Overview

overview

10

Static

static

3

Gorker Private.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    449s
  • max time network
    446s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2024 06:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Gorker Private.exe

  • Size

    895KB

  • MD5

    533cfcfdbce621d1a75048ed80c82113

  • SHA1

    b840f235522f8775e0f590d65580fc511c63762e

  • SHA256

    8f74d8dcb94fe2599559dee63511ed67eb75fa47cb8b75104002c4baca0e460e

  • SHA512

    c2742323604eaf97df952e6082b20e747fb19c227670eccab58a2a329a24239577af1bb1454fb29b23cb7f0108a9eee9592deb51b462aa7dfbaba4bb6ec61668

  • SSDEEP

    6144:qt5IG6wZ9AI57tN0rBe6TM05wiBRju4h4/aOnzJRQuMIwy5zn98psF16TrG8PsTu:fYAI+rBjpOUREzLw2f1WrG8HXXQG

Score
10/10
njrathackeddefense_evasionevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

9cpanel.hackcrack.io:3489

Mutex

Windows Explorer

Attributes
  • reg_key

    Windows Explorer

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell and hide display window.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gorker Private.exe
    "C:\Users\Admin\AppData\Local\Temp\Gorker Private.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3756
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3716
          • \??\c:\windows\system32\cmstp.exe
            "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\vcrgpiut.inf
            5⤵
              PID:4212
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1672
              • C:\Windows\SYSTEM32\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
                6⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:992
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3884
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2076
      • C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe
        "C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe"
        2⤵
        • Executes dropped EXE
        PID:4648
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2684
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4940
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:780
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4736
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1232
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:4292
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3528
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:4800
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4248
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3384
    • C:\Windows\system32\taskkill.exe
      taskkill /IM cmstp.exe /F
      1⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:520

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Window

    1
    T1564.003

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log
      Filesize

      408B

      MD5

      70f08e6585ed9994d97a4c71472fccd8

      SHA1

      3f44494d4747c87fb8b94bb153c3a3d717f9fd63

      SHA256

      87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa

      SHA512

      d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log
      Filesize

      676B

      MD5

      79d206410500f74a6f755f82d514c459

      SHA1

      67782eff101d316ad1eb79ee76dc4095f5994db3

      SHA256

      697be2be7b14b3ef2953b93cc2d380b350c19e2ef41399ab289fe1c8e2281f36

      SHA512

      72848557148090200726fbfa30c008e54067d79e804ef604c78ee4fdc0c77d3da6c60abedb5c05e4943eb768d737873db585619b2559a1b6d1e6b917d216d822

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log
      Filesize

      588B

      MD5

      2f142977932b7837fa1cc70278e53361

      SHA1

      0a3212d221079671bfdeee176ad841e6f15904fc

      SHA256

      961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820

      SHA512

      a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      612B

      MD5

      51abfb7751dbcda87cb079c1672ac9d7

      SHA1

      3d44a77e28f527b2a30865cf98d386bfb8cc78ed

      SHA256

      a8b57d2170bbd6af6aac2d3eec8f60092e0d1f2b786124fe9069a862988726e1

      SHA512

      5b7e754d96b05e3c0769b3e5c4dc748fa5417aad64705b7579ced0b9deacce3bf8b44f73758d12f0b5869402545cb161846863e1e059691752714cc35912d59b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe
      Filesize

      401KB

      MD5

      55128e0a30d438cb5e4d85beb4d61d4f

      SHA1

      aa99199ae8d2e1471cb9ec3c8fc1c6cfb355c914

      SHA256

      2a2e49592f82336a9d1a01fd190bc44e98b3caf17c05c046f06e8d4549d2930b

      SHA512

      60fedb8c75623fdefd173dae60a1952520699e42acd58b1075303f3d93abad03a1235f19327cfc6204053a29e16ba6a4de14f3e6fc99667a5d0ac75afd283bc3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Filesize

      477KB

      MD5

      0e6c9432cba1614fccc232f201028c72

      SHA1

      6082cf9489faa785c066195f108548e705a6d407

      SHA256

      c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

      SHA512

      c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qto24uz.qdh.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vcrgpiut.inf
      Filesize

      619B

      MD5

      6f1420f2133f3e08fd8cdea0e1f5fe27

      SHA1

      3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

      SHA256

      aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

      SHA512

      d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      Filesize

      357KB

      MD5

      cff755ff758e9e71d0af34017a8e9d8e

      SHA1

      8d401767360e61261cee79a18e061d9a0dc95724

      SHA256

      c4b3fdf0d7a1dc296560d0ca1f09ce89f3acbcab445fe5fcf5fe908ed3844be2

      SHA512

      a752a4ed0229cb7ee5a8b0768254f1acb89b1da876a7594952c75cffdb7b7990a45a335332144ae0ff06e0e0dd5e033a89fa29ed2355e2084bcc249e41a73052

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
      Filesize

      339KB

      MD5

      301e8d9a2445dd999ce816c17d8dbbb3

      SHA1

      b91163babeb738bd4d0f577ac764cee17fffe564

      SHA256

      2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

      SHA512

      4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      Filesize

      84KB

      MD5

      15ee95bc8e2e65416f2a30cf05ef9c2e

      SHA1

      107ca99d3414642450dec196febcd787ac8d7596

      SHA256

      c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

      SHA512

      ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

      Download Submit

    • memory/1232-106-0x0000011DFF320000-0x0000011DFF342000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1628-41-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1628-0-0x00007FFB682A5000-0x00007FFB682A6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-3-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1628-2-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1628-4-0x000000001BE80000-0x000000001C34E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/1628-1-0x000000001B8B0000-0x000000001B956000-memory.dmp

      Filesize

      664KB

      Download

    • memory/1628-5-0x000000001C3F0000-0x000000001C48C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3716-95-0x0000000000A80000-0x0000000000A8C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3716-92-0x0000000000A60000-0x0000000000A68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3756-61-0x00000000031F0000-0x00000000031F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3884-36-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3884-65-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3884-48-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3884-40-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4648-42-0x0000000000C70000-0x0000000000CDA000-memory.dmp

      Filesize

      424KB

      Download

    • memory/4652-62-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4652-23-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4652-22-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4652-19-0x0000000001100000-0x000000000112C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4652-18-0x00007FFB67FF0000-0x00007FFB68991000-memory.dmp

      Filesize

      9.6MB

      Download