Analysis

  • max time kernel
    38s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 21:48

Errors

Reason
Machine shutdown

General

  • Target

    RNSM00333.7z

  • Size

    2.6MB

  • MD5

    73c7199cad40284673528fb73187650b

  • SHA1

    69bd456a3d719830586ad233b2a5ca7f78174f24

  • SHA256

    718ccf80dfae80725fb06a9e2e55fcd728d12659ca905ce5e9f34ed9e1d7915d

  • SHA512

    461a5d32c3a426355c07085bd317a6e4430889cc0c303584c197c59c132e99ab354abfa44bbbbb5f95c8c8cb3b7a695dd96c8835ddb3a7f519e09b7870ac95d8

  • SSDEEP

    49152:bTQPXliVgR2BFwlFNbz8f6BRekpFIDIPOC+kRw4UwhmhW86jN7QBhE8ufhhfTgc6:bTQNjRSFwlLYCSIP+r3jhGjlQkvTPVbo

Malware Config

Extracted

Family

azorult

C2

http://200.63.45.106/index.php

Extracted

Family

gozi

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Modifies security service 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 22 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • NSIS installer 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00333.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2644
  • C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe
    "C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Maps and Driving Direction\Maps and Driving Direction.exe
      "C:\Users\Admin\AppData\Local\Maps and Driving Direction\Maps and Driving Direction.exe" /firstrun
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hmapsanddrivingdirection.com/s?uid=4b2eb7c9-9d09-446a-a3bc-9b3d2229d7c1&uc=20180822&source=g-ccc7-lp0-bb8-sbe-ab&i_id=maps_&ap=appfocus1
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:296
  • C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe
    "C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\ProgramData\Arkei-5a410d66-f84f-4a6b-9b29-3982febe58d9\9274516112.exe
      "C:\ProgramData\Arkei-5a410d66-f84f-4a6b-9b29-3982febe58d9\9274516112.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 736
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2248
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe /f & erase C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
  • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
    "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
      "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:828
  • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe
    "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:788
  • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
    "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Modifies security service
    • UAC bypass
    • Windows security bypass
    • Drops startup file
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:324
  • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe
    "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
        PID:2200
  • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe
    "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:2844
  • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
    "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 9364
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:2624
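The cmd.exe self-deletion chains and the WerFault entries in the tree above are the kind of process-creation pattern a detection engineer turns into rules. The following Python is an added example, not part of this sandbox report: it runs three such rules over process-creation records transcribed from the tree (PIDs, images and command lines as reported; the parent of each top-level sample is not shown in the report and is left as None, and 7zFM.exe, also reported as PID 2644, is omitted so PID lookups stay unique). The record layout, the rule names, the user-writable-path heuristic and the benign control event are the example's own assumptions.

```python
"""Detection rules for the self-deletion and crash patterns in the process tree.

Added example (not part of the sandbox report). ProcEvent stands in for a
Sysmon Event ID 1 / Windows 4688 record; the rule names and the user-writable
path heuristic are this example's own assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the report shows no parent
    image: str            # full path of the new process
    cmdline: str          # command line as reported


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Events transcribed from the process tree on this page.
_DESK = r"C:\Users\Admin\Desktop\00333"
GANDCRYPT = _DESK + r"\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe"
CRYPMOD = _DESK + r"\Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe"
BLOCKER = _DESK + r"\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe"
ARKEI = r"C:\ProgramData\Arkei-5a410d66-f84f-4a6b-9b29-3982febe58d9\9274516112.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

SAMPLE_EVENTS = [
    ProcEvent(1144, None, GANDCRYPT, f'"{GANDCRYPT}"'),
    ProcEvent(2032, 1144, ARKEI, f'"{ARKEI}"'),
    ProcEvent(2248, 2032, WERFAULT, f"{WERFAULT} -u -p 2032 -s 736"),
    ProcEvent(1152, 1144, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im {ntpath.basename(GANDCRYPT)} /f & erase {GANDCRYPT} & exit'),
    ProcEvent(1872, 1152, r"C:\Windows\SysWOW64\taskkill.exe", f"taskkill /im {ntpath.basename(GANDCRYPT)} /f"),
    ProcEvent(1764, None, CRYPMOD, f'"{CRYPMOD}"'),
    ProcEvent(2644, 1764, r"C:\Windows\System32\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "{CRYPMOD}"'),
    ProcEvent(2200, 2644, r"C:\Windows\system32\choice.exe", "choice /C Y /N /D Y /T 3"),
    ProcEvent(2600, None, BLOCKER, f'"{BLOCKER}"'),
    ProcEvent(2624, 2600, WERFAULT, f"{WERFAULT} -u -p 2600 -s 9364"),
    # Constructed benign control (not from the report): a shell deleting a file that is not its parent.
    ProcEvent(2999, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3000, 2999, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\old.log'),
]

# "taskkill /im <name> /f ... erase|del <path>" inside one cmd.exe command line
TASKKILL_ERASE = re.compile(
    r"taskkill\s+/im\s+(?P<name>[^\s&]+)\s+/f\b.*?\b(?:erase|del)\s+\"?(?P<path>[^\"&]+?)\"?\s*(?:&|$)", re.I)
# "choice ... /T <secs> & del|erase <path>": a delay so the parent can exit before its file is removed
CHOICE_DELAY = re.compile(
    r"\bchoice\b[^&]*?/T\s+(?P<secs>\d+)[^&]*&\s*(?:del|erase)\s+\"?(?P<path>[^\"&]+?)\"?\s*(?:&|$)", re.I)
# WerFault's -p argument names the PID that crashed
WERFAULT_PID = re.compile(r"WerFault\.exe\b.*?\s-p\s+(?P<pid>\d+)", re.I)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _user_writable(path: str) -> bool:
    """Heuristic (assumption): binaries under the profile or ProgramData are attacker-writable."""
    p = _norm(path)
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\")


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        base = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        if base == "cmd.exe" and parent is not None:
            m = TASKKILL_ERASE.search(e.cmdline)
            if m and _norm(m["name"]) == ntpath.basename(parent.image).lower() \
                    and _norm(m["path"]) == _norm(parent.image):
                findings.append(Finding("self_delete_taskkill_erase", e.pid,
                                        f"PID {parent.pid} kills and erases its own image via cmd.exe"))
            m = CHOICE_DELAY.search(e.cmdline)
            if m and _norm(m["path"]) == _norm(parent.image):
                findings.append(Finding("self_delete_delayed_choice", e.pid,
                                        f"PID {parent.pid} deletes its own image after a {m['secs']}s choice delay"))
        elif base == "werfault.exe":
            m = WERFAULT_PID.search(e.cmdline)
            crashed = by_pid.get(int(m["pid"])) if m else None
            if crashed is not None and _user_writable(crashed.image):
                findings.append(Finding("crash_of_user_writable_binary", e.pid,
                                        f"WerFault for PID {crashed.pid} ({ntpath.basename(crashed.image)})"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

The two self-deletion rules deliberately require the deleted path to equal the parent's own image, which is what separates a sample cleaning up after itself from an administrator's cmd.exe deleting a file; on real telemetry the same comparison should be done against the parent's image path from the event, not reconstructed from the command line.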

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Impromptu.dat

      Filesize

      134KB

      MD5

      53724c544e22ccf39b5eb38943e42ee3

      SHA1

      fc2097652464c629805f7e645b047426e7f8edae

      SHA256

      c4a0bf827057ec6f4578dc4587c6ec546f7c9c9b48a507f8187c6ca6e1ed776f

      SHA512

      b49a65bbbcf7d66fa686e75f34addc4fc4c193048647ee95311f2586b16188aa588736fffd5ab337f1f34a94d07d2b0705b1f65c18813948a8ee89bf16f86021

    • C:\Users\Admin\AppData\Local\Temp\nse2F1E.tmp\npHelper.dll

      Filesize

      295KB

      MD5

      131acdb9fb02af0f12e6a3854386caf2

      SHA1

      9488242580d4de08d86b7ec3a2cf38fcb4b9a057

      SHA256

      884894a631f0e2585e0414cf26c836b13763b319993126ac28b1d96d2b6f7abc

      SHA512

      a4fe99f6c4e53568c3331f39f4e2a3215e203f44c121a80231ae9df936d4b0d12150725e9077024a65a25790716a681a2a572d29faee09503351506071d8e59f

    • C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe

      Filesize

      1.2MB

      MD5

      578f6744a32d63298c455a8f6c120249

      SHA1

      ce569ff1b442501462d05e23855b0c8d957cab52

      SHA256

      a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e

      SHA512

      47f4c9b1325e4e0f07252ad5bf0b28df0e9217f1d98bab5a9090e9640cb9c563fd3e9c06c2e28e11c2f8f440a0a2e2f0a50a5f4c1c59f1259bd5c6ba6b9ddc6d

    • C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe

      Filesize

      651KB

      MD5

      6ac4d355cd99adc2264a9c9bd64b38fa

      SHA1

      4d630ea8cbeebae92a3b4ed1a02cff7b1a673328

      SHA256

      ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d

      SHA512

      3aeb5f38715fc6de6ab53ac45e9d3f555c9dea72aaa42394692a89fc4d4d057a8ca9afa722baffea29a3f857f6121d3802bad28208fb93f4604f82c818c8cbf6

    • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe

      Filesize

      196KB

      MD5

      0923de94897e0707a089e3c3bc315636

      SHA1

      202a39670bbdcbb8c20ad1c1300b4d111a46ded4

      SHA256

      0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc

      SHA512

      d396b9c7414886b53064d24a4574d83c596f88880e71c1ec9fbfccdcf8f9b3bd895542553bffe52ab68ccd491f88d990d47b3eaf590350e8841d3dc5de0d2824

    • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe

      Filesize

      275KB

      MD5

      8325e1443e414d2d88a080e58244abef

      SHA1

      703204d540c016a61bab2b358a6a4a348d500d1d

      SHA256

      e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60

      SHA512

      c5be6745998887b02e0461e33900d5d11a8cc6f6dcf50e350f84742dc1caa4a3dff0b1ae162e4c2cdfd70a5e7efe7ed509c819dc38b21f5b8106a028b025162a

    • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe

      Filesize

      652KB

      MD5

      581fdc46eb3b1e3cded338ff4ba6e15e

      SHA1

      e90b69e103d6bbd90e4af626ce952842212bb4b8

      SHA256

      030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48

      SHA512

      8099fab7f666e609085ee393e7a36cd62713d217bb94f568f2f8283349f6ea21ef8f90d2b12185a45f94084774068dbc3da0064693ef7b71ae5a33b1c2d35694

    • C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe

      Filesize

      683KB

      MD5

      d9da38d6564da90e0580010b664d2fcb

      SHA1

      76ebc3ff214f65ef962978ce1be4eff93d7f6939

      SHA256

      a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10

      SHA512

      4d00337becbabd6163f59401e81139e7a85f148a4ad62cda3df7004b75b21ad975b9cf27549c471179283984bf33e58e97d84cb6ec0fde8aa5727fd4baf0ea48

    • \Users\Admin\AppData\Local\Maps and Driving Direction\Maps and Driving Direction.exe

      Filesize

      2.0MB

      MD5

      bed5050567df247e174ae41b5f14b04b

      SHA1

      69d56071412a4350681792a007c51ea59e34bf0e

      SHA256

      8a8fcde6287c92b435e947ff15d577bb4553d9265c78e55907b71823cf8dc9fc

      SHA512

      fc2c2fa47a23a7bcab9ec1c37b15cd0cfd3117491d25a4ac65a5b8616393f283461824869ff68aceb60bcf3aad8db13c3289e72da0acd52ec0cb3d4fafd03e1c

    • \Users\Admin\AppData\Local\Temp\meaning.dll

      Filesize

      16KB

      MD5

      d267e2ea2c54993bf6db257fd0f0e0ce

      SHA1

      237bd57064b6c5bae638b356675a22555b819e6b

      SHA256

      354f572620c13c593cc4ad387a7834cdcd39b2baaa4b3a3a38d97cc358a994cd

      SHA512

      449b41ca7b04783e3949a6569d3c38df2f171035747421f1db29ebe9d22c7254856d99527b7894aff1836a3f11e702368d2ae9e2ded88c3743532436ecba2bbf

    • \Users\Admin\AppData\Local\Temp\nse2F1E.tmp\System.dll

      Filesize

      11KB

      MD5

      a4dd044bcd94e9b3370ccf095b31f896

      SHA1

      17c78201323ab2095bc53184aa8267c9187d5173

      SHA256

      2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

      SHA512

      87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

    • \Users\Admin\AppData\Local\Temp\nsj43A7.tmp\System.dll

      Filesize

      11KB

      MD5

      b0c77267f13b2f87c084fd86ef51ccfc

      SHA1

      f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

      SHA256

      a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

      SHA512

      f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

    • memory/324-180-0x0000000015190000-0x0000000015240000-memory.dmp

      Filesize

      704KB

    • memory/788-171-0x00000000074B0000-0x00000000074F4000-memory.dmp

      Filesize

      272KB

    • memory/788-178-0x00000000074B0000-0x00000000074F4000-memory.dmp

      Filesize

      272KB

    • memory/788-168-0x0000000000400000-0x00000000004A7000-memory.dmp

      Filesize

      668KB

    • memory/828-129-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/828-167-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/828-125-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/828-127-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/828-131-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/828-123-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/828-136-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/828-134-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/828-133-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1144-93-0x0000000000400000-0x00000000004D5000-memory.dmp

      Filesize

      852KB

    • memory/1764-149-0x00000000004A0000-0x00000000004A6000-memory.dmp

      Filesize

      24KB

    • memory/1764-148-0x0000000002120000-0x000000000217A000-memory.dmp

      Filesize

      360KB

    • memory/1764-147-0x0000000000490000-0x0000000000496000-memory.dmp

      Filesize

      24KB

    • memory/1764-146-0x0000000000290000-0x00000000002DA000-memory.dmp

      Filesize

      296KB

    • memory/2032-139-0x0000000000400000-0x00000000004D5000-memory.dmp

      Filesize

      852KB
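The Downloads listing above is plain text with a fixed label/value rhythm, which makes it straightforward to turn into structured IoCs. The following Python is an added example, not a tool from the sandbox: it parses a transcribed slice of the listing (entries copied from this page with the blank lines dropped, plus one constructed memory entry with a deliberately wrong size so the consistency check has something to flag), validates hash lengths, checks that the SHA256 embedded in a sample's filename matches the reported SHA256, and checks that each memory dump's address range matches its reported size. The `Artifact` structure and the function names are the example's own.

```python
"""Parser and consistency checks for the sandbox "Downloads" listing.

Added example (not a sandbox tool). The listing below is transcribed from
this page except for the final memory entry, which is constructed with a
wrong size to exercise the range check.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LISTING = r"""
• C:\Users\Admin\AppData\Local\Temp\Impromptu.dat
  Filesize
  134KB
  MD5
  53724c544e22ccf39b5eb38943e42ee3
  SHA256
  c4a0bf827057ec6f4578dc4587c6ec546f7c9c9b48a507f8187c6ca6e1ed776f
• C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
  Filesize
  196KB
  MD5
  0923de94897e0707a089e3c3bc315636
  SHA1
  202a39670bbdcbb8c20ad1c1300b4d111a46ded4
  SHA256
  0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc
  SHA512
  d396b9c7414886b53064d24a4574d83c596f88880e71c1ec9fbfccdcf8f9b3bd895542553bffe52ab68ccd491f88d990d47b3eaf590350e8841d3dc5de0d2824
• memory/324-180-0x0000000015190000-0x0000000015240000-memory.dmp
  Filesize
  704KB
• memory/828-133-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize
  4KB
• memory/9999-1-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize
  64KB
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize",) + tuple(HEX_LEN)
MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)(?P<unit>B|KB|MB|GB)$")
NAME_SHA256_RE = re.compile(r"([0-9a-fA-F]{64})\.[A-Za-z0-9]+$")  # sample names carry their SHA256


@dataclass
class Artifact:
    name: str
    size_bytes: Optional[int]
    hashes: Dict[str, str] = field(default_factory=dict)
    pid: Optional[int] = None            # set for memory dumps
    mem_range: Optional[range] = None    # set for memory dumps
    problems: List[str] = field(default_factory=list)


def size_to_bytes(text: str) -> Optional[int]:
    m = SIZE_RE.match(text.strip())
    if not m:
        return None
    return int(float(m["num"]) * {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}[m["unit"]])


def parse_listing(text: str) -> List[Artifact]:
    """Each '•' line starts an entry; a label line is followed by its value line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        if lines[i].startswith("•"):
            entries.append((lines[i][1:].strip(), {}))
        elif entries and lines[i] in LABELS and i + 1 < len(lines):
            entries[-1][1][lines[i]] = lines[i + 1]
            i += 1
        i += 1
    return [_to_artifact(name, fields) for name, fields in entries]


def _to_artifact(name: str, fields: Dict[str, str]) -> Artifact:
    art = Artifact(name=name, size_bytes=size_to_bytes(fields.get("Filesize", "")))
    for algo, want in HEX_LEN.items():
        if algo in fields:
            value = fields[algo].lower()
            if re.fullmatch(r"[0-9a-f]{%d}" % want, value):
                art.hashes[algo] = value
            else:
                art.problems.append(f"{algo} is not {want} hex characters")
    m = MEM_RE.match(name)
    if m:
        art.pid = int(m["pid"])
        art.mem_range = range(int(m["start"], 16), int(m["end"], 16))
        if art.size_bytes is not None and len(art.mem_range) != art.size_bytes:
            art.problems.append(f"region length {len(art.mem_range)} != Filesize {art.size_bytes}")
    else:
        m = NAME_SHA256_RE.search(name)
        if m and "SHA256" in art.hashes and m.group(1).lower() != art.hashes["SHA256"]:
            art.problems.append("SHA256 embedded in filename differs from reported SHA256")
    return art


def ioc_hashes(artifacts: List[Artifact]) -> Dict[str, set]:
    """Per-algorithm hash sets, ready for lookups against EDR or proxy telemetry."""
    out: Dict[str, set] = {algo: set() for algo in HEX_LEN}
    for art in artifacts:
        for algo, value in art.hashes.items():
            out[algo].add(value)
    return out
```

Filesizes for dropped files are rounded in the listing, so only the memory entries get an exact size check; the embedded-SHA256 check catches the common copy error of pasting a hash next to the wrong sample name.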