gozi | 858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

Analysis

max time kernel
160s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASNEAS858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0dllexeexe_JC.dll
Size

206KB
MD5

72e2a5c797954e895a41be5b20f867b2
SHA1

419aacfb3ccea9b08277bcc9405054fa4238a597
SHA256

858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0
SHA512

77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3
SSDEEP

6144:sMmIE7vr+qWNGzfXDanCU60rPP+vJsWKq12Jy:o/7DrQGzfXDeCU6cevKWXwy

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

69 2052 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation mshta.exe

flow	pid	process
69	2052	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 2052 set thread context of 1716	2052	rundll32.exe	control.exe
PID 1716 set thread context of 3144	1716	control.exe	Explorer.EXE
PID 3144 set thread context of 3708	3144	Explorer.EXE	RuntimeBroker.exe
PID 1716 set thread context of 4176	1716	control.exe	rundll32.exe
PID 3144 set thread context of 3356	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 set thread context of 2216	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 set thread context of 4568	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 set thread context of 560	3144	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
2052	rundll32.exe
2052	rundll32.exe
3904	powershell.exe
3904	powershell.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid process

2052 rundll32.exe
1716 control.exe
3144 Explorer.EXE
1716 control.exe
3144 Explorer.EXE
3144 Explorer.EXE
3144 Explorer.EXE
3144 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3144 Explorer.EXE

pid	process
3144	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exerundll32.exemshta.execontrol.exeExplorer.EXEpowershell.execsc.execsc.exe

description	pid	process	target process
PID 4528 wrote to memory of 2052	4528	rundll32.exe	rundll32.exe
PID 4528 wrote to memory of 2052	4528	rundll32.exe	rundll32.exe
PID 4528 wrote to memory of 2052	4528	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 1716	2052	rundll32.exe	control.exe
PID 2052 wrote to memory of 1716	2052	rundll32.exe	control.exe
PID 2052 wrote to memory of 1716	2052	rundll32.exe	control.exe
PID 2052 wrote to memory of 1716	2052	rundll32.exe	control.exe
PID 2052 wrote to memory of 1716	2052	rundll32.exe	control.exe
PID 4516 wrote to memory of 3904	4516	mshta.exe	powershell.exe
PID 4516 wrote to memory of 3904	4516	mshta.exe	powershell.exe
PID 1716 wrote to memory of 3144	1716	control.exe	Explorer.EXE
PID 1716 wrote to memory of 3144	1716	control.exe	Explorer.EXE
PID 1716 wrote to memory of 3144	1716	control.exe	Explorer.EXE
PID 1716 wrote to memory of 3144	1716	control.exe	Explorer.EXE
PID 3144 wrote to memory of 3708	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3708	3144	Explorer.EXE	RuntimeBroker.exe
PID 1716 wrote to memory of 4176	1716	control.exe	rundll32.exe
PID 1716 wrote to memory of 4176	1716	control.exe	rundll32.exe
PID 1716 wrote to memory of 4176	1716	control.exe	rundll32.exe
PID 3144 wrote to memory of 3708	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3708	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3356	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3356	3144	Explorer.EXE	RuntimeBroker.exe
PID 1716 wrote to memory of 4176	1716	control.exe	rundll32.exe
PID 3144 wrote to memory of 3356	3144	Explorer.EXE	RuntimeBroker.exe
PID 1716 wrote to memory of 4176	1716	control.exe	rundll32.exe
PID 3144 wrote to memory of 3356	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 2216	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 2216	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 2216	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 2216	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4568	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4568	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4568	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4568	3144	Explorer.EXE	RuntimeBroker.exe
PID 3904 wrote to memory of 2892	3904	powershell.exe	csc.exe
PID 3904 wrote to memory of 2892	3904	powershell.exe	csc.exe
PID 3144 wrote to memory of 560	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 560	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 560	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 560	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 560	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 560	3144	Explorer.EXE	cmd.exe
PID 2892 wrote to memory of 4008	2892	csc.exe	cvtres.exe
PID 2892 wrote to memory of 4008	2892	csc.exe	cvtres.exe
PID 3904 wrote to memory of 3344	3904	powershell.exe	csc.exe
PID 3904 wrote to memory of 3344	3904	powershell.exe	csc.exe
PID 3344 wrote to memory of 220	3344	csc.exe	cvtres.exe
PID 3344 wrote to memory of 220	3344	csc.exe	cvtres.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4568

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2216

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3356

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0dllexeexe_JC.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0dllexeexe_JC.dll,#1
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe -h
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
5⤵
PID:4176

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mhc4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mhc4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ljqfnxvgyy -value gp; new-alias -name sqjsvfo -value iex; sqjsvfo ([System.Text.Encoding]::ASCII.GetString((ljqfnxvgyy "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3txno0fw\3txno0fw.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9089.tmp" "c:\Users\Admin\AppData\Local\Temp\3txno0fw\CSC55D525CA4897497FABED66CD319B7D74.TMP"
5⤵
PID:4008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3hav00q2\3hav00q2.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92BC.tmp" "c:\Users\Admin\AppData\Local\Temp\3hav00q2\CSC309A86AFE12745658FA155DDA14FD140.TMP"
5⤵
PID:220

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3hav00q2\3hav00q2.dll
Filesize
3KB

MD5
66f60fe01e797121284e5429528fb8ac

SHA1
89f471e09f5026a9003db2d8d6a4b2eb8c5e2193

SHA256
99189d9d719b2c964b91602888103f7a3c7b279db4100459aeac44db9ae420bd

SHA512
70bf3c01418bdcd4ef213a385ce716e168c9179e5c69a9edc3d8bcf12634c2ebf15e15bc6e57d5db42f9e036e78a319211defe1e3aef3d55d9d446a0d8c06026

Download Submit
C:\Users\Admin\AppData\Local\Temp\3txno0fw\3txno0fw.dll
Filesize
3KB

MD5
5cac6964251695c80d28fd40cc5162b8

SHA1
115fe2378592f36ef932c55b68fd6e15fa18b763

SHA256
e83ae3189aaed085d08cb2e52297e1d8c78cda6b70161cc33827b1077d13f00d

SHA512
51c764bf2d90b7f8964926e50cfbd82d3fda33c30de8243dff9a806fa0cc77c9c097f0c9c011fcd010a6d71c608dfa944e05d354a9c4b11b495f1a953846a4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9089.tmp
Filesize
1KB

MD5
1e91581e31ad675e81c98d86ef7e89f0

SHA1
262665e75405a3b4ce9ff72e00da19345376a0a3

SHA256
4bbf5530fdda227db1e192aa51e1bbcc30be7447a703028fcb82085e2915513e

SHA512
2eb8ad0ec21c4555f8766d90c096b238f41f49b5a39497ca96479df8927e058a6209e6c8ac81098989d2c9bc33bf39c1df3f3f7b5246f302a3fec93d0b20267b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES92BC.tmp
Filesize
1KB

MD5
5b3ef7a4c8c75de4088bffded15d6b05

SHA1
ed61977e8d52c60653252455e3d0542c004078e3

SHA256
049315fc553da88f7d3f3545e649a9c75972c55e9b22d9b60f5b7083c35a4e3d

SHA512
1fa84a643c909356e64693bcb54d21c1152df15e6812c3d0025faa9da39290b30101a1741df29861cc3f843b8bbd6c98bcdef15719c427949a1527cf2c054903

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5pxx3ft0.rcp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3hav00q2\3hav00q2.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3hav00q2\3hav00q2.cmdline
Filesize
369B

MD5
63baf8489ed64dcd8fd230bc69a9eea3

SHA1
650345b28332f647e356b806c36ad6058e2cdc14

SHA256
456e7cf77ae0251c55e7a9fac66ac66fb74e4e6e7f2283b4ec05b9e1c72d4e08

SHA512
ee1ed173dcea2ead5dc903ca9cbec5e616858d175e61d02a0c64f29581c19f7a11ef7d8e8f07c3492354c191d7196b917275ce652c1b9f41b282ae2d73c64c68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3hav00q2\CSC309A86AFE12745658FA155DDA14FD140.TMP
Filesize
652B

MD5
874b8b46cd16b04cade24ebfc5969be9

SHA1
f588efc72ec3137fafca18cb53a9c7cfb91fc189

SHA256
9656588f85a4fbb0c5cd25cf180ed1b82579b54897e330684ad4cb10d656621a

SHA512
83aca27833e8aac4c0d5423f289d124e3f44fa1f6d0b3cb15dcee0dc60a8b70dfbb344bb10bdd56cfd49ba71ca61abd5431c95ef9a130f5e0cc4cba1ed78f85c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3txno0fw\3txno0fw.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3txno0fw\3txno0fw.cmdline
Filesize
369B

MD5
25c9e13cb83851a824bc1863e697783a

SHA1
2fcbdd8e621b0faf1057ffa27d06840c123162c4

SHA256
b54f3d9f30755e73fe84516b11509a9a49ff4974ba68d1bb912c4ddd15cab657

SHA512
6d104f9cacfac69570e65b0b5d772b5e7cbac7c779731629e02ece6cde5b2190f9d9cc78fe5179b45dd7fc4a3ddcfda9d5ef189eedc5017e8a1f2864b073f7f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3txno0fw\CSC55D525CA4897497FABED66CD319B7D74.TMP
Filesize
652B

MD5
a7f23c29f0833ddfffc5203d2e649b3b

SHA1
f648828a4ab51dc6ddb123d6b938f7c7de493b24

SHA256
451a733408a2549b8ed541649a59d2f5d1fcaf2fc647e1a724edf27a6f196b3d

SHA512
944a995228dbe43a2b0e26e12a5fd0b7551520396274570ee43b9184bc98d3eb6e9813c80a1f5a61c2121421d3913cd5dc662fc72e7f4d7fee398884bedd041f

Download Submit
memory/560-84-0x0000000000A40000-0x0000000000AD8000-memory.dmp

Filesize
608KB

Download
memory/560-79-0x0000000000A40000-0x0000000000AD8000-memory.dmp

Filesize
608KB

Download
memory/560-80-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1716-8-0x00000000004C0000-0x0000000000564000-memory.dmp

Filesize
656KB

Download
memory/1716-9-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1716-55-0x00000000004C0000-0x0000000000564000-memory.dmp

Filesize
656KB

Download
memory/2052-2-0x0000000002860000-0x000000000286D000-memory.dmp

Filesize
52KB

Download
memory/2052-0-0x00000000027C0000-0x00000000027E9000-memory.dmp

Filesize
164KB

Download
memory/2052-1-0x00000000027F0000-0x00000000027FE000-memory.dmp

Filesize
56KB

Download
memory/2052-5-0x00000000027F0000-0x00000000027FE000-memory.dmp

Filesize
56KB

Download
memory/2052-73-0x00000000027F0000-0x00000000027FE000-memory.dmp

Filesize
56KB

Download
memory/2216-86-0x000001A780530000-0x000001A7805D4000-memory.dmp

Filesize
656KB

Download
memory/2216-53-0x000001A780530000-0x000001A7805D4000-memory.dmp

Filesize
656KB

Download
memory/2216-57-0x000001A780460000-0x000001A780461000-memory.dmp

Filesize
4KB

Download
memory/3144-28-0x0000000008860000-0x0000000008904000-memory.dmp

Filesize
656KB

Download
memory/3144-78-0x0000000008860000-0x0000000008904000-memory.dmp

Filesize
656KB

Download
memory/3144-29-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3356-85-0x000001B425D70000-0x000001B425E14000-memory.dmp

Filesize
656KB

Download
memory/3356-43-0x000001B425D70000-0x000001B425E14000-memory.dmp

Filesize
656KB

Download
memory/3356-47-0x000001B425D30000-0x000001B425D31000-memory.dmp

Filesize
4KB

Download
memory/3708-82-0x0000026E20C20000-0x0000026E20CC4000-memory.dmp

Filesize
656KB

Download
memory/3708-36-0x0000026E20C20000-0x0000026E20CC4000-memory.dmp

Filesize
656KB

Download
memory/3708-37-0x0000026E20CD0000-0x0000026E20CD1000-memory.dmp

Filesize
4KB

Download
memory/3904-25-0x00000224DAAE0000-0x00000224DAAF0000-memory.dmp

Filesize
64KB

Download
memory/3904-70-0x00000224DAAE0000-0x00000224DAAF0000-memory.dmp

Filesize
64KB

Download
memory/3904-114-0x00007FFDC4500000-0x00007FFDC4FC1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-64-0x00007FFDC4500000-0x00007FFDC4FC1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-68-0x00000224DAAE0000-0x00000224DAAF0000-memory.dmp

Filesize
64KB

Download
memory/3904-111-0x00000224DAA40000-0x00000224DAA7D000-memory.dmp

Filesize
244KB

Download
memory/3904-109-0x00000224DAA30000-0x00000224DAA38000-memory.dmp

Filesize
32KB

Download
memory/3904-22-0x00000224C2640000-0x00000224C2662000-memory.dmp

Filesize
136KB

Download
memory/3904-23-0x00007FFDC4500000-0x00007FFDC4FC1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-75-0x00000224DAAE0000-0x00000224DAAF0000-memory.dmp

Filesize
64KB

Download
memory/3904-95-0x00000224C2630000-0x00000224C2638000-memory.dmp

Filesize
32KB

Download
memory/3904-26-0x00000224DAAE0000-0x00000224DAAF0000-memory.dmp

Filesize
64KB

Download
memory/3904-24-0x00000224DAAE0000-0x00000224DAAF0000-memory.dmp

Filesize
64KB

Download
memory/4176-41-0x000001CB4FB60000-0x000001CB4FC04000-memory.dmp

Filesize
656KB

Download
memory/4176-44-0x000001CB4F940000-0x000001CB4F941000-memory.dmp

Filesize
4KB

Download
memory/4176-61-0x000001CB4FB60000-0x000001CB4FC04000-memory.dmp

Filesize
656KB

Download
memory/4568-60-0x00000110B0840000-0x00000110B08E4000-memory.dmp

Filesize
656KB

Download
memory/4568-71-0x00000110B0340000-0x00000110B0341000-memory.dmp

Filesize
4KB

Download
memory/4568-87-0x00000110B0840000-0x00000110B08E4000-memory.dmp

Filesize
656KB

Download