gozi | 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2023 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b565aa423ca4ba6e8c6b208c2.dll
Size

585KB
MD5

b565aa423ca4ba6e8c6b208c22e5b056
SHA1

0f661ba97e702021988fa372fde43bd3165f1cfe
SHA256

894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265
SHA512

b426343c6e8fa54e892fdbf506f1865d89e134e25ff9552bfe2dea36e791a017380aa5220c1af08922e2619d49731f73889de2e6e2efc155c64f4f6f87d701dd
SSDEEP

6144:2Qs4GPx2zWaTL8pxi5mLgNKz+ODzKaDtdjokutIC54VQQkPBRm2mZOkjnEsWKsGs:Y4sQiMjNa+ODmsWDOWrK1idIGd

Score

10^/10

gozi 5050 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

https://avas1ta.com/in/login/

itwicenice.com

Attributes

base_path
/jerry/
build
250259
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

https://avas1t.de/in/loginq/

itwicenice.com

Attributes

base_path
/pictures/
build
250259
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	mshta.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FolderContact = "cmd /c start C:\\Users\\Admin\\FolderContact.lnk -ep unrestricted -file C:\\Users\\Admin\\StartMail.ps1"	Explorer.EXE

Suspicious use of SetThreadContext 5 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process	target process
PID 4564 set thread context of 3188	4564	powershell.exe	Explorer.EXE
PID 3188 set thread context of 3736	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 set thread context of 4000	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 set thread context of 4548	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 set thread context of 1728	3188	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXE

pid	process
2760	regsvr32.exe
2760	regsvr32.exe
4564	powershell.exe
4564	powershell.exe
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exeExplorer.EXE

pid process

4564 powershell.exe
3188 Explorer.EXE
3188 Explorer.EXE
3188 Explorer.EXE
3188 Explorer.EXE

pid	process
4564	powershell.exe
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE
3188	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeShutdownPrivilege	3188	Explorer.EXE
Token: SeCreatePagefilePrivilege	3188	Explorer.EXE
Token: SeShutdownPrivilege	3188	Explorer.EXE
Token: SeCreatePagefilePrivilege	3188	Explorer.EXE
Token: SeShutdownPrivilege	3188	Explorer.EXE
Token: SeCreatePagefilePrivilege	3188	Explorer.EXE
Token: SeShutdownPrivilege	3188	Explorer.EXE
Token: SeCreatePagefilePrivilege	3188	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3188 Explorer.EXE

pid	process
3188	Explorer.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

regsvr32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXE

description	pid	process	target process
PID 2096 wrote to memory of 2760	2096	regsvr32.exe	regsvr32.exe
PID 2096 wrote to memory of 2760	2096	regsvr32.exe	regsvr32.exe
PID 2096 wrote to memory of 2760	2096	regsvr32.exe	regsvr32.exe
PID 3168 wrote to memory of 4564	3168	mshta.exe	powershell.exe
PID 3168 wrote to memory of 4564	3168	mshta.exe	powershell.exe
PID 4564 wrote to memory of 792	4564	powershell.exe	csc.exe
PID 4564 wrote to memory of 792	4564	powershell.exe	csc.exe
PID 792 wrote to memory of 4716	792	csc.exe	cvtres.exe
PID 792 wrote to memory of 4716	792	csc.exe	cvtres.exe
PID 4564 wrote to memory of 1816	4564	powershell.exe	csc.exe
PID 4564 wrote to memory of 1816	4564	powershell.exe	csc.exe
PID 1816 wrote to memory of 872	1816	csc.exe	cvtres.exe
PID 1816 wrote to memory of 872	1816	csc.exe	cvtres.exe
PID 4564 wrote to memory of 3188	4564	powershell.exe	Explorer.EXE
PID 4564 wrote to memory of 3188	4564	powershell.exe	Explorer.EXE
PID 4564 wrote to memory of 3188	4564	powershell.exe	Explorer.EXE
PID 4564 wrote to memory of 3188	4564	powershell.exe	Explorer.EXE
PID 3188 wrote to memory of 3736	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 3736	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 3736	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 3736	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 4000	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 4000	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 4000	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 4000	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 4548	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 4548	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 4548	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 4548	3188	Explorer.EXE	RuntimeBroker.exe
PID 3188 wrote to memory of 1728	3188	Explorer.EXE	cmd.exe
PID 3188 wrote to memory of 1728	3188	Explorer.EXE	cmd.exe
PID 3188 wrote to memory of 1728	3188	Explorer.EXE	cmd.exe
PID 3188 wrote to memory of 1728	3188	Explorer.EXE	cmd.exe
PID 3188 wrote to memory of 1728	3188	Explorer.EXE	cmd.exe
PID 3188 wrote to memory of 1728	3188	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b565aa423ca4ba6e8c6b208c2.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b565aa423ca4ba6e8c6b208c2.dll
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cmb3='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cmb3).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\62040AB2-5938-E445-F3B6-9D58D74A210C\\\StartMail'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jyblglexiu -value gp; new-alias -name dvyosotxm -value iex; dvyosotxm ([System.Text.Encoding]::ASCII.GetString((jyblglexiu "HKCU:Software\AppDataLow\Software\Microsoft\62040AB2-5938-E445-F3B6-9D58D74A210C").MaskMemory))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xs40i2ym\xs40i2ym.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB19.tmp" "c:\Users\Admin\AppData\Local\Temp\xs40i2ym\CSC6BDBCA39DD534FD3B835239A6D31B7D5.TMP"
5⤵
PID:4716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0grptnm\o0grptnm.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD6A.tmp" "c:\Users\Admin\AppData\Local\Temp\o0grptnm\CSC350CC7A59FA3417FBEC4257463A9ED8B.TMP"
5⤵
PID:872

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBB19.tmp

Filesize
1KB

MD5
2dc92a2c15c0cedb2d223b8509882c39

SHA1
5a0fd06e68a09d12b588fe686c2f855ff98332fd

SHA256
eb92efcbb1511c46f63cbf84dab702e361cd37e0d5299a512aa4c55a144437dd

SHA512
69889d90bcf2b7b21c859485bf643d49239f576b1fbb63db874b4a501afd4e0894ea78b647952daff8811b739fb38d15567791e9736a3c2d5f862b48fce5f9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD6A.tmp

Filesize
1KB

MD5
d6f44105b2b1920cde72b98d0966bd28

SHA1
54629956f9e5c520aaae8d43c01a9ca978754ca1

SHA256
12fc92261aacd912914c768429e4c7a70be165fede94cc1c0552c29bae335c68

SHA512
e724b69948954412fe91f896d56742f7bbcc975f6fdbedb4a2dd49f1b2a6fc96dc838026f789baba746650a150bd6d00a503830f3243d63a24df5a9dc85bc0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1phyqlqj.vih.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0grptnm\o0grptnm.dll

Filesize
3KB

MD5
20bf679cbf57addf1c7dfbe5694e9534

SHA1
1f3c8a4335f8e066d8497ac9b03a8e3c2c98186e

SHA256
199d404d6147916d3f23ae45e358838625d4a779b5ff68e43a4b772004417ddd

SHA512
e78d72bf37a7db302cd71b856b429f8727f0a8f0dea174e1330a8a524666aa14ac623c59752f9c89f54f5611cce971b9f66c367be82518411ff3fd71827acb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\xs40i2ym\xs40i2ym.dll

Filesize
3KB

MD5
807702125d78f28583ecf352269a6b99

SHA1
350adbceaeaa56b56fdedceb3baff89e20e9b19f

SHA256
ba352c86de0c74507117a1e6dbb343dc5e32bec6ef271f034575d01c6aef21e0

SHA512
0caaff54aefdb0f86f9ebd3b5b0b3a85e978ecdc486d96756fd378c682b42f7f904252347aa925caff9b5711ad0c7735e4cf9640d0f166c817ef45d58f6473dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0grptnm\CSC350CC7A59FA3417FBEC4257463A9ED8B.TMP

Filesize
652B

MD5
7da0d1c64a71ec8dc982da9067996b34

SHA1
738fef5e1c046d944bcb3f4e766026988cdaf2a5

SHA256
d84eee46ae407bea72bd42b64c81c509e00a3d81e8f1d4740ca3709cf56fdafc

SHA512
413066ecb431c63358c85768f13ebb174823c5e02d846994b0754eca4a6918e35bd87aa2008c0c88dee2fcbe696390b1db77cc902954c06943862add0135a6f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0grptnm\o0grptnm.0.cs

Filesize
412B

MD5
290e901d2ca9801a33ba1c2e1a28326a

SHA1
ffba41172744d79b40905e37d607f2a6a28e30cc

SHA256
6e9926b1981afd9dedfa73fd8f792ef11fc433073bfc8791be35fa4d802a86f5

SHA512
1077660f0ad43c5c69fee7576f70f04d017524eec8ddbb8f80cc7b0801df2ab3dac540cfdc08bb42e39c37caf215d7ca027f6deb2df924c1831382c5e4687b06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0grptnm\o0grptnm.cmdline

Filesize
369B

MD5
82b171ac8c5a56ea6fde42d182f79a92

SHA1
c4d798d4403a6ac8ad8671b462cf1dfd1d122ff1

SHA256
74d7d570a423734ba927d94a34e56e491187e5c511a377ee4ea0bdefbb6f40a9

SHA512
9a04e1204f1af3bbb9666d07e8c7bb7fb4d384700469966ee8ce843ca2c24d07f5a43594876e4e147b0798e30685f50719c390c0bb27578b14e7fc25277f833b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xs40i2ym\CSC6BDBCA39DD534FD3B835239A6D31B7D5.TMP

Filesize
652B

MD5
40f859bcc638cc7a0fde5072c623cb2a

SHA1
112798219416e7eb2dea7d10886528a62afc11b1

SHA256
e5c287a0aeb38ce92b12669e10fbe873418a0f8fcc624619edf7b615bc716750

SHA512
069d63afdb7a2282aedc9b826c72060220a3ecf363b80071f71f22ff595f05fd953a3ccf39beab919f37da801d2a867b21e62e27579d70bf4afe86abd387771b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xs40i2ym\xs40i2ym.0.cs

Filesize
419B

MD5
6f9929170a31b4128137fa54d631bf2e

SHA1
77e54c09aacad9ec0fa5e09894a54066d5630c36

SHA256
88df79379c27a718e26a0ab4d3cf710c67b36a9b5fa155e044791710e59e3c3f

SHA512
22a8d34ecc787f6e30bdbda3d14bc578cf824a31eb31149b770a207f28eff877ae2d961aab13ce1cc99487536196d2a2b15acedbcdd4536db1bf87d60f265f76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xs40i2ym\xs40i2ym.cmdline

Filesize
369B

MD5
9a4b4e8a3c54cbbe71418a1191306b27

SHA1
94518d42cd1d821151c78c71f7aebd0acf60c1c4

SHA256
9255627766e0f43d846410218a7afae0b72dd9e808754bd2a999dceb265b5a4f

SHA512
b008aa08dff0e3e9aa0938decc1c63ad1dd7df18a6c8a72adceaefc446996a8cb750ad7b8d44112174f02bf79d94b654c646263220c598e91ad431606c61cf11

Download Submit
memory/1728-215-0x0000000000CA0000-0x0000000000D38000-memory.dmp

Filesize
608KB

Download
memory/1728-218-0x0000000000CA0000-0x0000000000D38000-memory.dmp

Filesize
608KB

Download
memory/2760-138-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/2760-197-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/2760-133-0x0000000000C80000-0x0000000000CBF000-memory.dmp

Filesize
252KB

Download
memory/2760-135-0x0000000000900000-0x000000000090D000-memory.dmp

Filesize
52KB

Download
memory/2760-134-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/3188-223-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-227-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-235-0x00000000092C0000-0x0000000009363000-memory.dmp

Filesize
652KB

Download
memory/3188-234-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-233-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-232-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-231-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-230-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-229-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-228-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-180-0x00000000092C0000-0x0000000009363000-memory.dmp

Filesize
652KB

Download
memory/3188-226-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-225-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-212-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3188-213-0x00000000092C0000-0x0000000009363000-memory.dmp

Filesize
652KB

Download
memory/3188-224-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-222-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-219-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-220-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3188-221-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3736-208-0x000002A899BF0000-0x000002A899BF1000-memory.dmp

Filesize
4KB

Download
memory/3736-191-0x000002A89C440000-0x000002A89C4E3000-memory.dmp

Filesize
652KB

Download
memory/3736-209-0x000002A89C440000-0x000002A89C4E3000-memory.dmp

Filesize
652KB

Download
memory/4000-210-0x000002C720A10000-0x000002C720A11000-memory.dmp

Filesize
4KB

Download
memory/4000-211-0x000002C720A50000-0x000002C720AF3000-memory.dmp

Filesize
652KB

Download
memory/4000-196-0x000002C720A50000-0x000002C720AF3000-memory.dmp

Filesize
652KB

Download
memory/4548-207-0x000001ECEBCD0000-0x000001ECEBD73000-memory.dmp

Filesize
652KB

Download
memory/4548-206-0x000001ECEB580000-0x000001ECEB581000-memory.dmp

Filesize
4KB

Download
memory/4548-201-0x000001ECEBCD0000-0x000001ECEBD73000-memory.dmp

Filesize
652KB

Download
memory/4564-151-0x000001B03B8C0000-0x000001B03B8D0000-memory.dmp

Filesize
64KB

Download
memory/4564-150-0x000001B03B8C0000-0x000001B03B8D0000-memory.dmp

Filesize
64KB

Download
memory/4564-178-0x000001B03DC50000-0x000001B03DC8C000-memory.dmp

Filesize
240KB

Download
memory/4564-145-0x000001B03B830000-0x000001B03B852000-memory.dmp

Filesize
136KB

Download
memory/4564-183-0x000001B03DC50000-0x000001B03DC8C000-memory.dmp

Filesize
240KB

Download