000000000170000-0x0000000000508000-memory.dmp

Filesize
3.6MB

Download
memory/2756-14-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-15-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2756-16-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2756-17-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2756-18-0x00000000777C0000-0x00000000777C1000-memory.dmp

Filesize
4KB

Download
memory/2756-19-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2756-21-0x00000000007E0000-0x0000000000806000-memory.dmp

Filesize
152KB

Download
memory/2756-23-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/2756-24-0x00000000777B0000-0x00000000777B1000-memory.dmp

Filesize
4KB

Download
memory/2756-26-0x0000000000810000-0x000000000082C000-memory.dmp

Filesize
112KB

Download
memory/2756-27-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/2756-29-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/2756-30-0x0000000077790000-0x0000000077791000-memory.dmp

Filesize
4KB

Download
memory/2756-32-0x0000000000830000-0x0000000000848000-memory.dmp

Filesize
96KB

Download
memory/2756-33-0x0000000077780000-0x0000000077781000-memory.dmp

Filesize
4KB

Download
memory/2756-35-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/2756-36-0x0000000077770000-0x0000000077771000-memory.dmp

Filesize
4KB

Download
memory/2756-38-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/2756-39-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-40-0x0000000077760000-0x0000000077761000-memory.dmp

Filesize
4KB

Download
memory/2756-43-0x0000000000960000-0x000000000096E000-memory.dmp

Filesize
56KB

Download
memory/2756-44-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2756-41-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/2756-46-0x0000000077740000-0x0000000077741000-memory.dmp

Filesize
4KB

Download
memory/2756-47-0x0000000002230000-0x0000000002242000-memory.dmp

Filesize
72KB

Download
memory/2756-48-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2756-49-0x0000000077730000-0x0000000077731000-memory.dmp

Filesize
4KB

Download
memory/2756-51-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/2756-53-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/2756-54-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2756-55-0x0000000077720000-0x0000000077721000-memory.dmp

Filesize
4KB

Download
memory/2756-56-0x0000000077710000-0x0000000077711000-memory.dmp

Filesize
4KB

Download
memory/2756-58-0x0000000002300000-0x0000000002316000-memory.dmp

Filesize
88KB

Download
memory/2756-60-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2756-61-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2756-62-0x00000000776F0000-0x00000000776F1000-memory.dmp

Filesize
4KB

Download
memory/2756-64-0x0000000002250000-0x000000000225E000-memory.dmp

Filesize
56KB

Download
memory/2756-65-0x00000000776E0000-0x00000000776E1000-memory.dmp

Filesize
4KB

Download
memory/2756-67-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/2756-68-0x00000000776D0000-0x00000000776D1000-memory.dmp

Filesize
4KB

Download
memory/2756-70-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/2756-71-0x00000000776C0000-0x00000000776C1000-memory.dmp

Filesize
4KB

Download
memory/2756-73-0x000000001A9E0000-0x000000001AA3A000-memory.dmp

Filesize
360KB

Download
memory/2756-75-0x0000000002320000-0x000000000232E000-memory.dmp

Filesize
56KB

Download
memory/2756-77-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2756-79-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/2756-81-0x0000000002520000-0x0000000002538000-memory.dmp

Filesize
96KB

Download
memory/2756-83-0x0000000002500000-0x000000000250C000-memory.dmp

Filesize
48KB

Download
memory/2756-85-0x000000001ABC0000-0x000000001AC0E000-memory.dmp

Filesize
312KB

Download
memory/2756-101-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-104-0x0000000000AF0000-0x0000000000E88000-memory.dmp

Filesize
3.6MB

Download
memory/3044-105-0x000007FEF4EF0000-0x000007FEF58DC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-106-0x000000001B4C0000-0x000000001B540000-memory.dmp

Filesize
512KB

Download
memory/3044-107-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3044-108-0x000000001B4C0000-0x000000001B540000-memory.dmp

Filesize
512KB

Download
memory/3044-110-0x00000000777C0000-0x00000000777C1000-memory.dmp

Filesize
4KB

Download
memory/3044-112-0x000000001B4C0000-0x000000001B540000-memory.dmp

Filesize
512KB

Download
memory/3044-113-0x00000000777B0000-0x00000000777B1000-memory.dmp

Filesize
4KB

Download
memory/3044-115-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/3044-117-0x0000000077790000-0x0000000077791000-memory.dmp

Filesize
4KB

Download
memory/3044-119-0x0000000077780000-0x0000000077781000-memory.dmp

Filesize
4KB

Download
memory/3044-122-0x000007FEF4EF0000-0x000007FEF58DC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-124-0x0000000077770000-0x0000000077771000-memory.dmp

Filesize
4KB

Download