Analysis

  • max time kernel
    128s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12/02/2024, 08:08

General

  • Target

    96af9bc7db122e2486c0c1f1b90faacc.exe

  • Size

    95KB

  • MD5

    96af9bc7db122e2486c0c1f1b90faacc

  • SHA1

    d8c2d6c8218841394847298e1a743f96f012320c

  • SHA256

    1b9339d0a70cdef37f4827a81100f9e8158a5633dc8b7a2c3b616f070ce49b5d

  • SHA512

    aee39931c97c57dd4a047f03ea5b61c77fbd06577c5e54dd6bd0035f0cec61ac3754c52f87702797a8332fa234a3ad58a9f8db2d8d57d82348a5557f0448cf78

  • SSDEEP

    1536:4F7fHuVP3JODQj6/107WtLuKvGdUNUPOkckQpGR9uwNWnIR/0CHBl2FQf+ry7dE8:27f+P5ODiq67WtzGUNOOX89uwN+Iq8/7

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 32 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
    "C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
      "C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
        "C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1976
        • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
          C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 124
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:904
      • C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
        "C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {28965341-BA25-4A85-9653-A38C99C1CD7A} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:S4U:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3016

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\BBLb.exe

          Filesize

          771KB

          MD5

          d6d5eae5855383e77c67f6f9b7df8dd7

          SHA1

          0947f88221d255f76517f360d2459c29d700ecb6

          SHA256

          4be4fcd651fb28a4c1b7fd4161221ce2a7e74f5e8ad437d2692e578f90c2be35

          SHA512

          c80eb22ec344cee40d916fd3f05e03c26c912ba362b52c2f28875a83cf07fbef30b64d91a9d594e18ecb6a858e46f2d17b1792f86b5d2cc0f905705f81edfb5f

        • C:\Users\Admin\AppData\Local\Temp\BBLb.exe

          Filesize

          698KB

          MD5

          de9bca236cb10c833c24c6591c54d07c

          SHA1

          8201dbcbd020df3c26991fc55e9c3013df0b44e8

          SHA256

          26f41925dadd66eb00bb3ffede516f82c5b863508e0cac8e2cc2c2b3bd7fbd56

          SHA512

          eca9663434e44c49b3ee292c53f2ff781b41e6b9a2d044fa2dae8955d9374376bc7542c98c6f6ddbc2f4232300c66855a7d2e31c7b0c69c31255823e507c09ab

        • C:\Users\Admin\AppData\Local\Temp\BBLb.exe

          Filesize

          152KB

          MD5

          b16246fcde6fde7f4ba6ceb8e6a3f146

          SHA1

          fe006657d27ddc87cf9b19985693b9949f0f6503

          SHA256

          891b9a420c7a69716c80150fde1dbb4a737cb32843074ba024ca72b18e538c7d

          SHA512

          1871c78d027d93b3cefd572fae1acc0a41ce818f5038b4270cc6deed4ffceebf2c246f12c643f0f87287e100e60d3dea0d12c32c3fd98fe12fdc4a2e79cd23bd

        • C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

          Filesize

          275KB

          MD5

          84b7642e84d945060d870593b255ffe7

          SHA1

          598e57f7628c4bdd4d55af95c9e17e82e1161edf

          SHA256

          2d3b8471b5d04701fe00d925c0c0b52d1d2b0d77a7b8886a133aab849b9f30b2

          SHA512

          58c8dccdf4e75ba5aa1cacde224ebd688a86b33761e03eb0886f15c97d49e92516717e691ef7754709e170d474eb6c7903ca99522b0ba83ee31e9b8116bc991e

        • C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

          Filesize

          280KB

          MD5

          50ef7597e47f97e2e6dc1463536fb047

          SHA1

          1b4e4e086e71d98b80080f34d2cc97e7f029c74c

          SHA256

          c8225e680b373b27fd79aad0dfc907f08b1eea6fa4f6b12f1ed8164d534e84dc

          SHA512

          d7acf69c40753d466ceccd4afdb141d69a1b5a6f5c21596990220c756f4f23402c80a4f824706c025a249575b0ccbdea69a127c05e38e9510521c4f090ea3983

        • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          434KB

          MD5

          9d8f024c162815eca1f4cfad352ab507

          SHA1

          14c45c70f00bd02e0680d6183142608c14941124

          SHA256

          bc70994ab3a1b3308eeb8af57f6f62f6c8556d79ea0517336558f2da188ea14c

          SHA512

          0383394d8b832d0a28126c6689f93e08f2b2897e63dec9688fb857a2aedbc10b42c46506aac78925a257706a4bd10126c075912779e86cc4a165f871f4b251ea

        • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          443KB

          MD5

          bd6c337c701f84ad10090c91c5898e90

          SHA1

          0b34cffbb4e4989bd212bfb6893618c7615663da

          SHA256

          1928e319e10faefcda78ac6fbf7e718c3c763deb0a8c4698e30a16408a0e3a35

          SHA512

          334fd09c8a00d88b1a4ea8297425a22ed9dc11647b6f2dad391a53736fa866a17280f7085b92b0d612fbaad24508eb2e0da2591c4dd9791e3c01f105f6c67e3a

        • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          927KB

          MD5

          a5233ad11d01b0684a4a742aea931a6b

          SHA1

          a738c48b5cdd62ab0f80780e52d93718bfadf52c

          SHA256

          7ac299c93a19a90c352a9112bc5f30e71d9a77929caf0eff903a1ded3d2cd027

          SHA512

          6dbe1583b355cbc17dbb942cec5fa65b1e353961aa6f5e2c19fcc0aa746d1730da9ea9b4c9253e25a5e2ed37a9ead31e7096ce32a35cd83f27b142533f8fd025

        • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          868KB

          MD5

          2fed29c76f2a11ec7ae738d030db1d79

          SHA1

          52fde76e90d950f4739f968dd406b2fb257cc97f

          SHA256

          6187097a8ad07528c885ee4df96a80848d4b59f2d0024b2527ebe7f9541e318f

          SHA512

          34d6ffc0f6db7906b2cad082f8afdefaf350c6686543b4bc21d4f57ec2b4e54b86746d4fdf70d52f7f6230cc4055e4e2b11c4fb208f27a4edba62b8319b4f231

        • C:\Users\Admin\AppData\Local\TypeId\xutqjisn\AttributeString.exe

          Filesize

          1.2MB

          MD5

          71eb1bc6e6da380c1cb552d78b391b2a

          SHA1

          df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d

          SHA256

          cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6

          SHA512

          d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90

        • \Users\Admin\AppData\Local\Temp\BBLb.exe

          Filesize

          641KB

          MD5

          443da3a41ece40b2043787032eeccfcf

          SHA1

          8a414bd758e3e50de70ee9fad39ab124a43e279b

          SHA256

          6c2be637d7af76d6d0380c2661aab3796e972d52d5b44726d2db7f57181deda0

          SHA512

          fdf8a2e8ca6ca43c01bc36d96bb565a3a4d0bbeb875f962d091e5ffeb23bed04e26442b1873967e19eb023d7140e3ffd19d1716ab2bf1a0f4f5ddbb0c056c06e

        • \Users\Admin\AppData\Local\Temp\BBLb.exe

          Filesize

          353KB

          MD5

          4071afad62bc8c7141c15894b435ba1e

          SHA1

          19ee80188d6a57a1ebb8107c4d54e3e3896b5f95

          SHA256

          92b1cd92991780c9716e8aa50a2189853ab3a7518125d93a04268a5820adaba1

          SHA512

          beed7807f244a355a46e590f6e964f643192b3b4950cef84fa9c53d51b01d243505ea7e17db5d993fff99899c3dcefafc02ce8dc1ba1a8bd4590524b21d5f7a5

        • \Users\Admin\AppData\Local\Temp\DropaDkxa.exe

          Filesize

          261KB

          MD5

          55a46b19cb826582900c42e24e39d737

          SHA1

          209794e5247c876d56aab1157d7061bee43b4e62

          SHA256

          ac0867d88f3b648a4121814e12cc711600e7da77bbff3df266f067e968fb81f1

          SHA512

          bf5401e62fa143a0f0bad1c63bda3061aade4cd57f8d2d4c2ddd36fce7d441cab3c8245c07501ffc687a5435013f58572b3fd83ede01a3b00961edeab82c0e15

        • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          1.3MB

          MD5

          d398906e371437d8cb36e820f9ee9fdc

          SHA1

          1ee21e725345d9e70d38ea0b2c96a7558c36d161

          SHA256

          4ed07c2a39e19e53b2e85db609bd23e24bcb21a033ccf03d06315e00e4ad433b

          SHA512

          986a90cea2ea868daf97dccd0a36841aa501a4cd02d46e556795b1faabb0aa825bf059bee1ddf5aeadfe9c1a605567604ff5f20e7fadd01a4c2ce8ca376e0e5d

        • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          323KB

          MD5

          51919b0ef17774e9c777ee725da6c4d3

          SHA1

          f9b8449253b99a4990772c0d4eb73f7a661918f5

          SHA256

          89e5c64c44b2d2bb3a78e8a012ca218051a786178c5872cc94b0b2b49ca140f0

          SHA512

          f9b9614a6809163ff5f399ca8f8cc3be034778f45a1cdbf87ef6b72f9f9dde5861d809a544d27e5cefe94777e9e96890eee4c703e1e3de32e6c6a0c365a058be

        • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          629KB

          MD5

          92bfda8e08553d58db843e802d9fc7d1

          SHA1

          42249be3674af7880596fa8b3df3d5f7f49bf899

          SHA256

          1532f0669c6ad020abf12e0931c96a22a81a97fe16458f74662a26ca6afebc54

          SHA512

          ae46050f0d653a8181908ea736db3276049c9d4e665d197cff10fb58867568bdf8638e06d93075b1bb76548dbf631f7262243e2d564036f2dcec4cfa0bb1c16d

        • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          444KB

          MD5

          84df7195deebf80a244bcef74605b0da

          SHA1

          90873f5500dc9cf95f9c6f053dc7ca6295ee4b08

          SHA256

          48880f0748870a2dc80fe97359d0151f85f19c15bc6a4560bd4bc9ea282099cb

          SHA512

          3913e970d25601be815fde2505d28dd6a28d3ad21d18852460a2a3bfd57e1c7f143a2b7a352db72f035df1db8ea666ed5cfbb78f899dcba125f79b9b4381c17e

        • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          354KB

          MD5

          264aec5e8f163adefa07e0b41ec0c2d5

          SHA1

          ac4ae6815056b5acd081722899e64920256b2ad0

          SHA256

          681280e76f70d866d12a9ff187527f18ec1b2d4d85e12ff83c432726b9c4742c

          SHA512

          5f4688c9305c6a4cbd4cb8693a8b489f4f6ea0364cee83e3f2070929f6b437cc0ba752c6eb60643d8692253439e11d02acd14760505496d4d973b87c7d66fcdc

        • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          654KB

          MD5

          9aa45e5cc7338a6ee96a9499f29bc203

          SHA1

          17e924683892829ad9892dd41c49361910ce76b6

          SHA256

          4a958b0ea4334ade568948d58c6af091c4b669fc0012680abc823dd7050f4ea9

          SHA512

          bce3105732d37cdda999a96442e6a398011de3317a931b55a5f55e4f9eb5b306ab217e26378934a10d8ddbab61880bb1d3d948cc29c20c154274b3507485e1a9

        • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          286KB

          MD5

          b60184f40ddf5ec7fc61c65b62fc9141

          SHA1

          682bf3d0b76218ff2cdc19e098047cb1c42fd621

          SHA256

          0b7f3500478e07064030f7e1a6f07f0693a9de02bf087dc16e88406ae68e874a

          SHA512

          536a6570b0388750d77276603d666e271bf89e92d8cc469f6d82b0c4e6c182cca1efbb1ea32fccbc9009c5810858c333663ca6d11d04fe4d3ebd820def8a6f4e

        • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          685KB

          MD5

          9f74bec46233e8ffc6b03ca635f3a2a8

          SHA1

          fd8d4598b2e31cb989301d2f67a7689c45b8dd9b

          SHA256

          290f4f88a43b4e9e23df7dab7eaca150273a0527a85d1a61281c74eb8aa67ca8

          SHA512

          5e5b2ac7422600f3da361cf8a94d134603c82a689b066879a3cce6c5c94bc56b8bc28cac00009be08d929a7ec5aa6cb0f590fe6a4745da13995cc0c860238aae

        • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

          Filesize

          49KB

          MD5

          325e180dece8f34a28e7429d3caa0c56

          SHA1

          2925a8d2e51c6423ae9b564bbeccce48708a5452

          SHA256

          509f32082c57fb92bc153d63fe6003c9e7219368c71fba6c66ecea1bc7d7570c

          SHA512

          391d00c9149d1f1c6d9f625833e52b21222834d3b982197f28d9019911042dbb52ddf17b440c9c73bd7868e57c894f339f7d5dacf3ee9458d2ef49079a9de5e2

        • memory/816-1933-0x0000000004D70000-0x0000000004E9A000-memory.dmp

          Filesize

          1.2MB

        • memory/816-2891-0x0000000004840000-0x0000000004900000-memory.dmp

          Filesize

          768KB

        • memory/816-2906-0x0000000073A80000-0x000000007416E000-memory.dmp

          Filesize

          6.9MB

        • memory/816-1930-0x0000000073A80000-0x000000007416E000-memory.dmp

          Filesize

          6.9MB

        • memory/816-1929-0x0000000001030000-0x0000000001170000-memory.dmp

          Filesize

          1.2MB

        • memory/816-2890-0x0000000000430000-0x0000000000431000-memory.dmp

          Filesize

          4KB

        • memory/816-1931-0x0000000004920000-0x0000000004960000-memory.dmp

          Filesize

          256KB

        • memory/816-1932-0x0000000004C40000-0x0000000004D68000-memory.dmp

          Filesize

          1.2MB

        • memory/1976-2913-0x00000000048E0000-0x0000000004920000-memory.dmp

          Filesize

          256KB

        • memory/1976-2912-0x0000000004920000-0x0000000004A08000-memory.dmp

          Filesize

          928KB

        • memory/1976-5115-0x00000000005D0000-0x0000000000626000-memory.dmp

          Filesize

          344KB

        • memory/1976-5122-0x0000000073A00000-0x00000000740EE000-memory.dmp

          Filesize

          6.9MB

        • memory/1976-5120-0x0000000000D70000-0x0000000000DC4000-memory.dmp

          Filesize

          336KB

        • memory/1976-2911-0x0000000073A00000-0x00000000740EE000-memory.dmp

          Filesize

          6.9MB

        • memory/1976-2910-0x0000000000400000-0x000000000049C000-memory.dmp

          Filesize

          624KB

        • memory/2220-69-0x0000000000400000-0x0000000000405000-memory.dmp

          Filesize

          20KB

        • memory/2220-5119-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2220-66-0x0000000000400000-0x0000000000405000-memory.dmp

          Filesize

          20KB

        • memory/2220-13-0x0000000000230000-0x0000000000231000-memory.dmp

          Filesize

          4KB

        • memory/2220-64-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2220-8-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2220-4-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2220-62-0x0000000000400000-0x0000000000405000-memory.dmp

          Filesize

          20KB

        • memory/2288-465-0x0000000073A80000-0x000000007416E000-memory.dmp

          Filesize

          6.9MB

        • memory/2288-1919-0x0000000004BD0000-0x0000000004C10000-memory.dmp

          Filesize

          256KB

        • memory/2288-463-0x0000000000DD0000-0x0000000000FF8000-memory.dmp

          Filesize

          2.2MB

        • memory/2288-1922-0x0000000073A80000-0x000000007416E000-memory.dmp

          Filesize

          6.9MB

        • memory/2288-1920-0x0000000000370000-0x0000000000371000-memory.dmp

          Filesize

          4KB

        • memory/2476-3-0x0000000000230000-0x0000000000231000-memory.dmp

          Filesize

          4KB

        • memory/2476-5-0x0000000000240000-0x0000000000248000-memory.dmp

          Filesize

          32KB

        • memory/2476-0-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2476-9-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2476-7-0x0000000000270000-0x0000000000297000-memory.dmp

          Filesize

          156KB

        • memory/2808-44-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-38-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-1870-0x0000000005660000-0x0000000005800000-memory.dmp

          Filesize

          1.6MB

        • memory/2808-1567-0x00000000003D0000-0x00000000003D1000-memory.dmp

          Filesize

          4KB

        • memory/2808-1555-0x0000000002100000-0x0000000002140000-memory.dmp

          Filesize

          256KB

        • memory/2808-88-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-82-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-78-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-74-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-70-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-65-0x0000000073A80000-0x000000007416E000-memory.dmp

          Filesize

          6.9MB

        • memory/2808-54-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-58-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-60-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-1958-0x0000000073A80000-0x000000007416E000-memory.dmp

          Filesize

          6.9MB

        • memory/2808-56-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-52-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-76-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-46-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-50-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-48-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-42-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-40-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-1872-0x0000000004E50000-0x0000000004E9C000-memory.dmp

          Filesize

          304KB

        • memory/2808-36-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-30-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-34-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-32-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-28-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-27-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-26-0x00000000048A0000-0x0000000004AA8000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-24-0x00000000008D0000-0x0000000000AF8000-memory.dmp

          Filesize

          2.2MB

        • memory/2808-25-0x0000000073A80000-0x000000007416E000-memory.dmp

          Filesize

          6.9MB

        • memory/2808-86-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-84-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-80-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/2808-72-0x00000000048A0000-0x0000000004AA3000-memory.dmp

          Filesize

          2.0MB

        • memory/3016-5127-0x0000000019DE0000-0x000000001A0C2000-memory.dmp

          Filesize

          2.9MB

        • memory/3016-5128-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

          Filesize

          9.6MB

        • memory/3016-5129-0x0000000001020000-0x00000000010A0000-memory.dmp

          Filesize

          512KB

        • memory/3016-5131-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

          Filesize

          9.6MB

        • memory/3016-5132-0x0000000001020000-0x00000000010A0000-memory.dmp

          Filesize

          512KB

        • memory/3016-5130-0x0000000001000000-0x0000000001008000-memory.dmp

          Filesize

          32KB

        • memory/3016-5133-0x0000000001020000-0x00000000010A0000-memory.dmp

          Filesize

          512KB

        • memory/3016-5134-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

          Filesize

          9.6MB