zgrat | 95211867154e018e2ab4ca9cb0b4fdf18c2ba79a312ccb01eba95b2eb899d0bd

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a97286be2249f7896f0a5c171deb80d0.exe
Size

2.5MB
MD5

a97286be2249f7896f0a5c171deb80d0
SHA1

f10351ff6bc3fbababea9bdf13be7e7e4a7d04e5
SHA256

95211867154e018e2ab4ca9cb0b4fdf18c2ba79a312ccb01eba95b2eb899d0bd
SHA512

bbdce4fe5ef2dcebc15ce92d174cb776de79404c70ab660c4bc5e9546004719c0e180dd185bec1dffc57a0d1be3ba76775b967a0c95f87bb1337a9c4ba110984
SSDEEP

49152:KDVzY8tMlX0pXGRMuK3JaEzXW+DHFgmDY8HrsjhqWl:PKGX0ARVK3J5zG+DH2IYysjhRl

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2040-111-0x0000000005F60000-0x0000000005FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-112-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-113-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-115-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-117-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-119-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-121-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-123-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-125-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-127-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-129-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-131-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-133-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-135-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-137-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-139-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-141-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-143-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-147-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-149-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-145-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-151-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-153-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-155-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-157-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-159-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-161-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-163-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-165-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-167-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-169-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-171-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-173-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2040-175-0x0000000005F60000-0x0000000005FC3000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvidia Share = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Nvidia\\Nvidia Share.exe\""	a97286be2249f7896f0a5c171deb80d0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2272	a97286be2249f7896f0a5c171deb80d0.exe
2272	a97286be2249f7896f0a5c171deb80d0.exe
2272	a97286be2249f7896f0a5c171deb80d0.exe
2272	a97286be2249f7896f0a5c171deb80d0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2512	powershell.exe
2436	powershell.exe
2584	powershell.exe
2060	powershell.exe
772	powershell.exe
1656	powershell.exe
2256	powershell.exe
1928	powershell.exe
1664	powershell.exe
1536	powershell.exe
2040	a97286be2249f7896f0a5c171deb80d0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeIncreaseQuotaPrivilege	2512	powershell.exe
Token: SeSecurityPrivilege	2512	powershell.exe
Token: SeTakeOwnershipPrivilege	2512	powershell.exe
Token: SeLoadDriverPrivilege	2512	powershell.exe
Token: SeSystemProfilePrivilege	2512	powershell.exe
Token: SeSystemtimePrivilege	2512	powershell.exe
Token: SeProfSingleProcessPrivilege	2512	powershell.exe
Token: SeIncBasePriorityPrivilege	2512	powershell.exe
Token: SeCreatePagefilePrivilege	2512	powershell.exe
Token: SeBackupPrivilege	2512	powershell.exe
Token: SeRestorePrivilege	2512	powershell.exe
Token: SeShutdownPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeSystemEnvironmentPrivilege	2512	powershell.exe
Token: SeRemoteShutdownPrivilege	2512	powershell.exe
Token: SeUndockPrivilege	2512	powershell.exe
Token: SeManageVolumePrivilege	2512	powershell.exe
Token: 33	2512	powershell.exe
Token: 34	2512	powershell.exe
Token: 35	2512	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeIncreaseQuotaPrivilege	2436	powershell.exe
Token: SeSecurityPrivilege	2436	powershell.exe
Token: SeTakeOwnershipPrivilege	2436	powershell.exe
Token: SeLoadDriverPrivilege	2436	powershell.exe
Token: SeSystemProfilePrivilege	2436	powershell.exe
Token: SeSystemtimePrivilege	2436	powershell.exe
Token: SeProfSingleProcessPrivilege	2436	powershell.exe
Token: SeIncBasePriorityPrivilege	2436	powershell.exe
Token: SeCreatePagefilePrivilege	2436	powershell.exe
Token: SeBackupPrivilege	2436	powershell.exe
Token: SeRestorePrivilege	2436	powershell.exe
Token: SeShutdownPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeSystemEnvironmentPrivilege	2436	powershell.exe
Token: SeRemoteShutdownPrivilege	2436	powershell.exe
Token: SeUndockPrivilege	2436	powershell.exe
Token: SeManageVolumePrivilege	2436	powershell.exe
Token: 33	2436	powershell.exe
Token: 34	2436	powershell.exe
Token: 35	2436	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeIncreaseQuotaPrivilege	2584	powershell.exe
Token: SeSecurityPrivilege	2584	powershell.exe
Token: SeTakeOwnershipPrivilege	2584	powershell.exe
Token: SeLoadDriverPrivilege	2584	powershell.exe
Token: SeSystemProfilePrivilege	2584	powershell.exe
Token: SeSystemtimePrivilege	2584	powershell.exe
Token: SeProfSingleProcessPrivilege	2584	powershell.exe
Token: SeIncBasePriorityPrivilege	2584	powershell.exe
Token: SeCreatePagefilePrivilege	2584	powershell.exe
Token: SeBackupPrivilege	2584	powershell.exe
Token: SeRestorePrivilege	2584	powershell.exe
Token: SeShutdownPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeSystemEnvironmentPrivilege	2584	powershell.exe
Token: SeRemoteShutdownPrivilege	2584	powershell.exe
Token: SeUndockPrivilege	2584	powershell.exe
Token: SeManageVolumePrivilege	2584	powershell.exe
Token: 33	2584	powershell.exe
Token: 34	2584	powershell.exe
Token: 35	2584	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2272	a97286be2249f7896f0a5c171deb80d0.exe
2272	a97286be2249f7896f0a5c171deb80d0.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2512	2040	a97286be2249f7896f0a5c171deb80d0.exe	28
PID 2040 wrote to memory of 2512	2040	a97286be2249f7896f0a5c171deb80d0.exe	28
PID 2040 wrote to memory of 2512	2040	a97286be2249f7896f0a5c171deb80d0.exe	28
PID 2040 wrote to memory of 2512	2040	a97286be2249f7896f0a5c171deb80d0.exe	28
PID 2040 wrote to memory of 2436	2040	a97286be2249f7896f0a5c171deb80d0.exe	31
PID 2040 wrote to memory of 2436	2040	a97286be2249f7896f0a5c171deb80d0.exe	31
PID 2040 wrote to memory of 2436	2040	a97286be2249f7896f0a5c171deb80d0.exe	31
PID 2040 wrote to memory of 2436	2040	a97286be2249f7896f0a5c171deb80d0.exe	31
PID 2040 wrote to memory of 2584	2040	a97286be2249f7896f0a5c171deb80d0.exe	33
PID 2040 wrote to memory of 2584	2040	a97286be2249f7896f0a5c171deb80d0.exe	33
PID 2040 wrote to memory of 2584	2040	a97286be2249f7896f0a5c171deb80d0.exe	33
PID 2040 wrote to memory of 2584	2040	a97286be2249f7896f0a5c171deb80d0.exe	33
PID 2040 wrote to memory of 2060	2040	a97286be2249f7896f0a5c171deb80d0.exe	35
PID 2040 wrote to memory of 2060	2040	a97286be2249f7896f0a5c171deb80d0.exe	35
PID 2040 wrote to memory of 2060	2040	a97286be2249f7896f0a5c171deb80d0.exe	35
PID 2040 wrote to memory of 2060	2040	a97286be2249f7896f0a5c171deb80d0.exe	35
PID 2040 wrote to memory of 772	2040	a97286be2249f7896f0a5c171deb80d0.exe	37
PID 2040 wrote to memory of 772	2040	a97286be2249f7896f0a5c171deb80d0.exe	37
PID 2040 wrote to memory of 772	2040	a97286be2249f7896f0a5c171deb80d0.exe	37
PID 2040 wrote to memory of 772	2040	a97286be2249f7896f0a5c171deb80d0.exe	37
PID 2040 wrote to memory of 1656	2040	a97286be2249f7896f0a5c171deb80d0.exe	39
PID 2040 wrote to memory of 1656	2040	a97286be2249f7896f0a5c171deb80d0.exe	39
PID 2040 wrote to memory of 1656	2040	a97286be2249f7896f0a5c171deb80d0.exe	39
PID 2040 wrote to memory of 1656	2040	a97286be2249f7896f0a5c171deb80d0.exe	39
PID 2040 wrote to memory of 2256	2040	a97286be2249f7896f0a5c171deb80d0.exe	43
PID 2040 wrote to memory of 2256	2040	a97286be2249f7896f0a5c171deb80d0.exe	43
PID 2040 wrote to memory of 2256	2040	a97286be2249f7896f0a5c171deb80d0.exe	43
PID 2040 wrote to memory of 2256	2040	a97286be2249f7896f0a5c171deb80d0.exe	43
PID 2040 wrote to memory of 1928	2040	a97286be2249f7896f0a5c171deb80d0.exe	45
PID 2040 wrote to memory of 1928	2040	a97286be2249f7896f0a5c171deb80d0.exe	45
PID 2040 wrote to memory of 1928	2040	a97286be2249f7896f0a5c171deb80d0.exe	45
PID 2040 wrote to memory of 1928	2040	a97286be2249f7896f0a5c171deb80d0.exe	45
PID 2040 wrote to memory of 1664	2040	a97286be2249f7896f0a5c171deb80d0.exe	47
PID 2040 wrote to memory of 1664	2040	a97286be2249f7896f0a5c171deb80d0.exe	47
PID 2040 wrote to memory of 1664	2040	a97286be2249f7896f0a5c171deb80d0.exe	47
PID 2040 wrote to memory of 1664	2040	a97286be2249f7896f0a5c171deb80d0.exe	47
PID 2040 wrote to memory of 1536	2040	a97286be2249f7896f0a5c171deb80d0.exe	49
PID 2040 wrote to memory of 1536	2040	a97286be2249f7896f0a5c171deb80d0.exe	49
PID 2040 wrote to memory of 1536	2040	a97286be2249f7896f0a5c171deb80d0.exe	49
PID 2040 wrote to memory of 1536	2040	a97286be2249f7896f0a5c171deb80d0.exe	49
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51
PID 2040 wrote to memory of 2272	2040	a97286be2249f7896f0a5c171deb80d0.exe	51

C:\Users\Admin\AppData\Local\Temp\a97286be2249f7896f0a5c171deb80d0.exe
"C:\Users\Admin\AppData\Local\Temp\a97286be2249f7896f0a5c171deb80d0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\a97286be2249f7896f0a5c171deb80d0.exe
  C:\Users\Admin\AppData\Local\Temp\a97286be2249f7896f0a5c171deb80d0.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
85c996d0486c70750a736eac5a012e8d

SHA1
2336d8444d48cf90b603ebb67113ab5b74138c5e

SHA256
92d72835bb959ca79d12d41709147e8cf31054870e172a319b25aa8d1c59cef7

SHA512
8d5fbd18e30b278994fc2eb4f393b25807c354055e31274a1a2956998241d8d4450987b2434731c9bd1646aeed48dc0b24df39a66c31c924c4e9bce07d6a49ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
becf478a566113f2b0ca35d4ee2a7ed6

SHA1
d46e47a670f03bb118e96670410445afd521b4d7

SHA256
5ded69b35844cac2312f6bd7cb060d256db98141b27ee7beb90e32becd280865

SHA512
55507601e2ca5e372f523dabde97608a045300f79c3afb7850baefcd512954de24e16d24c5391466e2f466151efae99f229c8e1e5245ca178a19adcf04b86b21

Download Submit
memory/772-54-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/772-53-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/772-50-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/772-51-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/772-52-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/1536-106-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/1536-103-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1536-104-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/1536-105-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1536-107-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/1536-108-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/1536-109-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-62-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/1656-63-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-60-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-61-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-95-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/1664-92-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-93-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/1664-91-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-94-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/1664-96-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/1664-97-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-82-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-81-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/1928-80-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-83-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/1928-84-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/1928-85-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-129-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-141-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-2134-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-175-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-173-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-171-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-169-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-167-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-165-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-163-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-161-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-159-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-157-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-155-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-153-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-151-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-145-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-27-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

Filesize
256KB

Download
memory/2040-149-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-147-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-19-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-143-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-139-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-137-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-135-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-133-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-131-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-0-0x0000000001310000-0x000000000158A000-memory.dmp

Filesize
2.5MB

Download
memory/2040-127-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-125-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-2-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

Filesize
256KB

Download
memory/2040-1-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-110-0x0000000008660000-0x000000000886A000-memory.dmp

Filesize
2.0MB

Download
memory/2040-111-0x0000000005F60000-0x0000000005FC8000-memory.dmp

Filesize
416KB

Download
memory/2040-112-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-113-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-115-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-117-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-119-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-121-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2040-123-0x0000000005F60000-0x0000000005FC3000-memory.dmp

Filesize
396KB

Download
memory/2060-42-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-40-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2060-41-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-39-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-43-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2256-73-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2256-69-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/2256-70-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2256-71-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/2256-72-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-16-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-20-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2436-21-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-17-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-18-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2512-9-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2512-5-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-10-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-8-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2512-7-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2512-6-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-32-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-33-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2584-31-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-30-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2584-29-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2584-28-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download