gozi | 9f710a0fc0cadbf3378c06ca4fefa2486bdf04646201f9efec7cd5a4c97634b4

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

295KB
MD5

ed017c0f334b6d10ac5aca77fe7f9a2a
SHA1

de7a838cbf418f5c093e5bed00254c4c68b82fa7
SHA256

9f710a0fc0cadbf3378c06ca4fefa2486bdf04646201f9efec7cd5a4c97634b4
SHA512

e7210ef6cfb8b9cad8078b8bdc4331eba04c9b7bd87b1aadce8c84560035fe4725161dceaca03608f10f7e02de7120c6dbf345c0ac69c72d5613e85080f58316
SSDEEP

3072:Az6N1tmvikka83g9IGkpt4fMlw5mlg9eidid74+VONrRrCS:bN1cvBka83g9PkUf55B++1r

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3084 set thread context of 3140	3084	powershell.exe	Explorer.EXE
PID 3140 set thread context of 3688	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 set thread context of 3940	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 set thread context of 4804	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 set thread context of 2836	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 set thread context of 1720	3140	Explorer.EXE	cmd.exe
PID 3140 set thread context of 2060	3140	Explorer.EXE	cmd.exe
PID 1720 set thread context of 2300	1720	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4244 2176 WerFault.exe client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2300 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2300 PING.EXE

pid	pid_target	process	target process
4244	2176	WerFault.exe	client.exe

pid	process
2300	PING.EXE

pid	process
2300	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
2176	client.exe
2176	client.exe
3084	powershell.exe
3084	powershell.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3084 powershell.exe
3140 Explorer.EXE
3140 Explorer.EXE
3140 Explorer.EXE
3140 Explorer.EXE
3140 Explorer.EXE
3140 Explorer.EXE
1720 cmd.exe

pid	process
3084	powershell.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
1720	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE

pid	process
3140	Explorer.EXE

pid	process
3140	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2732 wrote to memory of 3084	2732	mshta.exe	powershell.exe
PID 2732 wrote to memory of 3084	2732	mshta.exe	powershell.exe
PID 3084 wrote to memory of 3948	3084	powershell.exe	csc.exe
PID 3084 wrote to memory of 3948	3084	powershell.exe	csc.exe
PID 3948 wrote to memory of 2704	3948	csc.exe	cvtres.exe
PID 3948 wrote to memory of 2704	3948	csc.exe	cvtres.exe
PID 3084 wrote to memory of 3320	3084	powershell.exe	csc.exe
PID 3084 wrote to memory of 3320	3084	powershell.exe	csc.exe
PID 3320 wrote to memory of 1020	3320	csc.exe	cvtres.exe
PID 3320 wrote to memory of 1020	3320	csc.exe	cvtres.exe
PID 3084 wrote to memory of 3140	3084	powershell.exe	Explorer.EXE
PID 3084 wrote to memory of 3140	3084	powershell.exe	Explorer.EXE
PID 3084 wrote to memory of 3140	3084	powershell.exe	Explorer.EXE
PID 3084 wrote to memory of 3140	3084	powershell.exe	Explorer.EXE
PID 3140 wrote to memory of 3688	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3688	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3688	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3688	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3940	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3940	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3940	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 3940	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 4804	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 4804	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 4804	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 4804	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 2836	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 2836	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 1720	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 1720	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 1720	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 2836	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 2836	3140	Explorer.EXE	RuntimeBroker.exe
PID 3140 wrote to memory of 2060	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 2060	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 2060	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 2060	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 1720	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 1720	3140	Explorer.EXE	cmd.exe
PID 1720 wrote to memory of 2300	1720	cmd.exe	PING.EXE
PID 1720 wrote to memory of 2300	1720	cmd.exe	PING.EXE
PID 1720 wrote to memory of 2300	1720	cmd.exe	PING.EXE
PID 3140 wrote to memory of 2060	3140	Explorer.EXE	cmd.exe
PID 3140 wrote to memory of 2060	3140	Explorer.EXE	cmd.exe
PID 1720 wrote to memory of 2300	1720	cmd.exe	PING.EXE
PID 1720 wrote to memory of 2300	1720	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3940

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 568
3⤵
- Program crash
PID:4244

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Rnu3='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rnu3).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nibynxj -value gp; new-alias -name mmftlvf -value iex; mmftlvf ([System.Text.Encoding]::ASCII.GetString((nibynxj "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znxdwba1\znxdwba1.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCF9.tmp" "c:\Users\Admin\AppData\Local\Temp\znxdwba1\CSCEB3CE4E826074772BA86D422BD5F2A5D.TMP"
5⤵
PID:2704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dz4dqpsc\dz4dqpsc.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDB4.tmp" "c:\Users\Admin\AppData\Local\Temp\dz4dqpsc\CSCB7AE3EE8FB3C4BFB80F18FCBEF2DFCE.TMP"
5⤵
PID:1020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2300

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2176 -ip 2176
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFCF9.tmp

Filesize
1KB

MD5
f812c51024f1dc2fd8334de8b1a279f0

SHA1
f01302ec4e00df087958b20fab0fd20c277b58b9

SHA256
94ae8635e4bc53f443c70d6e74e136435381fe2e4a60cd5243afe3938ff40bf1

SHA512
fee9b59c3d38815addd8f77ab5cd1f0c775d8179b7abd298913cd8dd6a3aa4ff36e3d69c89890a08e6bed6ae98214516eaee33a83d9b54aea35a8904b33369de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFDB4.tmp

Filesize
1KB

MD5
0fc131d0cebda4cf4c90969e9e07c46f

SHA1
6d6fbed60f54c1addc7078a50cb1a869b9bea0c6

SHA256
9a6975edf5cef7f92be1803434fdafdc7e29c6e4562c7f17909199fee03819e7

SHA512
a002a36fcc12f1a996baa2109aec76aef6046dc732e3397411ba6c0288c439832bcfe1231e3ab9100d7543f5785f9356fee0dcca26018447fca26e279ac99c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rp3ranip.44q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dz4dqpsc\dz4dqpsc.dll

Filesize
3KB

MD5
513c08402a1ddb5567952d0b91ca2fa6

SHA1
ec4385a6c21ee3af73735116531b3765670a9589

SHA256
dedf7d9b921c8177917a36c8f00059b5641f9c50c2e5e3f215f70aec5ea46cb6

SHA512
8139d1d2a8277a1fd7b27c5d5a7f5de5a4d0bcdd6653c22752732ad632150ab4b26f24780d35eb6e22d88c4055816f8d3951882f87d7f4a457f8a99724c5658f

Download Submit
C:\Users\Admin\AppData\Local\Temp\znxdwba1\znxdwba1.dll

Filesize
3KB

MD5
f3b16d83b55e3ae8b92dd0305ebac3fd

SHA1
ccf214c5c95e7901945c4977e3cdb30fed1d078c

SHA256
6b57073b1f0593fdc704cc66e06c16f08505d27f5d3c08ab08d65969263073ef

SHA512
5f9bd421b986086117dc0c1a14e0eb78c5a735818cc160c4a6aa6fb7bf4b8685aefe1539877c07f17f792ba44a795230125fd34c3b7b9f84e66ac9d29ed0b362

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dz4dqpsc\CSCB7AE3EE8FB3C4BFB80F18FCBEF2DFCE.TMP

Filesize
652B

MD5
ac23d16b6fa50af35a2c9aa23e49bd5f

SHA1
ae74ad4b13b017cce6654fea05afdbe1aadcb1e6

SHA256
5b31e9f6d9aec5007b84a550a4da6f99ee8ac670f1dce41bd41bd415cba4f743

SHA512
d6a50fc80e9f9a168ed7c3edb7d56938a03fde8ac5bc9c4a92861c64c727b0227dc393d97bab87816ce6a3f298f460cce8404d57c6edbde116fd9607fe9a7f03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dz4dqpsc\dz4dqpsc.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dz4dqpsc\dz4dqpsc.cmdline

Filesize
369B

MD5
d3016ac52042cb7b49f5c361283205be

SHA1
8df27beccc7431b7d7ed41eb643a651cb7fe9648

SHA256
3515ff94d76f36241ce3f1fbc9bbd55e36debf5c3484d06fd765e75cbb463181

SHA512
4d83dd630a1d5ff5b8d6d882684ac0059e309823c6b63e6e5135f31b5a7ee1e84bda5c6a7b6f5d28541513a64dc7b466825dffa34aa9b6c164816fd37857a734

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znxdwba1\CSCEB3CE4E826074772BA86D422BD5F2A5D.TMP

Filesize
652B

MD5
4bf03f542f1fbdaa14b3caf0fc0c4864

SHA1
f4ed08ae4a89adad8c4ac1c95919d67214600c2c

SHA256
1b2f0e198375afdd6e0acc10cbcd18746dd6129710e788b68b1292350cd55c29

SHA512
209ddcbcb3d819d96ab9b44c3a10415a36b3fa78eb926a829fde06e55f4f09d1327b64fea187b5ef62eb50370abac7de810bfdf2ccc0e13cd13ba35f293a6659

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znxdwba1\znxdwba1.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znxdwba1\znxdwba1.cmdline

Filesize
369B

MD5
3e9284a0c4b5e475f3f3107802b14c01

SHA1
4f1a34fb13f4c447ea8941729c816887a9cf474d

SHA256
1fd276e2272df724ee29672199b3ee0b5e407b55612094bfdcd49492f3967b1d

SHA512
11afb13e26edce57e5ed99f8d88612256e1105a75be938ad3f8a085b3c53f754e5c9f6cfcf2a4ebb91ff303c9437aa55633cc505256105327080aa4649234edf

Download Submit
memory/1720-106-0x000001956F3E0000-0x000001956F3E1000-memory.dmp

Filesize
4KB

Download
memory/1720-103-0x000001956F4F0000-0x000001956F594000-memory.dmp

Filesize
656KB

Download
memory/1720-129-0x000001956F4F0000-0x000001956F594000-memory.dmp

Filesize
656KB

Download
memory/2060-121-0x0000000001070000-0x0000000001108000-memory.dmp

Filesize
608KB

Download
memory/2060-111-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2060-109-0x0000000001070000-0x0000000001108000-memory.dmp

Filesize
608KB

Download
memory/2176-5-0x0000000004040000-0x000000000404D000-memory.dmp

Filesize
52KB

Download
memory/2176-9-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2176-8-0x0000000002440000-0x000000000244B000-memory.dmp

Filesize
44KB

Download
memory/2176-1-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/2176-4-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/2176-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2176-2-0x0000000002440000-0x000000000244B000-memory.dmp

Filesize
44KB

Download
memory/2176-123-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2176-125-0x00007FFBA05D0000-0x00007FFBA07C5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-118-0x0000029CBB320000-0x0000029CBB321000-memory.dmp

Filesize
4KB

Download
memory/2300-115-0x0000029CBB540000-0x0000029CBB5E4000-memory.dmp

Filesize
656KB

Download
memory/2300-128-0x0000029CBB540000-0x0000029CBB5E4000-memory.dmp

Filesize
656KB

Download
memory/2836-95-0x000002128FE30000-0x000002128FED4000-memory.dmp

Filesize
656KB

Download
memory/2836-127-0x000002128FE30000-0x000002128FED4000-memory.dmp

Filesize
656KB

Download
memory/2836-96-0x000002128FEE0000-0x000002128FEE1000-memory.dmp

Filesize
4KB

Download
memory/3084-25-0x0000023B5FFE0000-0x0000023B60002000-memory.dmp

Filesize
136KB

Download
memory/3084-62-0x0000023B60360000-0x0000023B6039D000-memory.dmp

Filesize
244KB

Download
memory/3084-60-0x0000023B60350000-0x0000023B60358000-memory.dmp

Filesize
32KB

Download
memory/3084-75-0x00007FFB7FBD0000-0x00007FFB80691000-memory.dmp

Filesize
10.8MB

Download
memory/3084-46-0x0000023B60330000-0x0000023B60338000-memory.dmp

Filesize
32KB

Download
memory/3084-76-0x0000023B60360000-0x0000023B6039D000-memory.dmp

Filesize
244KB

Download
memory/3084-30-0x00007FFB7FBD0000-0x00007FFB80691000-memory.dmp

Filesize
10.8MB

Download
memory/3084-33-0x0000023B47910000-0x0000023B47920000-memory.dmp

Filesize
64KB

Download
memory/3084-31-0x0000023B47910000-0x0000023B47920000-memory.dmp

Filesize
64KB

Download
memory/3084-32-0x0000023B47910000-0x0000023B47920000-memory.dmp

Filesize
64KB

Download
memory/3140-65-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3140-64-0x0000000008400000-0x00000000084A4000-memory.dmp

Filesize
656KB

Download
memory/3140-104-0x0000000008400000-0x00000000084A4000-memory.dmp

Filesize
656KB

Download
memory/3688-110-0x000002D543D00000-0x000002D543DA4000-memory.dmp

Filesize
656KB

Download
memory/3688-78-0x000002D543D00000-0x000002D543DA4000-memory.dmp

Filesize
656KB

Download
memory/3688-79-0x000002D5437E0000-0x000002D5437E1000-memory.dmp

Filesize
4KB

Download
memory/3940-116-0x00000245330F0000-0x0000024533194000-memory.dmp

Filesize
656KB

Download
memory/3940-85-0x00000245330B0000-0x00000245330B1000-memory.dmp

Filesize
4KB

Download
memory/3940-84-0x00000245330F0000-0x0000024533194000-memory.dmp

Filesize
656KB

Download
memory/4804-91-0x0000025E6E380000-0x0000025E6E381000-memory.dmp

Filesize
4KB

Download
memory/4804-122-0x0000025E70580000-0x0000025E70624000-memory.dmp

Filesize
656KB

Download
memory/4804-90-0x0000025E70580000-0x0000025E70624000-memory.dmp

Filesize
656KB

Download