Overview

overview

10

Static

static

3

bc4d2fd23a...18.exe

windows7-x64

10

bc4d2fd23a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc4d2fd23a3ca94216443cea23381b54_JaffaCakes118.exe

  • Size

    816KB

  • MD5

    bc4d2fd23a3ca94216443cea23381b54

  • SHA1

    7f3c793c3c6414d223f5ce7d5090bb9dc2dcd709

  • SHA256

    34e6ca7fcd9b02405980bd6a92e20b8f972b0988e90576135c4ce12216f12f7e

  • SHA512

    4f7ede4877feccbeb063cf7a2c9bcfe5c9e31f0336800f92c42259153724682599d466aa7500f344c6c370e3b300b3dc3ee4212f00b655bddc2a79fbafe0d5e9

  • SSDEEP

    12288:6crq243ICNz1TJ987E77JALCkUBmke6dfDKT2UD4w3E1/JoV0TCV+Z:6e4d1q7o7Bkz3NDSpyG6+Z

Score
10/10
gozi1000bankercollectionisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

purbs.com

makarcheck.com
Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 63 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\bc4d2fd23a3ca94216443cea23381b54_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\bc4d2fd23a3ca94216443cea23381b54_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\95A4\CAD2.bat" "C:\Users\Admin\AppData\Roaming\accoSync\AzSqcatq.exe" "C:\Users\Admin\AppData\Local\Temp\BC4D2F~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C ""C:\Users\Admin\AppData\Roaming\accoSync\AzSqcatq.exe" "C:\Users\Admin\AppData\Local\Temp\BC4D2F~1.EXE""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4832
          • C:\Users\Admin\AppData\Roaming\accoSync\AzSqcatq.exe
            "C:\Users\Admin\AppData\Roaming\accoSync\AzSqcatq.exe" "C:\Users\Admin\AppData\Local\Temp\BC4D2F~1.EXE"
            5⤵
            • Deletes itself
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4484
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:5012
    • C:\Windows\system32\cmd.exe
      cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\1BC8.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\system32\systeminfo.exe
        systeminfo.exe
        3⤵
        • Gathers system information
        PID:2992
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:4008
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3136
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2748
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4628
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2240
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:5072
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:2816
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1872
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4168
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:2508
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:1352
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:1228
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:1872
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:3728
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:4636
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:4668
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:4992
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:3528
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                          PID:2440
                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                          1⤵
                            PID:2216
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:3808
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:1984
                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                1⤵
                                  PID:1108
                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                  1⤵
                                    PID:3944

                                  Network

                                  MITRE ATT&CK Matrix ATT&CK v13

                                  Initial Access

                                  Execution

                                  Persistence

                                  Boot or Logon Autostart Execution

                                  2
                                  T1547

                                  Registry Run Keys / Startup Folder

                                  1
                                  T1547.001

                                  Active Setup

                                  1
                                  T1547.014

                                  Privilege Escalation

                                  Boot or Logon Autostart Execution

                                  2
                                  T1547

                                  Registry Run Keys / Startup Folder

                                  1
                                  T1547.001

                                  Active Setup

                                  1
                                  T1547.014

                                  Defense Evasion

                                  Modify Registry

                                  3
                                  T1112

                                  Credential Access

                                  Discovery

                                  Query Registry

                                  3
                                  T1012

                                  System Information Discovery

                                  5
                                  T1082

                                  Peripheral Device Discovery

                                  2
                                  T1120

                                  Lateral Movement

                                  Collection

                                  Email Collection

                                  2
                                  T1114

                                  Exfiltration

                                  Command and Control

                                  Impact

                                  Resource Development

                                  Reconnaissance

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
                                    Filesize

                                    471B

                                    MD5

                                    461d6d49a61df6dd9cb2a31eb681193f

                                    SHA1

                                    c9a7aa032ace23ff4ffe94e2b4c953d6c6efd712

                                    SHA256

                                    e9667bcdce409b511683b9cf190e17a847bcb73c8523a2de039002459b6faf12

                                    SHA512

                                    79d2bb9a5463b1f8090282217064cf14e97823108b0796205614fbe8d97768b443d96beaa14b8f460f1dcc00be61d2ab78e02df1b9a367aec2b23f055e18bae4

                                    Download Submit
                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
                                    Filesize

                                    420B

                                    MD5

                                    84964dd06ed9588388fb2c0e74560112

                                    SHA1

                                    5fd984d66010fae0680bfab75d5465e39f948d44

                                    SHA256

                                    f8a17ffc6b278e50c0a493291b7d78464fd0ff2f51719628c2562dde59ab2de4

                                    SHA512

                                    aa70c16b36987f87887fcf20563c89489afd1cfc5c0153121b6c2d37445a4f6306adb4142cd4dccf533ae4ae749685b02f74afb4abb4183ad5dede45e3dd3242

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                    Filesize

                                    2KB

                                    MD5

                                    144bb6c359dac90d996dfd09ebc48dee

                                    SHA1

                                    789ee8b7da32786d480e7619c0ed3c72725207a0

                                    SHA256

                                    71d71e10d93967be75daee2e3f1c4f7aba0ec3e27b446e0dc68258393eb295ab

                                    SHA512

                                    23c5863b74258e4ba7012e37e887e4f23a8f167b6c5435739d8323132756d0a48c3bc4276bed1268b691bf70a5d73eb4586e396217177c4c46304786d1bf23ba

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133631926953136654.txt
                                    Filesize

                                    75KB

                                    MD5

                                    ec861d1b31e9e99a4a6548f1e0b504e1

                                    SHA1

                                    8bf1243597aba54793caf29c5e6c258507f15652

                                    SHA256

                                    9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da

                                    SHA512

                                    30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DEN9315F\microsoft.windows[1].xml
                                    Filesize

                                    97B

                                    MD5

                                    874407164075f430e90aef3f5424206b

                                    SHA1

                                    8575db62a2f0eeec19bd607b8d7ae7fe170d440c

                                    SHA256

                                    bb832ca543f384639184651203cbc6376ad386b418d3777dd54c4680b7051a8a

                                    SHA512

                                    8bf5fda5ffe2962a35ae23ad32664fe7ea3315870f51e196aff13d28bf07fd54012161de236f5a88fd2d2acb4a7efd35fd3392730b6dd568ab2df7092ba897d7

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\95A4\CAD2.bat
                                    Filesize

                                    112B

                                    MD5

                                    1dca0e4a881e814ba2c7b54b56488107

                                    SHA1

                                    6fa5ecca42384650cb20998941598b74deba1598

                                    SHA256

                                    d8e853de58f5eb09024c180f6cbd449e739c34540fd9566f484f83599b431494

                                    SHA512

                                    19ce02024a99941a8a50a06bf1da7f132311d7274cdc93496e9a724a26fa10fd1be885ab2164002e47e1bcfc8024603120b22e393ba31d5815e8d151329c8693

                                    Download Submit
                                  • C:\Users\Admin\AppData\Roaming\accoSync\AzSqcatq.exe
                                    Filesize

                                    816KB

                                    MD5

                                    bc4d2fd23a3ca94216443cea23381b54

                                    SHA1

                                    7f3c793c3c6414d223f5ce7d5090bb9dc2dcd709

                                    SHA256

                                    34e6ca7fcd9b02405980bd6a92e20b8f972b0988e90576135c4ce12216f12f7e

                                    SHA512

                                    4f7ede4877feccbeb063cf7a2c9bcfe5c9e31f0336800f92c42259153724682599d466aa7500f344c6c370e3b300b3dc3ee4212f00b655bddc2a79fbafe0d5e9

                                    Download Submit
                                  • memory/1228-374-0x00000215B4A70000-0x00000215B4A90000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/1228-405-0x00000215B4E40000-0x00000215B4E60000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/1228-386-0x00000215B4A30000-0x00000215B4A50000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/1872-515-0x00000000047C0000-0x00000000047C1000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/2508-367-0x0000000004320000-0x0000000004321000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/2816-227-0x0000000004830000-0x0000000004831000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/3420-0-0x0000000000AC0000-0x0000000000AC8000-memory.dmp
                                    Filesize

                                    32KB

                                    Download
                                  • memory/3420-10-0x0000000000400000-0x00000000004D1000-memory.dmp
                                    Filesize

                                    836KB

                                    Download
                                  • memory/3420-4-0x0000000000400000-0x00000000004D1000-memory.dmp
                                    Filesize

                                    836KB

                                    Download
                                  • memory/3420-3-0x0000000000AC0000-0x0000000000AC8000-memory.dmp
                                    Filesize

                                    32KB

                                    Download
                                  • memory/3420-2-0x00000000023F0000-0x00000000023F1000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/3420-1-0x00000000023F0000-0x00000000023F1000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/3520-50-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-49-0x0000000000E60000-0x0000000000E61000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/3520-42-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-41-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-40-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-39-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-38-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-34-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-35-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-33-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-36-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-26-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-37-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3520-44-0x0000000008460000-0x0000000008593000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/3528-666-0x00000182A4F00000-0x00000182A5000000-memory.dmp
                                    Filesize

                                    1024KB

                                    Download
                                  • memory/4168-228-0x000001FE73140000-0x000001FE73240000-memory.dmp
                                    Filesize

                                    1024KB

                                    Download
                                  • memory/4168-263-0x000001FE74660000-0x000001FE74680000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/4168-229-0x000001FE73140000-0x000001FE73240000-memory.dmp
                                    Filesize

                                    1024KB

                                    Download
                                  • memory/4168-246-0x000001FE74050000-0x000001FE74070000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/4168-233-0x000001FE74090000-0x000001FE740B0000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/4484-14-0x00000000022C0000-0x00000000022C8000-memory.dmp
                                    Filesize

                                    32KB

                                    Download
                                  • memory/4484-23-0x0000000000400000-0x00000000004D1000-memory.dmp
                                    Filesize

                                    836KB

                                    Download
                                  • memory/4484-15-0x00000000022C0000-0x00000000022C8000-memory.dmp
                                    Filesize

                                    32KB

                                    Download
                                  • memory/4628-65-0x0000000004280000-0x0000000004281000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/4636-517-0x0000020617200000-0x0000020617300000-memory.dmp
                                    Filesize

                                    1024KB

                                    Download
                                  • memory/4636-522-0x0000020618320000-0x0000020618340000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/4636-536-0x0000020617DE0000-0x0000020617E00000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/4636-554-0x00000206186F0000-0x0000020618710000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/4668-664-0x0000000002780000-0x0000000002781000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/5012-19-0x0000000000E20000-0x0000000000F53000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/5012-24-0x0000000000E20000-0x0000000000F53000-memory.dmp
                                    Filesize

                                    1.2MB

                                    Download
                                  • memory/5072-72-0x000001F3D33E0000-0x000001F3D3400000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/5072-87-0x000001F3D3AB0000-0x000001F3D3AD0000-memory.dmp
                                    Filesize

                                    128KB

                                    Download
                                  • memory/5072-67-0x000001EBD1580000-0x000001EBD1680000-memory.dmp
                                    Filesize

                                    1024KB

                                    Download
                                  • memory/5072-74-0x000001F3D33A0000-0x000001F3D33C0000-memory.dmp
                                    Filesize

                                    128KB

                                    Download