Analysis

  • max time kernel
    809s
  • max time network
    811s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    08-12-2024 06:28

General

  • Target

    Gorker Private.exe

  • Size

    895KB

  • MD5

    533cfcfdbce621d1a75048ed80c82113

  • SHA1

    b840f235522f8775e0f590d65580fc511c63762e

  • SHA256

    8f74d8dcb94fe2599559dee63511ed67eb75fa47cb8b75104002c4baca0e460e

  • SHA512

    c2742323604eaf97df952e6082b20e747fb19c227670eccab58a2a329a24239577af1bb1454fb29b23cb7f0108a9eee9592deb51b462aa7dfbaba4bb6ec61668

  • SSDEEP

    6144:qt5IG6wZ9AI57tN0rBe6TM05wiBRju4h4/aOnzJRQuMIwy5zn98psF16TrG8PsTu:fYAI+rBjpOUREzLw2f1WrG8HXXQG

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

9cpanel.hackcrack.io:3489

Mutex

Windows Explorer

Attributes
  • reg_key

    Windows Explorer

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gorker Private.exe
    "C:\Users\Admin\AppData\Local\Temp\Gorker Private.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3448
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2816
          • \??\c:\windows\system32\cmstp.exe
            "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\2xleldqp.inf
            5⤵
              PID:240
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:4848
              • C:\Windows\SYSTEM32\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
                6⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:4364
      • C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe
        "C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe"
        2⤵
        • Executes dropped EXE
        PID:772
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1360
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4496
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:4644
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1232
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:1292
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2072
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3372
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3704
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2132
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3336
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2576
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:60
    • C:\Windows\system32\taskkill.exe
      taskkill /IM cmstp.exe /F
      1⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3864

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

      Filesize

      408B

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

      Filesize

      676B

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

      Filesize

      588B

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

    • C:\Users\Admin\AppData\Local\Temp\2xleldqp.inf

      Filesize

      619B

    • C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe

      Filesize

      401KB

    • C:\Users\Admin\AppData\Local\Temp\Setup.exe

      Filesize

      477KB

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tv1n0pb0.mr4.ps1

      Filesize

      60B

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

      Filesize

      357KB

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

      Filesize

      339KB

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

      Filesize

      140KB

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

      Filesize

      84KB
