gozi | 23fd68d00cb2321f750d44994db334eed3fbbf84c7c1d72d99164b4661ea07f6

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2023 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab.exe
Size

295KB
MD5

de21fe50192a021dd37b67881fd332ba
SHA1

44c9c72bf5cd81a82ce7870dc765095f303c7fdf
SHA256

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab
SHA512

6650fe6e0f2866e442a9f753f90fc8aaf594d1d976207a94724f506d840ad6514b4c18392cbc3d51304dd2afb7fadce72f71b385899136b2e593c9fc1eda934a
SSDEEP

3072:F62X2mvtkAa8QoRzUA/nAUZSuJC/w3mA8FfbJ1fzodp/jhNGY:s2XXviAa8QontJF3b8NHfzodpv

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4824 set thread context of 3168	4824	powershell.exe	Explorer.EXE
PID 3168 set thread context of 3740	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 set thread context of 4088	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 set thread context of 4800	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 set thread context of 1452	3168	Explorer.EXE	cmd.exe
PID 1452 set thread context of 2084	1452	cmd.exe	PING.EXE
PID 3168 set thread context of 3656	3168	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4828 3936 WerFault.exe 729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2084 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2084 PING.EXE

pid	pid_target	process	target process
4828	3936	WerFault.exe	729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab.exe

pid	process
2084	PING.EXE

pid	process
2084	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab.exepowershell.exeExplorer.EXE

pid	process
3936	729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab.exe
3936	729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab.exe
4824	powershell.exe
4824	powershell.exe
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4824 powershell.exe
3168 Explorer.EXE
3168 Explorer.EXE
3168 Explorer.EXE
3168 Explorer.EXE
1452 cmd.exe
3168 Explorer.EXE

pid	process
4824	powershell.exe
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
1452	cmd.exe
3168	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3168 Explorer.EXE

pid	process
3168	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3700 wrote to memory of 4824	3700	mshta.exe	powershell.exe
PID 3700 wrote to memory of 4824	3700	mshta.exe	powershell.exe
PID 4824 wrote to memory of 436	4824	powershell.exe	csc.exe
PID 4824 wrote to memory of 436	4824	powershell.exe	csc.exe
PID 436 wrote to memory of 3304	436	csc.exe	cvtres.exe
PID 436 wrote to memory of 3304	436	csc.exe	cvtres.exe
PID 4824 wrote to memory of 4180	4824	powershell.exe	csc.exe
PID 4824 wrote to memory of 4180	4824	powershell.exe	csc.exe
PID 4180 wrote to memory of 3748	4180	csc.exe	cvtres.exe
PID 4180 wrote to memory of 3748	4180	csc.exe	cvtres.exe
PID 4824 wrote to memory of 3168	4824	powershell.exe	Explorer.EXE
PID 4824 wrote to memory of 3168	4824	powershell.exe	Explorer.EXE
PID 4824 wrote to memory of 3168	4824	powershell.exe	Explorer.EXE
PID 4824 wrote to memory of 3168	4824	powershell.exe	Explorer.EXE
PID 3168 wrote to memory of 3740	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 3740	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 3740	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 1452	3168	Explorer.EXE	cmd.exe
PID 3168 wrote to memory of 1452	3168	Explorer.EXE	cmd.exe
PID 3168 wrote to memory of 1452	3168	Explorer.EXE	cmd.exe
PID 3168 wrote to memory of 3740	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 4088	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 4088	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 4088	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 4088	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 4800	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 4800	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 4800	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 1452	3168	Explorer.EXE	cmd.exe
PID 3168 wrote to memory of 4800	3168	Explorer.EXE	RuntimeBroker.exe
PID 3168 wrote to memory of 1452	3168	Explorer.EXE	cmd.exe
PID 1452 wrote to memory of 2084	1452	cmd.exe	PING.EXE
PID 1452 wrote to memory of 2084	1452	cmd.exe	PING.EXE
PID 1452 wrote to memory of 2084	1452	cmd.exe	PING.EXE
PID 3168 wrote to memory of 3656	3168	Explorer.EXE	cmd.exe
PID 3168 wrote to memory of 3656	3168	Explorer.EXE	cmd.exe
PID 3168 wrote to memory of 3656	3168	Explorer.EXE	cmd.exe
PID 3168 wrote to memory of 3656	3168	Explorer.EXE	cmd.exe
PID 1452 wrote to memory of 2084	1452	cmd.exe	PING.EXE
PID 1452 wrote to memory of 2084	1452	cmd.exe	PING.EXE
PID 3168 wrote to memory of 3656	3168	Explorer.EXE	cmd.exe
PID 3168 wrote to memory of 3656	3168	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3740

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab.exe
"C:\Users\Admin\AppData\Local\Temp\729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 312
3⤵
- Program crash
PID:4828

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Oqpy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Oqpy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pcdlhid -value gp; new-alias -name wwpsfjy -value iex; wwpsfjy ([System.Text.Encoding]::ASCII.GetString((pcdlhid "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etkbghjx\etkbghjx.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2580.tmp" "c:\Users\Admin\AppData\Local\Temp\etkbghjx\CSCE9D00D4B5FFA4DEABAE4E4F61F1747.TMP"
5⤵
PID:3304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gc5pfxh2\gc5pfxh2.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES264B.tmp" "c:\Users\Admin\AppData\Local\Temp\gc5pfxh2\CSCEB22C4E399674EA4BA68EF634D270B9.TMP"
5⤵
PID:3748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2084

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3656

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3936 -ip 3936
1⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2580.tmp

Filesize
1KB

MD5
ef03bc4ec7909bc3e44a9d42b41046ff

SHA1
a5d8dc6eea5ebc2046c91c0d6124fc10f89bf347

SHA256
803e998c88f76b1b9ebdab721de491451c56dd1c8cad0cd7d94f3ae834e6931d

SHA512
6f7ac519a03106dd190665328bddcc35b08f1f9028668c406984482183f975093ef86cac3da3231fde5774cee518a137d16d0dc069b7eef52d4e7f5061e61772

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES264B.tmp

Filesize
1KB

MD5
eb0a34ad0595c81e3637d8c00538a0db

SHA1
558ab3101db9b967cccf4382fb04aef3c32ad24f

SHA256
0fa5fc0b846534785ffeb6ac7f9da4089216e76d962aff3968c4bdcdca842ed9

SHA512
ba9aaf3e740c631dc26a8b9a611afacd57c4ed3f80aa851a55385db776f1865027186905053461f80431053a0873cd220bc9a51e7a80bec0c65dbe4429b97f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hszgv1kr.jqb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etkbghjx\etkbghjx.dll

Filesize
3KB

MD5
19a522ed3229a1b0a59e18f7fbae6e46

SHA1
f977174c026706189e0e76804c70ceb741c56d93

SHA256
a680dc56209378262f7cfcfe444bf9c66e0a54cbf213071c0fd534381e4c3db5

SHA512
41a8cc968f6e1ac24b68a993b979f2d7fef67d6f1736162bc0f2005e97731e1c89ab3b1d1d27028a8a9dee109f4746de05223b3687598f0a1b30a2ed4bea5548

Download Submit
C:\Users\Admin\AppData\Local\Temp\gc5pfxh2\gc5pfxh2.dll

Filesize
3KB

MD5
1a43a1d895dba1c373819ef9814e5652

SHA1
daf6afb726a581c1f15af7312057dffe987a084d

SHA256
5a563cdd9c36a2864c5866069eea028b6d67d79c06e5221e3205b06c1a0d832e

SHA512
4fc72713202787ea4675b1d53667f66a47ce76587385a918b47af576df7ab0ed2f75283ea73463d920080d380290f56e8c366801073a0b763293881a1852f39d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\etkbghjx\CSCE9D00D4B5FFA4DEABAE4E4F61F1747.TMP

Filesize
652B

MD5
e96c9bddd143505b93f92f0d6071660d

SHA1
4c698361b57d4e6da20c1f20e516201c801d5d07

SHA256
c0946e254b69ac3af59774a3b2767b7e4ad1add833a67ddf767f9ff4778ab5d5

SHA512
d1fb5eb4b56ef1b1a0e589a775e47d126f33523ca4a335afcdfe4c54f4c2e249e8d55122ff4ee3d75a3d03e3a44efde1a61e71259f8b7d380d50d4f76fe2ab39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\etkbghjx\etkbghjx.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\etkbghjx\etkbghjx.cmdline

Filesize
369B

MD5
3f5e43fc3856bf12724119bd5a1c2d95

SHA1
4fad406189b1dcdd4555b5382086726c708ecf88

SHA256
ceb9d7fca7549103041390ae0e77facbc2b797f4f9487d3798a771580c5f5330

SHA512
feae80088473b5177327c2565dcabb665b5f2444defd7ad639dd787b52ceec09d79cbbbe89ce593fcaea27ac34e83324af63ff341b667cd7d090e03d4a721dab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gc5pfxh2\CSCEB22C4E399674EA4BA68EF634D270B9.TMP

Filesize
652B

MD5
7fd17984f994ebceada0f6a881cab190

SHA1
19c32691b4ea44a5a3a174675230d1d0356ee1d3

SHA256
5df330cc11832196e4e4bbc4aaecb21f5ee7ba468ec28375f21c06cb41d19791

SHA512
8a2f32d0068c49d571a6e15c45dcc5a4114090133e29bcc675de8d560b1b6fe214a8e4c8e663e8f5664e1cea707be982b8ef66e356b9eeafb48aaafe30a57430

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gc5pfxh2\gc5pfxh2.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gc5pfxh2\gc5pfxh2.cmdline

Filesize
369B

MD5
8da9cf79c1669bcb068b743e66faed34

SHA1
d4dde7fc79ab2062095b1ed3318a1dc42320d465

SHA256
a9c57764b19c5c690a36e2a2eefd33443c1ec3c8b7cc38780a9b01dda8d89524

SHA512
ad72834b3277a45c6254683124ce9b041195b6e928ccd3cc4727dd0c6ce191dfb60fe0adf9f93c40233a4a6999bca4bc2dcabefc12fb06e74bc5af69df68a206

Download Submit
memory/1452-97-0x0000028C28450000-0x0000028C28451000-memory.dmp

Filesize
4KB

Download
memory/1452-119-0x0000028C283A0000-0x0000028C28444000-memory.dmp

Filesize
656KB

Download
memory/1452-94-0x0000028C283A0000-0x0000028C28444000-memory.dmp

Filesize
656KB

Download
memory/2084-118-0x0000022AEED50000-0x0000022AEEDF4000-memory.dmp

Filesize
656KB

Download
memory/2084-104-0x0000022AEEB20000-0x0000022AEEB21000-memory.dmp

Filesize
4KB

Download
memory/2084-103-0x0000022AEED50000-0x0000022AEEDF4000-memory.dmp

Filesize
656KB

Download
memory/3168-65-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3168-109-0x0000000008200000-0x00000000082A4000-memory.dmp

Filesize
656KB

Download
memory/3168-64-0x0000000008200000-0x00000000082A4000-memory.dmp

Filesize
656KB

Download
memory/3656-113-0x0000000000E40000-0x0000000000ED8000-memory.dmp

Filesize
608KB

Download
memory/3656-111-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3656-108-0x0000000000E40000-0x0000000000ED8000-memory.dmp

Filesize
608KB

Download
memory/3740-77-0x000001A94F440000-0x000001A94F4E4000-memory.dmp

Filesize
656KB

Download
memory/3740-78-0x000001A94CBF0000-0x000001A94CBF1000-memory.dmp

Filesize
4KB

Download
memory/3740-115-0x000001A94F440000-0x000001A94F4E4000-memory.dmp

Filesize
656KB

Download
memory/3936-1-0x00000000023D0000-0x00000000024D0000-memory.dmp

Filesize
1024KB

Download
memory/3936-9-0x0000000003E90000-0x0000000003E9B000-memory.dmp

Filesize
44KB

Download
memory/3936-116-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/3936-8-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/3936-2-0x0000000003E90000-0x0000000003E9B000-memory.dmp

Filesize
44KB

Download
memory/3936-7-0x00000000023D0000-0x00000000024D0000-memory.dmp

Filesize
1024KB

Download
memory/3936-4-0x0000000003EF0000-0x0000000003EFD000-memory.dmp

Filesize
52KB

Download
memory/3936-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/4088-117-0x0000017A68220000-0x0000017A682C4000-memory.dmp

Filesize
656KB

Download
memory/4088-84-0x0000017A681E0000-0x0000017A681E1000-memory.dmp

Filesize
4KB

Download
memory/4088-83-0x0000017A68220000-0x0000017A682C4000-memory.dmp

Filesize
656KB

Download
memory/4800-91-0x000001D63DDC0000-0x000001D63DDC1000-memory.dmp

Filesize
4KB

Download
memory/4800-90-0x000001D63FFB0000-0x000001D640054000-memory.dmp

Filesize
656KB

Download
memory/4800-120-0x000001D63FFB0000-0x000001D640054000-memory.dmp

Filesize
656KB

Download
memory/4824-32-0x000002B6553C0000-0x000002B6553D0000-memory.dmp

Filesize
64KB

Download
memory/4824-46-0x000002B655400000-0x000002B655408000-memory.dmp

Filesize
32KB

Download
memory/4824-21-0x000002B655520000-0x000002B655542000-memory.dmp

Filesize
136KB

Download
memory/4824-62-0x000002B66DC60000-0x000002B66DC9D000-memory.dmp

Filesize
244KB

Download
memory/4824-74-0x00007FF969790000-0x00007FF96A251000-memory.dmp

Filesize
10.8MB

Download
memory/4824-75-0x000002B66DC60000-0x000002B66DC9D000-memory.dmp

Filesize
244KB

Download
memory/4824-31-0x00007FF969790000-0x00007FF96A251000-memory.dmp

Filesize
10.8MB

Download
memory/4824-33-0x000002B6553C0000-0x000002B6553D0000-memory.dmp

Filesize
64KB

Download
memory/4824-60-0x000002B6555D0000-0x000002B6555D8000-memory.dmp

Filesize
32KB

Download