gozi | b31e91aa44393ac28366e2dbe207d4836f3e7c4b6e2a972f15fd619bd20c39ee

Analysis

max time kernel
203s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

updater.exe
Size

11KB
MD5

c12f497b375cd6c00b79767118af3d64
SHA1

df324df4328fa86ae0e7d7bb4f8ee73a224e9f96
SHA256

b31e91aa44393ac28366e2dbe207d4836f3e7c4b6e2a972f15fd619bd20c39ee
SHA512

649a284cc3ed982a686d785890633771e6e3a3cae09d8289938fc16be312fe0c699dc7ea24433b28327b8c3ed2e85a7430d75ab27516ac983eb3e5e9acab2b97
SSDEEP

192:5XYC8JnnVGge8BHm5J4X/5WcfLGp2pab3OwhQJZ0:5XYCy48BcJ4XRjfLdaLOH7

Score

10^/10

gozi banker isfb spyware stealer trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	updater.exe

Executes dropped EXE 1 IoCs

Processes:

2np5jd5a.exe

pid process

720 2np5jd5a.exe
Loads dropped DLL 1 IoCs

Processes:

updater.exe

pid process

3024 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

15 raw.githubusercontent.com
16 raw.githubusercontent.com
27 discord.com
28 discord.com
44 discord.com
53 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 checkip.amazonaws.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5248 schtasks.exe

pid	process
720	2np5jd5a.exe

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
27	discord.com
28	discord.com
44	discord.com
53	discord.com

flow	ioc
40	checkip.amazonaws.com

pid	process
5248	schtasks.exe

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\chinaitaly703648.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

updater.exe2np5jd5a.exe

pid	process
3024	updater.exe
3024	updater.exe
3024	updater.exe
720	2np5jd5a.exe
720	2np5jd5a.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe
3024	updater.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3544 Explorer.EXE

pid	process
3544	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

updater.exe2np5jd5a.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3024	updater.exe
Token: SeDebugPrivilege	720	2np5jd5a.exe
Token: SeShutdownPrivilege	3544	Explorer.EXE
Token: SeCreatePagefilePrivilege	3544	Explorer.EXE
Token: SeShutdownPrivilege	3544	Explorer.EXE
Token: SeCreatePagefilePrivilege	3544	Explorer.EXE
Token: SeShutdownPrivilege	3544	Explorer.EXE
Token: SeCreatePagefilePrivilege	3544	Explorer.EXE
Token: SeShutdownPrivilege	3544	Explorer.EXE
Token: SeCreatePagefilePrivilege	3544	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Explorer.EXEupdater.exe

pid process

3544 Explorer.EXE
3544 Explorer.EXE
3024 updater.exe

pid	process
3544	Explorer.EXE
3544	Explorer.EXE
3024	updater.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

updater.execmd.exeComputerDefaults.exewscript.execmd.exe2np5jd5a.exe

description	pid	process	target process
PID 3024 wrote to memory of 5884	3024	updater.exe	reg.exe
PID 3024 wrote to memory of 5884	3024	updater.exe	reg.exe
PID 3024 wrote to memory of 5884	3024	updater.exe	reg.exe
PID 3024 wrote to memory of 3600	3024	updater.exe	reg.exe
PID 3024 wrote to memory of 3600	3024	updater.exe	reg.exe
PID 3024 wrote to memory of 3600	3024	updater.exe	reg.exe
PID 3024 wrote to memory of 2044	3024	updater.exe	cmd.exe
PID 3024 wrote to memory of 2044	3024	updater.exe	cmd.exe
PID 3024 wrote to memory of 2044	3024	updater.exe	cmd.exe
PID 2044 wrote to memory of 528	2044	cmd.exe	ComputerDefaults.exe
PID 2044 wrote to memory of 528	2044	cmd.exe	ComputerDefaults.exe
PID 2044 wrote to memory of 528	2044	cmd.exe	ComputerDefaults.exe
PID 528 wrote to memory of 3740	528	ComputerDefaults.exe	wscript.exe
PID 528 wrote to memory of 3740	528	ComputerDefaults.exe	wscript.exe
PID 528 wrote to memory of 3740	528	ComputerDefaults.exe	wscript.exe
PID 3740 wrote to memory of 4016	3740	wscript.exe	cmd.exe
PID 3740 wrote to memory of 4016	3740	wscript.exe	cmd.exe
PID 3740 wrote to memory of 4016	3740	wscript.exe	cmd.exe
PID 3024 wrote to memory of 4492	3024	updater.exe	cmd.exe
PID 3024 wrote to memory of 4492	3024	updater.exe	cmd.exe
PID 3024 wrote to memory of 4492	3024	updater.exe	cmd.exe
PID 4492 wrote to memory of 5248	4492	cmd.exe	schtasks.exe
PID 4492 wrote to memory of 5248	4492	cmd.exe	schtasks.exe
PID 4492 wrote to memory of 5248	4492	cmd.exe	schtasks.exe
PID 3024 wrote to memory of 720	3024	updater.exe	2np5jd5a.exe
PID 3024 wrote to memory of 720	3024	updater.exe	2np5jd5a.exe
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE
PID 720 wrote to memory of 3544	720	2np5jd5a.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3544

C:\Users\Admin\AppData\Local\Temp\updater.exe
"C:\Users\Admin\AppData\Local\Temp\updater.exe"
2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\chinaitaly703648.vbs" /f
3⤵
- Modifies registry class
PID:5884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
3⤵
- Modifies registry class
PID:3600

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\chinaitaly703648.vbs
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
6⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN GoogleDriveUpdater_Tf0JIAqAYFIfwnJFR050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Credentials\Tf0JIAqAYFIfwnJFR050MX.exe" /RL HIGHEST /IT
3⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN GoogleDriveUpdater_Tf0JIAqAYFIfwnJFR050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Credentials\Tf0JIAqAYFIfwnJFR050MX.exe" /RL HIGHEST /IT
4⤵
- Creates scheduled task(s)
PID:5248

C:\Users\Admin\AppData\Local\Temp\2np5jd5a.exe
"C:\Users\Admin\AppData\Local\Temp\2np5jd5a.exe" explorer.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2np5jd5a.exe
Filesize
124KB

MD5
e898826598a138f86f2aa80c0830707a

SHA1
1e912a5671f7786cc077f83146a0484e5a78729c

SHA256
df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a

SHA512
6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ab2ee1b51bd41059525fc0fee9471ea
Filesize
8KB

MD5
8d9c7f048096808b7a7480b010e85d72

SHA1
abc76395407fc9000733e2b5c3d288155123e2aa

SHA256
7c5dd97838e87ef50c9874ea389859804e0203d1ff853fd14aa1f6f09e51b414

SHA512
7b06cf7e46002dceb9ae3bffe36781443588e60193965f8b8b5b0517ac85536780119359a7751be77464e4f2d7105443a53872aadbc341e4801a7b4d252f8a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
Filesize
1.4MB

MD5
6f2fdecc48e7d72ca1eb7f17a97e59ad

SHA1
fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

SHA256
70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

SHA512
fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c50353ed90634dc2be8bbe40bdf4a834
Filesize
130KB

MD5
28189480e145c00f3bfff9044ae79084

SHA1
f5ac5b8936f9ed1e062954843bcdf4957366a751

SHA256
336f53c6bad41f27596d8dc10b12f59ec133863da9fd5cb88399cfb9b530276e

SHA512
7b0c1d0a1f5dab128833635a65576c4daf597d2363cc856c9fbbdf2b8334d1d730bb65f527783cbcf5c0b3de89ae3307041f68e36bd68c275eb3894b428b0d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\chinaitaly703648.vbs
Filesize
171B

MD5
a34267102c21aff46aecc85598924544

SHA1
77268af47c6a4b9c6be7f7487b2c9b233d49d435

SHA256
eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

SHA512
5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebdbddbc84b6421fb336d4be60f3fdc5
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aG31PMDMK2\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aG31PMDMK2\LOG
Filesize
329B

MD5
fabbde5a95c52d75031d67e16a44e87c

SHA1
949abf6ba861c34c4dfaa0862398832c42e87dd9

SHA256
bb4e35a2b476989e7c0539e1beef54207c4e728764d7ac6d7012331a07f50920

SHA512
4bbfa8393096f044e21b3cfc25301909693bc9b2ab32456a166a4ac433d0c5c085e9eb2b00b292fd803530247735b1d5f77635825071adf479144592f1b51fc0

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aG31PMDMK2\LOG.old
Filesize
291B

MD5
6c41fec451c44bb796812ce8540b5154

SHA1
93518809fa4f152058c1a511949620fe95f77121

SHA256
63722c30fa008d1ba11a2ea57defce625e1cfda29f5dd73cf3110cd60aa8716b

SHA512
1effd63112d00e2384fc8e962b8afc20fcc4352d1ca28b518f7ce0ccce32a280f7288ae50eb7dda14601ec9729543fc2d08ef6c42cabc36d31d31406e2b67703

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aG31PMDMK2\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aLVSMAH4VE\LOG
Filesize
334B

MD5
96fd42c02a11c1af351081f147db78a7

SHA1
09f19f4d8a8684d40bc9183f09c87ed9aab380bc

SHA256
78d570d6246c1e4c87710c0a1fdfe3cdb8b060393f8cdc08c2b9cba8041e1e13

SHA512
4e00d00752005ea5d4e07ea66f875398a66215ec30d963c54d9320e3a7adc86ce737d2fc60c25eecf57645e5df3ffb8993c05ee8c96285ffff328eb0014d708a

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aLVSMAH4VE\LOG.old
Filesize
293B

MD5
c019065ccfc826909d6997854ea2be8a

SHA1
9c8085477a484eed8f5986bc690d709e938b4ed2

SHA256
febecbcfde53eba5541849f65764a6a21c9f6b0b91317982188a9151f113f33a

SHA512
086b9c879566980dac37989bc5ecdd509517e9c08145df7696a223e457686e3f02c88d212921fb58d8944be4c8102f23c194e9f12187015a64164fb0efa19c9b

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aZW6QWVI9R\47kntzet.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize
48KB

MD5
2ad9c95398617924135f81fd91473fb4

SHA1
a627000dd26a15d76270bc43b4d6a8153b562add

SHA256
409b97a10e2b9223b4a7b075da7856e18085dfb67e2084698771f5fae29c2c16

SHA512
91c13b96df7be71820244060426c4ad8312406ab826d7d654069373b718c21a91d8e137025f8f95a7696bcf7ef8c5c27daaba0030bc320934922ef1f3ccdb51e

Download Submit
memory/3024-42-0x000000000E6C0000-0x000000000E6CA000-memory.dmp

Filesize
40KB

Download
memory/3024-5-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/3024-1-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/3024-200-0x0000000006900000-0x000000000690A000-memory.dmp

Filesize
40KB

Download
memory/3024-37-0x0000000007AD0000-0x0000000007AE2000-memory.dmp

Filesize
72KB

Download
memory/3024-38-0x00000000750FE000-0x00000000750FF000-memory.dmp

Filesize
4KB

Download
memory/3024-39-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/3024-40-0x0000000000D90000-0x0000000000DF6000-memory.dmp

Filesize
408KB

Download
memory/3024-41-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/3024-0-0x00000000750FE000-0x00000000750FF000-memory.dmp

Filesize
4KB

Download
memory/3024-43-0x000000000AA80000-0x000000000AA8C000-memory.dmp

Filesize
48KB

Download
memory/3024-44-0x000000000AAA0000-0x000000000AAA8000-memory.dmp

Filesize
32KB

Download
memory/3024-2-0x00000000050C0000-0x00000000050DA000-memory.dmp

Filesize
104KB

Download
memory/3024-3-0x0000000002BC0000-0x0000000002BCA000-memory.dmp

Filesize
40KB

Download
memory/3024-11-0x0000000011C10000-0x00000000128B2000-memory.dmp

Filesize
12.6MB

Download
memory/3024-10-0x000000000AE80000-0x000000000BA80000-memory.dmp

Filesize
12.0MB

Download
memory/3024-6-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/3024-186-0x0000000007180000-0x00000000071A1000-memory.dmp

Filesize
132KB

Download
memory/3024-173-0x0000000006A40000-0x0000000006AF2000-memory.dmp

Filesize
712KB

Download
memory/3024-174-0x0000000006B50000-0x0000000006B72000-memory.dmp

Filesize
136KB

Download
memory/3024-175-0x0000000006C00000-0x0000000006C76000-memory.dmp

Filesize
472KB

Download
memory/3024-176-0x0000000006BB0000-0x0000000006BCE000-memory.dmp

Filesize
120KB

Download
memory/3024-4-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/3024-178-0x0000000006CF0000-0x0000000006D40000-memory.dmp

Filesize
320KB

Download
memory/3024-179-0x0000000006D40000-0x0000000006DAA000-memory.dmp

Filesize
424KB

Download
memory/3024-180-0x0000000006DB0000-0x0000000007104000-memory.dmp

Filesize
3.3MB

Download
memory/3024-181-0x0000000007110000-0x000000000715C000-memory.dmp

Filesize
304KB

Download
memory/3024-185-0x00000000071C0000-0x00000000071FC000-memory.dmp

Filesize
240KB

Download
memory/3544-28-0x000000000C180000-0x000000000C188000-memory.dmp

Filesize
32KB

Download
memory/3544-26-0x000000000C180000-0x000000000C188000-memory.dmp

Filesize
32KB

Download
memory/3544-27-0x000000000C2C0000-0x000000000C2C1000-memory.dmp

Filesize
4KB

Download
memory/3544-31-0x000000000C180000-0x000000000C188000-memory.dmp

Filesize
32KB

Download
memory/3544-30-0x000000000C180000-0x000000000C188000-memory.dmp

Filesize
32KB

Download