gozi | 7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

Resubmissions

06-10-2023 00:32

231006-avxlbaac38 10

06-10-2023 00:31

231006-at7pwsgb5s 10

05-10-2023 16:10

231005-tmvxasec87 10

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2023 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
Size

304KB
MD5

a3f4c907a088c99a8b7bf5f4280d7d0c
SHA1

9a9297bd0af1c008eb7477c1e310ce70c30c6d56
SHA256

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6
SHA512

106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b
SSDEEP

6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/4700-1-0x0000000002A70000-0x0000000002A7C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4800 set thread context of 3144	4800	powershell.exe	Explorer.EXE
PID 3144 set thread context of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 set thread context of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 set thread context of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 set thread context of 3884	3144	Explorer.EXE	cmd.exe
PID 3144 set thread context of 1328	3144	Explorer.EXE	cmd.exe
PID 3884 set thread context of 992	3884	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

992 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

992 PING.EXE

pid	process
992	PING.EXE

pid	process
992	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exepowershell.exeExplorer.EXE

pid	process
4700	7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
4700	7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
4800	powershell.exe
4800	powershell.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3144 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4800 powershell.exe
3144 Explorer.EXE
3144 Explorer.EXE
3144 Explorer.EXE
3144 Explorer.EXE
3144 Explorer.EXE
3884 cmd.exe

pid	process
3144	Explorer.EXE

pid	process
4800	powershell.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3884	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3768	RuntimeBroker.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3768	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3144 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3144 Explorer.EXE

pid	process
3144	Explorer.EXE

pid	process
3144	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4632 wrote to memory of 4800	4632	mshta.exe	powershell.exe
PID 4632 wrote to memory of 4800	4632	mshta.exe	powershell.exe
PID 4800 wrote to memory of 3960	4800	powershell.exe	csc.exe
PID 4800 wrote to memory of 3960	4800	powershell.exe	csc.exe
PID 3960 wrote to memory of 1040	3960	csc.exe	cvtres.exe
PID 3960 wrote to memory of 1040	3960	csc.exe	cvtres.exe
PID 4800 wrote to memory of 3504	4800	powershell.exe	csc.exe
PID 4800 wrote to memory of 3504	4800	powershell.exe	csc.exe
PID 3504 wrote to memory of 3688	3504	csc.exe	cvtres.exe
PID 3504 wrote to memory of 3688	3504	csc.exe	cvtres.exe
PID 4800 wrote to memory of 3144	4800	powershell.exe	Explorer.EXE
PID 4800 wrote to memory of 3144	4800	powershell.exe	Explorer.EXE
PID 4800 wrote to memory of 3144	4800	powershell.exe	Explorer.EXE
PID 4800 wrote to memory of 3144	4800	powershell.exe	Explorer.EXE
PID 3144 wrote to memory of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3768	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3304	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 4852	3144	Explorer.EXE	RuntimeBroker.exe
PID 3144 wrote to memory of 3884	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 3884	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 3884	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 1328	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 1328	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 1328	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 1328	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 3884	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 3884	3144	Explorer.EXE	cmd.exe
PID 3884 wrote to memory of 992	3884	cmd.exe	PING.EXE
PID 3884 wrote to memory of 992	3884	cmd.exe	PING.EXE
PID 3884 wrote to memory of 992	3884	cmd.exe	PING.EXE
PID 3144 wrote to memory of 1328	3144	Explorer.EXE	cmd.exe
PID 3144 wrote to memory of 1328	3144	Explorer.EXE	cmd.exe
PID 3884 wrote to memory of 992	3884	cmd.exe	PING.EXE
PID 3884 wrote to memory of 992	3884	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3304

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
"C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Vtih='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vtih).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name twmokmkvhw -value gp; new-alias -name pofesbtof -value iex; pofesbtof ([System.Text.Encoding]::ASCII.GetString((twmokmkvhw "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\33dr0tch\33dr0tch.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB282.tmp" "c:\Users\Admin\AppData\Local\Temp\33dr0tch\CSC8CDC658437A6429DB42B6138C2A9431.TMP"
5⤵
PID:1040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t5uktar4\t5uktar4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3F9.tmp" "c:\Users\Admin\AppData\Local\Temp\t5uktar4\CSCC4E1A7E32381470ABBD08889F6928AC0.TMP"
5⤵
PID:3688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:992

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33dr0tch\33dr0tch.dll

Filesize
3KB

MD5
cd19eec3d9f4775a88783d8ea59c6807

SHA1
553f3d3ce9431a2e46b8fd5f3c54694fbd2e089d

SHA256
cb91986063e7aa62289c77ddf297478a1d8672f1df1f0d7be346967ca4652f73

SHA512
158e2760a08125c8e62cc2ade31a0960d0d39e288c502dc45d68f9ee0f05c88350ef5de0242445c13c4bcf78c9a2648477c046ff08fd25fe764506408f12187a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB282.tmp

Filesize
1KB

MD5
e08828955f6057fec1fec3500dcd997b

SHA1
6c52abca3a8146ac1769a0b27d5385b510833679

SHA256
200f82a13841f1cd5f4ccdbfac292b3acf9aab7da48899fd3dc295ecb3671c94

SHA512
2118367727eaa65697ebac065071218b6de0a0fedb67cf56e628bf3bf005aa8666d2fb3d1e050b88edefc79e55bd2cb05e5a65d6ff75ddfda43f8b9ef11a081d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3F9.tmp

Filesize
1KB

MD5
91788916e7d8f8fc3b28d95f5f6445e4

SHA1
e2f75d7e756bbf41bc78b25d9c6964e33c1d5c23

SHA256
fa6d66584e7511f53b50003a68fd15573914873209fbd571578c3e2f471f661b

SHA512
8b5ea810014a6c13e2562b18c620e3347b5c1206cbc5e6967f4a8391d45a0feb92c05540b88d2095178c8a5008eca48f58bf2268e27da9faad4e8111b3d88976

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvbxa3g1.qow.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\t5uktar4\t5uktar4.dll

Filesize
3KB

MD5
ce0e073b433ce325d342932b32641ce2

SHA1
cf5720b0d52602e632472b16b0a0cc098bc256e0

SHA256
3cdd1b3b00bf9b1592c0069c99d33dce3829e239a8a637b3033b8f59edafd4c5

SHA512
97a19af268001fb91a7fc46e8c61385e85fb7f740759dd55d638164845c3bd254cc41d8ca3304180380936d47741568394ae5fbf72a1368c615a547846d725ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\33dr0tch\33dr0tch.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\33dr0tch\33dr0tch.cmdline

Filesize
369B

MD5
5a7e2d683dbcb8149f6e752e16e8c5f0

SHA1
8cfe2ea3d36982ed04c8a5dade1e320950f8c46a

SHA256
eb6f88ceb11e7b19fb4e3f6b967764f3269cd638315bdebad6b453d1cf3ae537

SHA512
5f24c3fb17bf3da67840c7d0c23ee5265de01e0615e452e4a05d7175f65bdd983adab57a5e3c75c37de9ebf92471f25ba015089e1466ee0d23f829bddd6af4be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\33dr0tch\CSC8CDC658437A6429DB42B6138C2A9431.TMP

Filesize
652B

MD5
dfd9525548f8dab77758923f24c39944

SHA1
de322b62c8dc4ebe913cd2ca1f4c7e6311ff226d

SHA256
c272784be1f7ff867905eb5dd80eb777020888a20c41c6daf0937a6484e8928f

SHA512
6136d78ced7d70e4718ce098cd9b4f8b57f3747ccb585065fa847fb789b1ebe548ed23035c0420d0235d254185e0555ac0b939237e1c465b925025a9dd655062

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t5uktar4\CSCC4E1A7E32381470ABBD08889F6928AC0.TMP

Filesize
652B

MD5
6c9e7e235257efefa347f89838ca9779

SHA1
c5fb9f07bd8fdf720698361e0cd3c3318c961f20

SHA256
e4c2eac952ef1d818296b9b874fc701d7feb419acc2f845d42ee0606bb548cbe

SHA512
c35be01c3ef4133d3885cbb60c647f0a3c65bbce05b725b80aab36b3f74a8f2a53c1a31d0b21da8706913b8e61fa135e228e7ae4282bfee4e2deb61dc81e71d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t5uktar4\t5uktar4.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t5uktar4\t5uktar4.cmdline

Filesize
369B

MD5
04783e771f17692067ce523226cdd180

SHA1
09f3e1f276df997beee3db83f47d0653b965f750

SHA256
8539b2885e9803fcf94c4b02e111ac0df5727852fce8d4b89ed86052498acc7e

SHA512
9a7a415954417c1e72b158867526d1a81342640f207d8cf392903441219e1b323a1641ef9096777d6da67e265784a45989597efbb1c47006f5e761f376744415

Download Submit
memory/992-103-0x000001E47C0B0000-0x000001E47C154000-memory.dmp

Filesize
656KB

Download
memory/992-113-0x000001E47C0B0000-0x000001E47C154000-memory.dmp

Filesize
656KB

Download
memory/992-106-0x000001E47BFA0000-0x000001E47BFA1000-memory.dmp

Filesize
4KB

Download
memory/1328-110-0x00000000014B0000-0x0000000001548000-memory.dmp

Filesize
608KB

Download
memory/1328-97-0x00000000014B0000-0x0000000001548000-memory.dmp

Filesize
608KB

Download
memory/1328-101-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1328-104-0x00000000014B0000-0x0000000001548000-memory.dmp

Filesize
608KB

Download
memory/3144-98-0x00000000094A0000-0x0000000009544000-memory.dmp

Filesize
656KB

Download
memory/3144-59-0x00000000094A0000-0x0000000009544000-memory.dmp

Filesize
656KB

Download
memory/3144-60-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/3304-112-0x000002BA66780000-0x000002BA66824000-memory.dmp

Filesize
656KB

Download
memory/3304-79-0x000002BA66740000-0x000002BA66741000-memory.dmp

Filesize
4KB

Download
memory/3304-78-0x000002BA66780000-0x000002BA66824000-memory.dmp

Filesize
656KB

Download
memory/3768-111-0x000001C039E00000-0x000001C039EA4000-memory.dmp

Filesize
656KB

Download
memory/3768-73-0x000001C039E00000-0x000001C039EA4000-memory.dmp

Filesize
656KB

Download
memory/3768-74-0x000001C0398D0000-0x000001C0398D1000-memory.dmp

Filesize
4KB

Download
memory/3884-92-0x000001E9384A0000-0x000001E938544000-memory.dmp

Filesize
656KB

Download
memory/3884-93-0x000001E938550000-0x000001E938551000-memory.dmp

Filesize
4KB

Download
memory/3884-114-0x000001E9384A0000-0x000001E938544000-memory.dmp

Filesize
656KB

Download
memory/4700-1-0x0000000002A70000-0x0000000002A7C000-memory.dmp

Filesize
48KB

Download
memory/4700-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4700-11-0x0000000002B00000-0x0000000002B0D000-memory.dmp

Filesize
52KB

Download
memory/4700-0-0x0000000002A80000-0x0000000002A8F000-memory.dmp

Filesize
60KB

Download
memory/4800-25-0x00007FF9A3340000-0x00007FF9A3E01000-memory.dmp

Filesize
10.8MB

Download
memory/4800-55-0x0000025AAA6B0000-0x0000025AAA6B8000-memory.dmp

Filesize
32KB

Download
memory/4800-41-0x0000025A91F80000-0x0000025A91F88000-memory.dmp

Filesize
32KB

Download
memory/4800-27-0x0000025A91F40000-0x0000025A91F50000-memory.dmp

Filesize
64KB

Download
memory/4800-28-0x0000025A91F40000-0x0000025A91F50000-memory.dmp

Filesize
64KB

Download
memory/4800-26-0x0000025A91F40000-0x0000025A91F50000-memory.dmp

Filesize
64KB

Download
memory/4800-71-0x0000025AAA6C0000-0x0000025AAA6FD000-memory.dmp

Filesize
244KB

Download
memory/4800-24-0x0000025A91F50000-0x0000025A91F72000-memory.dmp

Filesize
136KB

Download
memory/4800-57-0x0000025AAA6C0000-0x0000025AAA6FD000-memory.dmp

Filesize
244KB

Download
memory/4800-70-0x00007FF9A3340000-0x00007FF9A3E01000-memory.dmp

Filesize
10.8MB

Download
memory/4852-86-0x000001FCC49F0000-0x000001FCC49F1000-memory.dmp

Filesize
4KB

Download
memory/4852-84-0x000001FCC5250000-0x000001FCC52F4000-memory.dmp

Filesize
656KB

Download
memory/4852-115-0x000001FCC5250000-0x000001FCC52F4000-memory.dmp

Filesize
656KB

Download