gozi | f031cac9dd28b035c7027c23d79c88382d8c7b048c736f8ac7e3c9ec364b5e92

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inform.dll
Size

206KB
MD5

72e2a5c797954e895a41be5b20f867b2
SHA1

419aacfb3ccea9b08277bcc9405054fa4238a597
SHA256

858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0
SHA512

77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3
SSDEEP

6144:sMmIE7vr+qWNGzfXDanCU60rPP+vJsWKq12Jy:o/7DrQGzfXDeCU6cevKWXwy

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

59 1304 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation mshta.exe

flow	pid	process
59	1304	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2364 set thread context of 3144	2364	powershell.exe	Explorer.EXE
PID 3144 set thread context of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 set thread context of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 set thread context of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 set thread context of 3612	3144	Explorer.EXE	cmd.exe
PID 3612 set thread context of 4496	3612	cmd.exe	PING.EXE
PID 3144 set thread context of 4840	3144	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4496 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4496 PING.EXE

pid	process
4496	PING.EXE

pid	process
4496	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
1304	rundll32.exe
1304	rundll32.exe
2364	powershell.exe
2364	powershell.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3144 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2364 powershell.exe
3144 Explorer.EXE
3144 Explorer.EXE
3144 Explorer.EXE
3144 Explorer.EXE
3612 cmd.exe
3144 Explorer.EXE

pid	process
3144	Explorer.EXE

pid	process
2364	powershell.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3612	cmd.exe
3144	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3144 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3144 Explorer.EXE

pid	process
3144	Explorer.EXE

pid	process
3144	Explorer.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 1304	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1304	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1304	1600	rundll32.exe	rundll32.exe
PID 4652 wrote to memory of 2364	4652	mshta.exe	powershell.exe
PID 4652 wrote to memory of 2364	4652	mshta.exe	powershell.exe
PID 2364 wrote to memory of 3492	2364	powershell.exe	csc.exe
PID 2364 wrote to memory of 3492	2364	powershell.exe	csc.exe
PID 3492 wrote to memory of 4172	3492	csc.exe	cvtres.exe
PID 3492 wrote to memory of 4172	3492	csc.exe	cvtres.exe
PID 2364 wrote to memory of 3960	2364	powershell.exe	csc.exe
PID 2364 wrote to memory of 3960	2364	powershell.exe	csc.exe
PID 3960 wrote to memory of 2172	3960	csc.exe	cvtres.exe
PID 3960 wrote to memory of 2172	3960	csc.exe	cvtres.exe
PID 2364 wrote to memory of 3144	2364	powershell.exe	Explorer.EXE
PID 2364 wrote to memory of 3144	2364	powershell.exe	Explorer.EXE
PID 2364 wrote to memory of 3144	2364	powershell.exe	Explorer.EXE
PID 2364 wrote to memory of 3144	2364	powershell.exe	Explorer.EXE
PID 3144 wrote to memory of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3612	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 3612	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 3612	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 3612	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 3612	3144	Explorer.EXE	cmd.exe
PID 3612 wrote to memory of 4496	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 4496	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 4496	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 4496	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 4496	3612	cmd.exe	PING.EXE
PID 3144 wrote to memory of 4840	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 4840	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 4840	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 4840	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 4840	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 4840	3144	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3304

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3768

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\inform.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\inform.dll,#1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gtel='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gtel).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name takvmbtah -value gp; new-alias -name kcufqx -value iex; kcufqx ([System.Text.Encoding]::ASCII.GetString((takvmbtah "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vojrzea5\vojrzea5.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2B1.tmp" "c:\Users\Admin\AppData\Local\Temp\vojrzea5\CSC91A3B353F7B0491680C9B6BDB06A82E3.TMP"
5⤵
PID:4172

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hsh4dk4w\hsh4dk4w.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB418.tmp" "c:\Users\Admin\AppData\Local\Temp\hsh4dk4w\CSCCA5110195B6447B896F6EB65DB11E6A.TMP"
5⤵
PID:2172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\inform.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4496

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB2B1.tmp
Filesize
1KB

MD5
c9d60851433c310c794d7761b9c6c9d8

SHA1
cd7e2d880083b6228df4ae895c2dbe1dbb905e0d

SHA256
03251356fd20e60ede7faf095bc6f4987a3cf989cc16d0fae97f6240d3ec0bcb

SHA512
d02323efaad4c681e0eeb37979ef14431e540106d71755b824fd0b101e04ffde7c407db65752a3dbdbb797287cd349f62bdfd7136b54d4791080f62d3d2495f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB418.tmp
Filesize
1KB

MD5
4d4e4e2086f03e023f1953486e0a2bd3

SHA1
bc5d241bfa554efae568461bb16f7b50e0beb7f9

SHA256
e0d9006beab5d795a444dea40118fa2537cc2595c629f8b02f61f9f17916f5b5

SHA512
5f36fac140b45ba383f50ebc6d12383059ab62c866cea257fa09894c5a8780cd094f2fd84a1ac7ff4ef46423b0caebb19e75a0e00bf572cab0c980fad8ca5381

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcmyjkga.uqd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsh4dk4w\hsh4dk4w.dll
Filesize
3KB

MD5
11362c25b3fb8e97b43f1d554f021994

SHA1
38ade9dbcffedce9043a224688c69f3383d4fe2e

SHA256
41fc303fb52dfd9fd6b194f04b0173d9d7da9d15816e271bbc65a58aab150990

SHA512
dfb98e629b493c558468701fab3f19d8a2ef96b13807e4f9e9f955170ee539a0aabb6a3ccc58980031c42a894180767c0c1ae6a20af431010357c14b03a7b403

Download Submit
C:\Users\Admin\AppData\Local\Temp\vojrzea5\vojrzea5.dll
Filesize
3KB

MD5
9ac235ba2a9b913e8c6c5f318d9253e7

SHA1
ed30d05dd7fd16d3e3634b15fa237132a17f0fef

SHA256
abf2cbebe9a011085ea0cf49eb42acd5454ecfc1e02967e9f11061570985c2b0

SHA512
9f7255185ed75e388b146947e52c06a659d61ca11ee6275c1dcded59483aa30fa8ee93975df948c283d632e19d2a2a4d8fbeb41a94ad25e853cf95103af1fedd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hsh4dk4w\CSCCA5110195B6447B896F6EB65DB11E6A.TMP
Filesize
652B

MD5
98632d32a8f63e2c995f066f7e66af9d

SHA1
afe77bafeb92b24727a5e36f4d545ba9b4cab7fc

SHA256
00c5d887b417b8e9ab10d6587ea8d17e0f3ba4bddca3b3a459d676845634df58

SHA512
f54b1c120e05f0fc3cf0c64056ed2b0cc4750b58a48d052395123626d4de1f609b2a7e32ddd574e4dd82828293a104757f375d09ffd5e923a56a6bd7422e059a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hsh4dk4w\hsh4dk4w.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hsh4dk4w\hsh4dk4w.cmdline
Filesize
369B

MD5
e5d2bc6bb94db4fc91b1120ff354ed10

SHA1
921ca0a3d55e085eb36b4b64760a7c0f3c083dc9

SHA256
2cddd7d3cd7f9831a36656f98e9e0698204aecdfc3f8e31a4e4e86b0fb44dbcd

SHA512
a1bb8e9923f45795ccefb485be6ddb6e326502f598f4e2db2db202aae2056e01b4211e9e06bda68af08f680c93fa19170f61205968b13f4f6a34a93d3834adee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vojrzea5\CSC91A3B353F7B0491680C9B6BDB06A82E3.TMP
Filesize
652B

MD5
38fff753178100ea4669307bf59003f6

SHA1
c361e28dc0b85ccef547b2fd9ebdac897b28e403

SHA256
1fb00c50cdd0509733657d5b2757e42af0ef829ef5c6ca9770c85eca61f7765c

SHA512
aecb17b4b0716469d844a867c637f5b3ffbf8125b4c3adaa9d21e67290d3c56c29f7b3e1636bc84cb364c57890fe29314281dd74d3a23723b28aa2b6d4853201

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vojrzea5\vojrzea5.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vojrzea5\vojrzea5.cmdline
Filesize
369B

MD5
6133281cd8da31d0c6c1a0ea53893b38

SHA1
ff982c333736d2d57eed2a3ef520af2677f1364c

SHA256
3abecd6e5d510026b5a0309df9a79722f981e766872a6cd7db217d99e19d94a0

SHA512
81b8538251397c5dc1b305c4aca4a52111e43dd1c63940b6a9d55aad6c85ac5b3b067330eb686021d7a94e6dd2def1e3d7e8c5dfe33699025bbb4a499a86b1c1

Download Submit
memory/1304-5-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/1304-0-0x00000000022E0000-0x0000000002309000-memory.dmp

Filesize
164KB

Download
memory/1304-103-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/1304-1-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/1304-2-0x0000000002420000-0x000000000242D000-memory.dmp

Filesize
52KB

Download
memory/2364-19-0x0000023FC3820000-0x0000023FC3830000-memory.dmp

Filesize
64KB

Download
memory/2364-16-0x0000023FC3830000-0x0000023FC3852000-memory.dmp

Filesize
136KB

Download
memory/2364-18-0x0000023FC3820000-0x0000023FC3830000-memory.dmp

Filesize
64KB

Download
memory/2364-17-0x00007FF9A32A0000-0x00007FF9A3D61000-memory.dmp

Filesize
10.8MB

Download
memory/2364-47-0x0000023FC3BA0000-0x0000023FC3BA8000-memory.dmp

Filesize
32KB

Download
memory/2364-33-0x0000023FC3B80000-0x0000023FC3B88000-memory.dmp

Filesize
32KB

Download
memory/2364-49-0x0000023FC3BE0000-0x0000023FC3C1D000-memory.dmp

Filesize
244KB

Download
memory/2364-20-0x0000023FC3820000-0x0000023FC3830000-memory.dmp

Filesize
64KB

Download
memory/2364-63-0x00007FF9A32A0000-0x00007FF9A3D61000-memory.dmp

Filesize
10.8MB

Download
memory/2364-55-0x00007FF9A32A0000-0x00007FF9A3D61000-memory.dmp

Filesize
10.8MB

Download
memory/2364-58-0x0000023FC3BE0000-0x0000023FC3C1D000-memory.dmp

Filesize
244KB

Download
memory/3144-52-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3144-51-0x00000000092E0000-0x0000000009384000-memory.dmp

Filesize
656KB

Download
memory/3144-91-0x00000000092E0000-0x0000000009384000-memory.dmp

Filesize
656KB

Download
memory/3304-72-0x000002BA66740000-0x000002BA66741000-memory.dmp

Filesize
4KB

Download
memory/3304-71-0x000002BA66780000-0x000002BA66824000-memory.dmp

Filesize
656KB

Download
memory/3304-104-0x000002BA66780000-0x000002BA66824000-memory.dmp

Filesize
656KB

Download
memory/3612-107-0x000001817A5F0000-0x000001817A694000-memory.dmp

Filesize
656KB

Download
memory/3612-84-0x000001817A490000-0x000001817A491000-memory.dmp

Filesize
4KB

Download
memory/3612-83-0x000001817A5F0000-0x000001817A694000-memory.dmp

Filesize
656KB

Download
memory/3768-66-0x000001C0398D0000-0x000001C0398D1000-memory.dmp

Filesize
4KB

Download
memory/3768-98-0x000001C039E00000-0x000001C039EA4000-memory.dmp

Filesize
656KB

Download
memory/3768-65-0x000001C039E00000-0x000001C039EA4000-memory.dmp

Filesize
656KB

Download
memory/4496-106-0x00000120DE640000-0x00000120DE6E4000-memory.dmp

Filesize
656KB

Download
memory/4496-90-0x00000120DE640000-0x00000120DE6E4000-memory.dmp

Filesize
656KB

Download
memory/4496-93-0x00000120DE4E0000-0x00000120DE4E1000-memory.dmp

Filesize
4KB

Download
memory/4840-102-0x0000000000A20000-0x0000000000AB8000-memory.dmp

Filesize
608KB

Download
memory/4840-97-0x0000000000A20000-0x0000000000AB8000-memory.dmp

Filesize
608KB

Download
memory/4840-100-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/4852-105-0x000001FCC5250000-0x000001FCC52F4000-memory.dmp

Filesize
656KB

Download
memory/4852-77-0x000001FCC5250000-0x000001FCC52F4000-memory.dmp

Filesize
656KB

Download
memory/4852-78-0x000001FCC49F0000-0x000001FCC49F1000-memory.dmp

Filesize
4KB

Download