Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-01-2024 03:55

General

  • Target

    ac15ae1e49f4272e8d38b5fd5573ce35.exe

  • Size

    81KB

  • MD5

    ac15ae1e49f4272e8d38b5fd5573ce35

  • SHA1

    93a70b449926995d458b9513b8b36e988f73dc8a

  • SHA256

    c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149

  • SHA512

    23d7977aeac5a2f1856861519b34dbbd4aa52ed003d4001b73435024266d258d765613a3be8a1e2ae67548f9eb69f662925d663f8321f1610f200af6258025f8

  • SSDEEP

    1536:D7Vs/tSdQLcSjAA0C0rEr2ofgNTX0g/+PmN/10BmglZqiqazVkP5tJCFPzRUR2lX:D5MmQLcxAarEDINTD/+Pmn0BmgnpzmcP

Malware Config

Extracted

Family

stealerium

C2

https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q

Signatures

  • Detect ZGRat V1 34 IoCs
  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
    "C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
      C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
        "C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
          "C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1236
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1236 -s 716
            5⤵
              PID:2056
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Checks processor information in registry
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:2560
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2436
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:1320
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show profile
                5⤵
                  PID:1348
                • C:\Windows\SysWOW64\findstr.exe
                  findstr All
                  5⤵
                    PID:3024
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:968
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    5⤵
                      PID:292
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh wlan show networks mode=bssid
                      5⤵
                        PID:2612
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2024

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                1c26cded0e72b7957d17ed1e1ac5eb20

                SHA1

                4ef9345e507f9107cbc779cb0e5fad6068cc7d59

                SHA256

                04a722f4f791477f25a5130fa9ac8ef8507248d2bb7932fb8d60148b18fcdd1a

                SHA512

                ab068c0b1382c243aedd282d220573cbbc254818cc32617ea7f2ad42295d40f2e95f5e99fd741567c591fd60760f2cd5edbd062adde4d8c919aced1b8cef5971

              • C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\Browsers\Firefox\Bookmarks.txt

                Filesize

                105B

                MD5

                2e9d094dda5cdc3ce6519f75943a4ff4

                SHA1

                5d989b4ac8b699781681fe75ed9ef98191a5096c

                SHA256

                c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                SHA512

                d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

              • C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\Directories\Videos.txt

                Filesize

                23B

                MD5

                1fddbf1169b6c75898b86e7e24bc7c1f

                SHA1

                d2091060cb5191ff70eb99c0088c182e80c20f8c

                SHA256

                a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

                SHA512

                20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

              • C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\System\Apps.txt

                Filesize

                6KB

                MD5

                90e05e64959dcc96ed6dfb89d65334a6

                SHA1

                76840a3fb0a3a37a497a2232912753f9a9e5733a

                SHA256

                5b7c50db5b426b201287418c6032f1b300370beb66534f8cca03cf3fa5d02876

                SHA512

                f9b909093eea8743f08ce5428909d5a3a4c087e4faf28c5617784c81e511505de37f1bbc9069fbedb8a0e0e45ec5880f70d1de34908ae45ff35706115e79f510

              • C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\System\Debug.txt

                Filesize

                320B

                MD5

                7a63b53a5ae6d72741dfcedb88f9d26b

                SHA1

                c05423356152e671818f4ae99533453d3982d54b

                SHA256

                2ff7745396d0088e7aabab766edc660190a7232ec825fc4ba92e7be315eaddc3

                SHA512

                b043221dc42d01d953d465f9515313659ac2c63916f5f9a462320e19bedcac7276c8a7777a68de28a7ad653bfa60633576854253d1dc3aaa3a835eb70bde7eea

              • C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\System\ProductKey.txt

                Filesize

                29B

                MD5

                cad6c6bee6c11c88f5e2f69f0be6deb7

                SHA1

                289d74c3bebe6cca4e1d2e084482ad6d21316c84

                SHA256

                dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

                SHA512

                e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

              • C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\msgid.dat

                Filesize

                19B

                MD5

                a2dae724d24a1e29870171dce039bf15

                SHA1

                416fdb59913b9c31d9ece9aed1595c87d9c0892a

                SHA256

                ac772cd81f0405910e60618df6b0013162bee48cd0582cc2901d6a283b74fefd

                SHA512

                fdebbe09f010dfbfd875d0c8b2c45572ce253589fa307d08f9dcf8dd642f6a49cd4c5a1687bd0fa27f61ae30c3085aafad83b7ef967e4f9d620c8226159c3f7f

              • C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

                Filesize

                690KB

                MD5

                b2b2aee98a316af7df9af63534632f59

                SHA1

                6773875ab6fbd5538a72beae7968904cdb9852a6

                SHA256

                693c7ba6dc0b416bd9076a4acaffcd2feb9012021ca739e4706070649ed96c0d

                SHA512

                09a8a2063ea7410b067719aead7f762532719bbf19dc87dc8372cc8edf9da1c5609ad2e6ed1e8dcd32bc1b64d4296d691bce688788a560b730191f3be53ec2a7

              • C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

                Filesize

                679KB

                MD5

                bfb8866406a887f611b58af3cda8f246

                SHA1

                c7ca14280875961a729b0c4d98fcc54781d05c42

                SHA256

                10314807ff47014bfeb31e2c2ec55193cd534290672223ab31ea5a5e82cc5385

                SHA512

                70fa652963a93f69a4cf48ff4b9f3d53594ca797220245c73f0095de31620c8ef7b2b6a16ea0df788e0c54e830994ff64202cc9a7388a8c7e7f1da023a58760d

              • C:\Users\Admin\AppData\Local\Temp\Cab1170.tmp

                Filesize

                65KB

                MD5

                ac05d27423a85adc1622c714f2cb6184

                SHA1

                b0fe2b1abddb97837ea0195be70ab2ff14d43198

                SHA256

                c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                SHA512

                6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

              • C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

                Filesize

                34KB

                MD5

                fcc259c12d3015ec2f490578f20ae36f

                SHA1

                6a5964bc2f5e523589c5b648e6493a8d4a769632

                SHA256

                c0eba00c6c2351a93922918feae6bacfde45d711c4f03e64d97bd917433f45f2

                SHA512

                50d645ff714033adf17cd3c5aa279d53cd086f31270efb9bfff8da80f2167123d80440d7496be16c33d50e3336e3624dbb7c89efb4cec00ae07c35186534de60

              • C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

                Filesize

                68KB

                MD5

                68f87ada1c861946dfb374f15907fe4e

                SHA1

                5ad786ccd2e29d92a7216433e97565b6dfadcf4a

                SHA256

                b98925b2c7ed1364e3d63c18e6af82fed20444eb00ed6875b7134f8b6720a49d

                SHA512

                77d1aabff3b923cbf1476f4f4775e301b3d61514ac3e0c987517a92587f2e31cc0d9fbce2806aa8e3404238d4eab021f439a8bdb7ceba51a4450ddb8d600b1f1

              • C:\Users\Admin\AppData\Local\Temp\Tar11D1.tmp

                Filesize

                171KB

                MD5

                9c0c641c06238516f27941aa1166d427

                SHA1

                64cd549fb8cf014fcd9312aa7a5b023847b6c977

                SHA256

                4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                SHA512

                936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

              • C:\Users\Admin\AppData\Local\Temp\build.exe

                Filesize

                1.0MB

                MD5

                778e1e34ee77a25c58aedc48d24486ae

                SHA1

                cd6bbd316d083a4f59598e85556259fd2adebbb9

                SHA256

                cbcbdfda8eb75d10a118940ae6a0b46002329f814056f91feefcb624863657d1

                SHA512

                c93ee11f0874833c58f67f9bdc05f5b2afe8175bc206997a02e1ca75a3e6c7a9ad53291a102197c77341f56387e41603cdf0a5a09381d0d0c4263153858e0108

              • C:\Users\Admin\AppData\Local\Temp\build.exe

                Filesize

                631KB

                MD5

                46ea7d3de90f2da13dd8d76aa4c6ed6c

                SHA1

                2c1a47205a21507fb86c3d8be44a68ab2f91a15a

                SHA256

                59c4ba9f7ce429d30b6cb292fb8e34fb7cd45a3650d8a6c8696709ebceb7f2da

                SHA512

                e0b7977153019ccc50e7fdd9274124a5cafd291f914fc4a27e6b454c3f6e4a4c6f5ecc1070fde3da067f2fc43648627b9c84cd0da231ce4362ccadd1001c6825

              • \Users\Admin\AppData\Local\Temp\@dr@[email protected]

                Filesize

                1006KB

                MD5

                2a79f09a92f9358c9a0308e1d81d212f

                SHA1

                403f52d25db2814e67481e25636077145ab2a2e7

                SHA256

                8bba33bfb730fa047e7391306f3b1c25f1ad4ee72b9026459cf170546fdbeba6

                SHA512

                6f9be195427795588aa149080a9b6f9bb52a03c488b753158945f5bffb386d81d8c9275269218dfe3a295d74af4dbd78a8ed74feda0b11c49f2606dc6852fcc5

              • \Users\Admin\AppData\Local\Temp\build.exe

                Filesize

                932KB

                MD5

                de7430fc6f9e99788387676e6d85e550

                SHA1

                38d1d76936371445f76e24c3e197083af898f18c

                SHA256

                f16f03472223270fcde63c9358eec7ed75b0974f43d629f855f0dc28bfbdd3be

                SHA512

                4a2fa0e3181f0fb9b8fb0f09e751c6b7e38f049817624330e68d57b5d6b25422c38688a1f47cadfa9f02bfcee06bcee5fce52478158b597e669f1cf82819b167

              • memory/1236-991-0x00000000008E0000-0x00000000008FE000-memory.dmp

                Filesize

                120KB

              • memory/1236-992-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

                Filesize

                9.9MB

              • memory/1236-1165-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

                Filesize

                9.9MB

              • memory/1740-67-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-65-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-27-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-29-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-31-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-33-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-35-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-37-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-39-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-41-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-43-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-45-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-47-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-49-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-51-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-53-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-55-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-57-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-59-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-61-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-63-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-11-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-23-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-69-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-938-0x00000000003A0000-0x00000000003A1000-memory.dmp

                Filesize

                4KB

              • memory/1740-939-0x0000000008580000-0x0000000008A82000-memory.dmp

                Filesize

                5.0MB

              • memory/1740-940-0x00000000007E0000-0x000000000082C000-memory.dmp

                Filesize

                304KB

              • memory/1740-953-0x00000000743D0000-0x0000000074ABE000-memory.dmp

                Filesize

                6.9MB

              • memory/1740-0-0x0000000001170000-0x000000000118A000-memory.dmp

                Filesize

                104KB

              • memory/1740-1-0x00000000743D0000-0x0000000074ABE000-memory.dmp

                Filesize

                6.9MB

              • memory/1740-2-0x0000000004A00000-0x0000000004A40000-memory.dmp

                Filesize

                256KB

              • memory/1740-3-0x0000000000250000-0x0000000000256000-memory.dmp

                Filesize

                24KB

              • memory/1740-4-0x0000000000270000-0x0000000000276000-memory.dmp

                Filesize

                24KB

              • memory/1740-5-0x0000000008010000-0x000000000857A000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-21-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-7-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-6-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-25-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-19-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-17-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-15-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-13-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/1740-9-0x0000000008010000-0x0000000008574000-memory.dmp

                Filesize

                5.4MB

              • memory/2560-1035-0x0000000000850000-0x0000000000858000-memory.dmp

                Filesize

                32KB

              • memory/2560-1339-0x0000000004C90000-0x0000000004CD0000-memory.dmp

                Filesize

                256KB

              • memory/2560-999-0x00000000005A0000-0x00000000005A8000-memory.dmp

                Filesize

                32KB

              • memory/2560-997-0x0000000004BF0000-0x0000000004C82000-memory.dmp

                Filesize

                584KB

              • memory/2560-993-0x0000000004C90000-0x0000000004CD0000-memory.dmp

                Filesize

                256KB

              • memory/2560-1034-0x0000000000840000-0x000000000084A000-memory.dmp

                Filesize

                40KB

              • memory/2560-998-0x0000000000690000-0x00000000006B6000-memory.dmp

                Filesize

                152KB

              • memory/2560-1036-0x0000000000DB0000-0x0000000000DCE000-memory.dmp

                Filesize

                120KB

              • memory/2560-1037-0x0000000073CE0000-0x00000000743CE000-memory.dmp

                Filesize

                6.9MB

              • memory/2560-1232-0x0000000005F50000-0x0000000006002000-memory.dmp

                Filesize

                712KB

              • memory/2560-979-0x0000000001090000-0x0000000001222000-memory.dmp

                Filesize

                1.6MB

              • memory/2560-1308-0x0000000004C90000-0x0000000004CD0000-memory.dmp

                Filesize

                256KB

              • memory/2560-1118-0x0000000004C90000-0x0000000004CD0000-memory.dmp

                Filesize

                256KB

              • memory/2560-980-0x0000000073CE0000-0x00000000743CE000-memory.dmp

                Filesize

                6.9MB

              • memory/2560-1164-0x00000000059F0000-0x0000000005A6A000-memory.dmp

                Filesize

                488KB

              • memory/2640-981-0x0000000073CE0000-0x00000000743CE000-memory.dmp

                Filesize

                6.9MB

              • memory/2640-959-0x00000000027E0000-0x0000000002820000-memory.dmp

                Filesize

                256KB

              • memory/2640-958-0x0000000000400000-0x0000000000C0A000-memory.dmp

                Filesize

                8.0MB

              • memory/2640-957-0x0000000073CE0000-0x00000000743CE000-memory.dmp

                Filesize

                6.9MB

              • memory/2864-984-0x000000001BF80000-0x000000001C000000-memory.dmp

                Filesize

                512KB

              • memory/2864-1121-0x000000001BF80000-0x000000001C000000-memory.dmp

                Filesize

                512KB

              • memory/2864-1117-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

                Filesize

                9.9MB

              • memory/2864-982-0x0000000000DA0000-0x0000000000F18000-memory.dmp

                Filesize

                1.5MB

              • memory/2864-983-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

                Filesize

                9.9MB