gozi | 1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06-10-2023 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea.exe
Size

292KB
MD5

33ddb8880db29cac11e05bfc30bcec6b
SHA1

fb90dc44ba4b8f6b356735bd46231e6f99e15b62
SHA256

1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea
SHA512

b99e8ac3be923ea8eb21967595f93bef903b9719300045862dca54bf64b709f7c10e536d8407fa07da67e89245ffa15f9608531700a668b84d0a3a8383f51e0f
SSDEEP

3072:/yktbYYNGzHPg2I1eWy9O9El/pjBXDzrFEd1Uot:K4YIGz4ToTHl9BXz6Uo

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3084 set thread context of 3256	3084	powershell.exe	Explorer.EXE
PID 3256 set thread context of 3824	3256	Explorer.EXE	RuntimeBroker.exe
PID 3256 set thread context of 3956	3256	Explorer.EXE	cmd.exe
PID 3256 set thread context of 4372	3256	Explorer.EXE	WinMail.exe
PID 3956 set thread context of 4404	3956	cmd.exe	PING.EXE
PID 3256 set thread context of 4240	3256	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4404 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4404 PING.EXE

pid	process
4404	PING.EXE

pid	process
4404	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea.exepowershell.exeExplorer.EXE

pid	process
3836	1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea.exe
3836	1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea.exe
3084	powershell.exe
3084	powershell.exe
3084	powershell.exe
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3256 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3084 powershell.exe
3256 Explorer.EXE
3256 Explorer.EXE
3256 Explorer.EXE
3956 cmd.exe
3256 Explorer.EXE

pid	process
3256	Explorer.EXE

pid	process
3084	powershell.exe
3256	Explorer.EXE
3256	Explorer.EXE
3256	Explorer.EXE
3956	cmd.exe
3256	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeShutdownPrivilege	3256	Explorer.EXE
Token: SeCreatePagefilePrivilege	3256	Explorer.EXE
Token: SeShutdownPrivilege	3256	Explorer.EXE
Token: SeCreatePagefilePrivilege	3256	Explorer.EXE
Token: SeShutdownPrivilege	3256	Explorer.EXE
Token: SeCreatePagefilePrivilege	3256	Explorer.EXE
Token: SeShutdownPrivilege	3256	Explorer.EXE
Token: SeCreatePagefilePrivilege	3256	Explorer.EXE
Token: SeShutdownPrivilege	3256	Explorer.EXE
Token: SeCreatePagefilePrivilege	3256	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3256 Explorer.EXE

pid	process
3256	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 220 wrote to memory of 3084	220	mshta.exe	powershell.exe
PID 220 wrote to memory of 3084	220	mshta.exe	powershell.exe
PID 3084 wrote to memory of 3796	3084	powershell.exe	csc.exe
PID 3084 wrote to memory of 3796	3084	powershell.exe	csc.exe
PID 3796 wrote to memory of 3292	3796	csc.exe	cvtres.exe
PID 3796 wrote to memory of 3292	3796	csc.exe	cvtres.exe
PID 3084 wrote to memory of 4752	3084	powershell.exe	csc.exe
PID 3084 wrote to memory of 4752	3084	powershell.exe	csc.exe
PID 4752 wrote to memory of 3724	4752	csc.exe	cvtres.exe
PID 4752 wrote to memory of 3724	4752	csc.exe	cvtres.exe
PID 3084 wrote to memory of 3256	3084	powershell.exe	Explorer.EXE
PID 3084 wrote to memory of 3256	3084	powershell.exe	Explorer.EXE
PID 3084 wrote to memory of 3256	3084	powershell.exe	Explorer.EXE
PID 3084 wrote to memory of 3256	3084	powershell.exe	Explorer.EXE
PID 3256 wrote to memory of 3824	3256	Explorer.EXE	RuntimeBroker.exe
PID 3256 wrote to memory of 3824	3256	Explorer.EXE	RuntimeBroker.exe
PID 3256 wrote to memory of 3824	3256	Explorer.EXE	RuntimeBroker.exe
PID 3256 wrote to memory of 3824	3256	Explorer.EXE	RuntimeBroker.exe
PID 3256 wrote to memory of 3956	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 3956	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 3956	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 3956	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 3956	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 4372	3256	Explorer.EXE	WinMail.exe
PID 3256 wrote to memory of 4372	3256	Explorer.EXE	WinMail.exe
PID 3256 wrote to memory of 4372	3256	Explorer.EXE	WinMail.exe
PID 3256 wrote to memory of 4372	3256	Explorer.EXE	WinMail.exe
PID 3256 wrote to memory of 4372	3256	Explorer.EXE	WinMail.exe
PID 3956 wrote to memory of 4404	3956	cmd.exe	PING.EXE
PID 3956 wrote to memory of 4404	3956	cmd.exe	PING.EXE
PID 3956 wrote to memory of 4404	3956	cmd.exe	PING.EXE
PID 3956 wrote to memory of 4404	3956	cmd.exe	PING.EXE
PID 3956 wrote to memory of 4404	3956	cmd.exe	PING.EXE
PID 3256 wrote to memory of 4240	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 4240	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 4240	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 4240	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 4240	3256	Explorer.EXE	cmd.exe
PID 3256 wrote to memory of 4240	3256	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea.exe
"C:\Users\Admin\AppData\Local\Temp\1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3836

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jb3c='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jb3c).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C007E561-1FD8-F246-A9F4-C346ED68A7DA\\\GlobalPlay'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name icrhhrslvn -value gp; new-alias -name wjloldfa -value iex; wjloldfa ([System.Text.Encoding]::ASCII.GetString((icrhhrslvn "HKCU:Software\AppDataLow\Software\Microsoft\C007E561-1FD8-F246-A9F4-C346ED68A7DA").VirtualActive))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cft1lzt5\cft1lzt5.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC46.tmp" "c:\Users\Admin\AppData\Local\Temp\cft1lzt5\CSC3E0E37B33AB48769F77FF4F85F35720.TMP"
5⤵
PID:3292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3fs5ojpk\3fs5ojpk.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD02.tmp" "c:\Users\Admin\AppData\Local\Temp\3fs5ojpk\CSC68100D032F4FE8B7C11F56DDC91150.TMP"
5⤵
PID:3724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4404

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:4372

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4240

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3fs5ojpk\3fs5ojpk.dll
Filesize
3KB

MD5
f30d451bee5d1086c04d9ea423a3ae66

SHA1
6224ccc987ad845a5b44abe293023b3227296cc0

SHA256
de4aa90896c684c84352cbb1ad74bf5cb691d593246fae962f5b655914b955ca

SHA512
b6c3fb3f96af2bfca797f2adfb161315bde9e3028ca29ad9f2535a96dfbebb21133953d99097b1af79ec3f6647343993ec0c1e64973284d874ddcbc45cefeb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC46.tmp
Filesize
1KB

MD5
e6df3314237240097642e1d0f0996951

SHA1
0266ab58e87f17c9889a13f2e59773f1442454f5

SHA256
1645e295f1819e69706d34ea7ca081c5eddea177e4541a5e0a4bc2ab7cf6d572

SHA512
b331ef4516af32f9145b0b552b7027107ddd7c7ef5456c682e2c8db0a7e536cdbc68d787efb60577a3dfd5f8719565551c3d21d648fe2a68edafac5d6b35bc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDD02.tmp
Filesize
1KB

MD5
3d1d7805d5bbc700405da2995d8db30a

SHA1
d9b6694e9a96190754eb121fdc6ebba819c725ea

SHA256
f5c97d7d86df71cdb9bd07a48ad092e433562c8d64b0f549ce920e96c11002da

SHA512
ca9625870d966c270771edf35a389df6006ec4213e8cb0756919ac49b6c6b68b354c94ba293788b68aa1ca9413e232b824cae64f626ce27234f049b70c13cbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nc42reuq.qcp.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cft1lzt5\cft1lzt5.dll
Filesize
3KB

MD5
c90dd354cbbfeee458766da49e283654

SHA1
620f378cbcb836debd73eef644fc389be0a603c2

SHA256
4235e2bdbe1f12c0574f907175bd6c0b6757c197eb6031719322868057b92bc3

SHA512
bf49595cc65d11643536a448149e3f664f3a6a3e140d39fe974f46a952b2c999286bb069e88dddf40b2753bbe9d9ef19784b2e7d38f90ca16b5d5b753f9459b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fs5ojpk\3fs5ojpk.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fs5ojpk\3fs5ojpk.cmdline
Filesize
369B

MD5
f9c9162abfcfc2689dc2ffbc10a14bda

SHA1
8eedf1e068a549e965e8d6ab8d69f85965fa6470

SHA256
0a41e5f6fb51357a626125cf67575a36122a469d84d3256a2d76c8a435aa36e4

SHA512
3e89cbc0baab055879981b3143c73330fe35d26786018860d534a0965223620068fd3c9504e33cb6cee6c4559037a59a71226dda0e42a5a76b5b5e29455195d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fs5ojpk\CSC68100D032F4FE8B7C11F56DDC91150.TMP
Filesize
652B

MD5
61f5303c841ffcb3062cbdf5435a8556

SHA1
a550ca3e8b47dc6c15434d5c41c67038cac68a91

SHA256
694b5b5bfc25dc41c95cfc595740137e3c8a4484dcc1867ec8904b4b8d6b819e

SHA512
a79f81dfa99ff91ea6df48d80f5960204e5a0d3a7db8c88191e66bf8e03eb7d09d715187b0c05c13dfa7d34383394594938c143d3d7471cf2aa8553451b6de0d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cft1lzt5\CSC3E0E37B33AB48769F77FF4F85F35720.TMP
Filesize
652B

MD5
c5a1b90171bc9e5172094cf2f21eb273

SHA1
4d307e7810d092efe1aa2eb5a944086f9604f344

SHA256
08bbbee0f1213d98f10d47b04b24679c90cee15d32b9e41992d8161c3782b34c

SHA512
af2dc55b0ae21927788515c99318c924f906a6a0cdfa1104f3ca3f14682f5b0df4020f5a65ddb9ce10d7c81f2c279a19efd07030b5b297e61ad753769a25a72a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cft1lzt5\cft1lzt5.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cft1lzt5\cft1lzt5.cmdline
Filesize
369B

MD5
a2ef1dbdcce2f1fbb454a44edbbd4dc8

SHA1
fb6f0900b3be2ebcbf50c8ee70140411bd9824e8

SHA256
e28043f4a6028ff1251501da5fa20d7cb2ce0e94812bc75f541dc400026bf24f

SHA512
99168d060d30e77d0ab5db8e0c5f8c7cd8136fdf137ff1e14ed2bfb855adc8dc56b94f7dfb841f61398ef78cf5a729cb2cc2f0056bd82195daf97ee4fb4df2ab

Download Submit
memory/3084-54-0x0000020FCAAF0000-0x0000020FCAAF8000-memory.dmp

Filesize
32KB

Download
memory/3084-68-0x0000020FCAB10000-0x0000020FCAB18000-memory.dmp

Filesize
32KB

Download
memory/3084-23-0x0000020FCAB30000-0x0000020FCABA6000-memory.dmp

Filesize
472KB

Download
memory/3084-20-0x0000020FB2390000-0x0000020FB23A0000-memory.dmp

Filesize
64KB

Download
memory/3084-19-0x0000020FB2390000-0x0000020FB23A0000-memory.dmp

Filesize
64KB

Download
memory/3084-86-0x00007FF9A0780000-0x00007FF9A116C000-memory.dmp

Filesize
9.9MB

Download
memory/3084-17-0x0000020FB2400000-0x0000020FB2422000-memory.dmp

Filesize
136KB

Download
memory/3084-89-0x0000020FCACB0000-0x0000020FCACED000-memory.dmp

Filesize
244KB

Download
memory/3084-18-0x00007FF9A0780000-0x00007FF9A116C000-memory.dmp

Filesize
9.9MB

Download
memory/3084-72-0x0000020FCACB0000-0x0000020FCACED000-memory.dmp

Filesize
244KB

Download
memory/3084-70-0x0000020FB2390000-0x0000020FB23A0000-memory.dmp

Filesize
64KB

Download
memory/3256-74-0x0000000002AC0000-0x0000000002B64000-memory.dmp

Filesize
656KB

Download
memory/3256-136-0x0000000002AC0000-0x0000000002B64000-memory.dmp

Filesize
656KB

Download
memory/3256-75-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3824-91-0x0000026A93930000-0x0000026A939D4000-memory.dmp

Filesize
656KB

Download
memory/3824-92-0x0000026A935A0000-0x0000026A935A1000-memory.dmp

Filesize
4KB

Download
memory/3824-143-0x0000026A93930000-0x0000026A939D4000-memory.dmp

Filesize
656KB

Download
memory/3836-4-0x0000000003E90000-0x0000000003E9D000-memory.dmp

Filesize
52KB

Download
memory/3836-7-0x00000000022F0000-0x00000000023F0000-memory.dmp

Filesize
1024KB

Download
memory/3836-9-0x0000000003E70000-0x0000000003E7B000-memory.dmp

Filesize
44KB

Download
memory/3836-2-0x0000000003E70000-0x0000000003E7B000-memory.dmp

Filesize
44KB

Download
memory/3836-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/3836-1-0x00000000022F0000-0x00000000023F0000-memory.dmp

Filesize
1024KB

Download
memory/3836-8-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/3956-144-0x0000027374310000-0x00000273743B4000-memory.dmp

Filesize
656KB

Download
memory/3956-104-0x0000027374020000-0x0000027374021000-memory.dmp

Filesize
4KB

Download
memory/3956-103-0x0000027374310000-0x00000273743B4000-memory.dmp

Filesize
656KB

Download
memory/4240-135-0x0000000002B00000-0x0000000002B98000-memory.dmp

Filesize
608KB

Download
memory/4240-138-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/4240-142-0x0000000002B00000-0x0000000002B98000-memory.dmp

Filesize
608KB

Download
memory/4372-121-0x000002B0B41A0000-0x000002B0B4244000-memory.dmp

Filesize
656KB

Download
memory/4372-119-0x000002B0B4170000-0x000002B0B4171000-memory.dmp

Filesize
4KB

Download
memory/4372-122-0x000002B0B41A0000-0x000002B0B4244000-memory.dmp

Filesize
656KB

Download
memory/4372-113-0x000002B0B41A0000-0x000002B0B4244000-memory.dmp

Filesize
656KB

Download
memory/4404-124-0x00000156A0C60000-0x00000156A0D04000-memory.dmp

Filesize
656KB

Download
memory/4404-125-0x00000156A0990000-0x00000156A0991000-memory.dmp

Filesize
4KB

Download
memory/4404-145-0x00000156A0C60000-0x00000156A0D04000-memory.dmp

Filesize
656KB

Download