zgrat | 182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 03:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d.exe
Size

4.0MB
MD5

9c31acafcb357ff41c9bc9be104397c4
SHA1

8be5933f6f72c0d4723ac3ff5501cbd17bf499c4
SHA256

182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d
SHA512

636d444a411d144ce77bb24b896198c4ac4036408c31d94d8722dcd16f950375cc7a08c034cffe74bb6202404de6c4e16069a78dbe5c4197039c1f1f9c4f6fdf
SSDEEP

98304:ypDF7RaItzPWlbVMQDWFdCEbqNixjnCc630pW0EpmEOQL6r1:IDF7RaItzckCVixT9pSmEO06r1

Score

10^/10

zgrat evasion rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000233f2-10.dat	family_zgrat_v1
behavioral1/memory/3420-12-0x0000000000190000-0x0000000000542000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	ChainproviderDriverperfdll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 4 IoCs

pid	Process
3420	ChainproviderDriverperfdll.exe
4884	RuntimeBroker.exe
3976	RuntimeBroker.exe
3864	RuntimeBroker.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16	ChainproviderDriverperfdll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	ChainproviderDriverperfdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	ChainproviderDriverperfdll.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	RuntimeBroker.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1736	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2272	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe
3420	ChainproviderDriverperfdll.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3420	ChainproviderDriverperfdll.exe
Token: SeDebugPrivilege	4884	RuntimeBroker.exe
Token: SeDebugPrivilege	3976	RuntimeBroker.exe
Token: SeDebugPrivilege	3864	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 5068	2992	182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d.exe	85
PID 2992 wrote to memory of 5068	2992	182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d.exe	85
PID 2992 wrote to memory of 5068	2992	182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d.exe	85
PID 5068 wrote to memory of 3504	5068	WScript.exe	87
PID 5068 wrote to memory of 3504	5068	WScript.exe	87
PID 5068 wrote to memory of 3504	5068	WScript.exe	87
PID 3504 wrote to memory of 1736	3504	cmd.exe	90
PID 3504 wrote to memory of 1736	3504	cmd.exe	90
PID 3504 wrote to memory of 1736	3504	cmd.exe	90
PID 3504 wrote to memory of 3420	3504	cmd.exe	91
PID 3504 wrote to memory of 3420	3504	cmd.exe	91
PID 3420 wrote to memory of 3092	3420	ChainproviderDriverperfdll.exe	94
PID 3420 wrote to memory of 3092	3420	ChainproviderDriverperfdll.exe	94
PID 3092 wrote to memory of 4832	3092	cmd.exe	96
PID 3092 wrote to memory of 4832	3092	cmd.exe	96
PID 3092 wrote to memory of 2272	3092	cmd.exe	97
PID 3092 wrote to memory of 2272	3092	cmd.exe	97
PID 3092 wrote to memory of 4884	3092	cmd.exe	98
PID 3092 wrote to memory of 4884	3092	cmd.exe	98
PID 4884 wrote to memory of 4244	4884	RuntimeBroker.exe	102
PID 4884 wrote to memory of 4244	4884	RuntimeBroker.exe	102
PID 4244 wrote to memory of 2152	4244	cmd.exe	104
PID 4244 wrote to memory of 2152	4244	cmd.exe	104
PID 4244 wrote to memory of 4960	4244	cmd.exe	105
PID 4244 wrote to memory of 4960	4244	cmd.exe	105
PID 4244 wrote to memory of 3976	4244	cmd.exe	106
PID 4244 wrote to memory of 3976	4244	cmd.exe	106
PID 3976 wrote to memory of 3544	3976	RuntimeBroker.exe	107
PID 3976 wrote to memory of 3544	3976	RuntimeBroker.exe	107
PID 3544 wrote to memory of 4672	3544	cmd.exe	109
PID 3544 wrote to memory of 4672	3544	cmd.exe	109
PID 3544 wrote to memory of 4420	3544	cmd.exe	110
PID 3544 wrote to memory of 4420	3544	cmd.exe	110
PID 3544 wrote to memory of 3864	3544	cmd.exe	111
PID 3544 wrote to memory of 3864	3544	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d.exe
"C:\Users\Admin\AppData\Local\Temp\182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\SysCacheBin\a3luMGEKGggtcfeaR6JwYrETfGSR.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\SysCacheBin\4uI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1736
  - - C:\SysCacheBin\ChainproviderDriverperfdll.exe
      "C:\SysCacheBin/ChainproviderDriverperfdll.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3420
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BnSRclxHmL.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3092
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4832
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2272
      - C:\SysCacheBin\RuntimeBroker.exe
        
        "C:\SysCacheBin\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KZMa9uzHOO.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4960
        
        C:\SysCacheBin\RuntimeBroker.exe
        
        "C:\SysCacheBin\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CU0JBUISt3.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4420
        
        C:\SysCacheBin\RuntimeBroker.exe
        
        "C:\SysCacheBin\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysCacheBin\4uI.bat

Filesize
203B

MD5
36073d0e8985c36d689d7750b7918274

SHA1
1f2c92264534a8b0d804727d8563f8f536001502

SHA256
5244f7e68829cacffc1c30eb11268d6c92d91de64f5d08a70cfd18f50970a1eb

SHA512
ee88acf445fd4ea8996ae1fc227d82d9a728dbc08bd9070b4867db502732b0fbbf4ffe3a5ccdfc4076dc081f78b537c2c5b6d86f18cfc2ee90538d93e43e0864

Download Submit
C:\SysCacheBin\ChainproviderDriverperfdll.exe

Filesize
3.7MB

MD5
acb404bd7968c4dc9470c4c593ac9d47

SHA1
98344a37050196332f6e3ee5fb64c48ad9668481

SHA256
0bb8c98855338acd06f4c887c8f75a9d03bf09b73e8464eac44ca971901f184e

SHA512
665c487497835ddd94d798b777ce9bf19742732faf6527c28abe791f436bc7ef94179cb20b92a8579d86512ac500c6e0338ca2d1fcd25c8875397cee50cd73dd

Download Submit
C:\SysCacheBin\a3luMGEKGggtcfeaR6JwYrETfGSR.vbe

Filesize
200B

MD5
d138a547c20ef3edab78226f907e2901

SHA1
be846d7a05fbc631be7a67e773d27f3b6c9e9336

SHA256
6b509d852b4ccf988110577d9445a7bcb5a23953ea0695e7149f9ea1d6459470

SHA512
29d80b8c0f33cdacaadfd8482262aa86b24714824d40f625a2d1b63db7a95110d74446460c0b2434189c48087a85090391c5e81e8a1e14a8d2b57325fed835f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\BnSRclxHmL.bat

Filesize
160B

MD5
4117e7a1711e90c766b2fc7ed372df9f

SHA1
16d0f609546a6dd9a8d46d54da34b8bd37ff71c5

SHA256
4369736989f63a39579fb3b843d7eea94fad1a2fefb890e3d6da2207308e76f6

SHA512
3701800828bded9fc70cb80586ce5a9c650362343241d4e0cdf458c1696bf4cefe42cbf6fc0d313c660108fd1da0cea1184402f6c27183f199b6fbd23877a6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CU0JBUISt3.bat

Filesize
208B

MD5
729c7f3db84d20171723c4c9e9b0a3a6

SHA1
2843ea2fbc8ed60a90163a0da6c837b2867f5c9d

SHA256
13646d3d992ca1dfb89fe47b95e3a67dd0822c3a31c5ee0a7f92d0ff90a897af

SHA512
78efa1cf284b3a8fe6c17c897f7d4e61e96c7d282ea640c2b46a4dfb8ea57ff01c2006d407df6373217df1e54908201427c99fc067e28fc3ad705d4e807a387b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KZMa9uzHOO.bat

Filesize
208B

MD5
5d7ad3bd7a769a871d6cdba5a8917ae5

SHA1
5921d717c4d32cd63315bfeca03645926e28039c

SHA256
af363e9b918ef0c2043bf0568ccadae1892525e4221dc21c6a3c030e2192324d

SHA512
eab2d7f4e8468a503b3ea932ff9e5f88ea16cfbd478d36cd27b8e35a91b8c9500c57c5ac0f12d6017cc6a332aed7663e1f388ace628a9c2067c3df753ca45248

Download Submit
memory/3420-59-0x00007FFFAD090000-0x00007FFFAD091000-memory.dmp

Filesize
4KB

Download
memory/3420-62-0x00007FFFAD070000-0x00007FFFAD071000-memory.dmp

Filesize
4KB

Download
memory/3420-15-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3420-16-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/3420-17-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/3420-19-0x000000001B080000-0x000000001B0A6000-memory.dmp

Filesize
152KB

Download
memory/3420-20-0x00007FFFAD320000-0x00007FFFAD3DE000-memory.dmp

Filesize
760KB

Download
memory/3420-21-0x00007FFFAD320000-0x00007FFFAD3DE000-memory.dmp

Filesize
760KB

Download
memory/3420-22-0x00007FFFAD130000-0x00007FFFAD131000-memory.dmp

Filesize
4KB

Download
memory/3420-64-0x000000001C6F0000-0x000000001C700000-memory.dmp

Filesize
64KB

Download
memory/3420-25-0x00007FFFAD110000-0x00007FFFAD111000-memory.dmp

Filesize
4KB

Download
memory/3420-28-0x00007FFFAD100000-0x00007FFFAD101000-memory.dmp

Filesize
4KB

Download
memory/3420-27-0x000000001B0B0000-0x000000001B0CC000-memory.dmp

Filesize
112KB

Download
memory/3420-29-0x000000001C740000-0x000000001C790000-memory.dmp

Filesize
320KB

Download
memory/3420-31-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/3420-32-0x00007FFFAD0F0000-0x00007FFFAD0F1000-memory.dmp

Filesize
4KB

Download
memory/3420-34-0x000000001B0D0000-0x000000001B0E8000-memory.dmp

Filesize
96KB

Download
memory/3420-38-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/3420-37-0x00007FFF8FFF0000-0x00007FFF90AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-36-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/3420-41-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/3420-40-0x00007FFFAD0E0000-0x00007FFFAD0E1000-memory.dmp

Filesize
4KB

Download
memory/3420-45-0x0000000002750000-0x000000000275E000-memory.dmp

Filesize
56KB

Download
memory/3420-46-0x00007FFFAD0B0000-0x00007FFFAD0B1000-memory.dmp

Filesize
4KB

Download
memory/3420-43-0x00007FFFAD0C0000-0x00007FFFAD0C1000-memory.dmp

Filesize
4KB

Download
memory/3420-42-0x00007FFFAD0D0000-0x00007FFFAD0D1000-memory.dmp

Filesize
4KB

Download
memory/3420-47-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/3420-50-0x000000001B0F0000-0x000000001B0FE000-memory.dmp

Filesize
56KB

Download
memory/3420-48-0x00007FFFAD0A0000-0x00007FFFAD0A1000-memory.dmp

Filesize
4KB

Download
memory/3420-52-0x000000001B100000-0x000000001B10C000-memory.dmp

Filesize
48KB

Download
memory/3420-53-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/3420-55-0x000000001B320000-0x000000001B32E000-memory.dmp

Filesize
56KB

Download
memory/3420-58-0x000000001C710000-0x000000001C722000-memory.dmp

Filesize
72KB

Download
memory/3420-13-0x00007FFF8FFF0000-0x00007FFF90AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-56-0x00007FFFAD320000-0x00007FFFAD3DE000-memory.dmp

Filesize
760KB

Download
memory/3420-60-0x00007FFFAD080000-0x00007FFFAD081000-memory.dmp

Filesize
4KB

Download
memory/3420-14-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/3420-61-0x00007FFFAD320000-0x00007FFFAD3DE000-memory.dmp

Filesize
760KB

Download
memory/3420-24-0x0000000000E50000-0x0000000000E5E000-memory.dmp

Filesize
56KB

Download
memory/3420-65-0x00007FFFAD060000-0x00007FFFAD061000-memory.dmp

Filesize
4KB

Download
memory/3420-66-0x00007FFFAD050000-0x00007FFFAD051000-memory.dmp

Filesize
4KB

Download
memory/3420-68-0x000000001C7B0000-0x000000001C7C6000-memory.dmp

Filesize
88KB

Download
memory/3420-71-0x000000001C7D0000-0x000000001C7E2000-memory.dmp

Filesize
72KB

Download
memory/3420-69-0x00007FFFAD040000-0x00007FFFAD041000-memory.dmp

Filesize
4KB

Download
memory/3420-72-0x000000001CD20000-0x000000001D248000-memory.dmp

Filesize
5.2MB

Download
memory/3420-73-0x00007FFFAD030000-0x00007FFFAD031000-memory.dmp

Filesize
4KB

Download
memory/3420-75-0x000000001C700000-0x000000001C70E000-memory.dmp

Filesize
56KB

Download
memory/3420-77-0x000000001C730000-0x000000001C73C000-memory.dmp

Filesize
48KB

Download
memory/3420-78-0x00007FFFAD020000-0x00007FFFAD021000-memory.dmp

Filesize
4KB

Download
memory/3420-80-0x000000001C790000-0x000000001C7A0000-memory.dmp

Filesize
64KB

Download
memory/3420-81-0x00007FFFAD010000-0x00007FFFAD011000-memory.dmp

Filesize
4KB

Download
memory/3420-84-0x000000001C7A0000-0x000000001C7B0000-memory.dmp

Filesize
64KB

Download
memory/3420-82-0x00007FFFAD000000-0x00007FFFAD001000-memory.dmp

Filesize
4KB

Download
memory/3420-86-0x000000001C850000-0x000000001C8AA000-memory.dmp

Filesize
360KB

Download
memory/3420-87-0x00007FFFACFF0000-0x00007FFFACFF1000-memory.dmp

Filesize
4KB

Download
memory/3420-89-0x000000001C7F0000-0x000000001C7FE000-memory.dmp

Filesize
56KB

Download
memory/3420-90-0x00007FFFACFE0000-0x00007FFFACFE1000-memory.dmp

Filesize
4KB

Download
memory/3420-92-0x000000001C800000-0x000000001C810000-memory.dmp

Filesize
64KB

Download
memory/3420-93-0x00007FFFACFD0000-0x00007FFFACFD1000-memory.dmp

Filesize
4KB

Download
memory/3420-94-0x00007FFFACFC0000-0x00007FFFACFC1000-memory.dmp

Filesize
4KB

Download
memory/3420-96-0x000000001C810000-0x000000001C81E000-memory.dmp

Filesize
56KB

Download
memory/3420-97-0x00007FFFACFB0000-0x00007FFFACFB1000-memory.dmp

Filesize
4KB

Download
memory/3420-99-0x000000001CAB0000-0x000000001CAC8000-memory.dmp

Filesize
96KB

Download
memory/3420-122-0x000000001CB70000-0x000000001CC3D000-memory.dmp

Filesize
820KB

Download
memory/3420-12-0x0000000000190000-0x0000000000542000-memory.dmp

Filesize
3.7MB

Download
memory/3976-265-0x000000001D890000-0x000000001D898000-memory.dmp

Filesize
32KB

Download
memory/3976-280-0x000000001DA30000-0x000000001DAFD000-memory.dmp

Filesize
820KB

Download
memory/3976-281-0x000000001D890000-0x000000001D898000-memory.dmp

Filesize
32KB

Download
memory/3976-264-0x000000001DA30000-0x000000001DAFD000-memory.dmp

Filesize
820KB

Download
memory/4884-187-0x000000001EA50000-0x000000001EB1D000-memory.dmp

Filesize
820KB

Download
memory/4884-188-0x000000001E8B0000-0x000000001E8B8000-memory.dmp

Filesize
32KB

Download
memory/4884-205-0x000000001E8B0000-0x000000001E8B8000-memory.dmp

Filesize
32KB

Download
memory/4884-204-0x000000001EA50000-0x000000001EB1D000-memory.dmp

Filesize
820KB

Download