gozi | 7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

Resubmissions

06-10-2023 00:32

231006-avxlbaac38 10

06-10-2023 00:31

231006-at7pwsgb5s 10

05-10-2023 16:10

231005-tmvxasec87 10

Analysis

max time kernel
150s
max time network
140s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06-10-2023 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
Size

304KB
MD5

a3f4c907a088c99a8b7bf5f4280d7d0c
SHA1

9a9297bd0af1c008eb7477c1e310ce70c30c6d56
SHA256

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6
SHA512

106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b
SSDEEP

6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/3856-1-0x0000000000860000-0x000000000086C000-memory.dmp	dave

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3644 set thread context of 3328	3644	powershell.exe	Explorer.EXE
PID 3328 set thread context of 3892	3328	Explorer.EXE	RuntimeBroker.exe
PID 3328 set thread context of 4300	3328	Explorer.EXE	cmd.exe
PID 4300 set thread context of 4348	4300	cmd.exe	PING.EXE
PID 3328 set thread context of 5000	3328	Explorer.EXE	WinMail.exe
PID 3328 set thread context of 4536	3328	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4348 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4348 PING.EXE

pid	process
4348	PING.EXE

pid	process
4348	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exepowershell.exeExplorer.EXE

pid	process
3856	7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
3856	7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3328 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3644 powershell.exe
3328 Explorer.EXE
3328 Explorer.EXE
4300 cmd.exe
3328 Explorer.EXE
3328 Explorer.EXE

pid	process
3328	Explorer.EXE

pid	process
3644	powershell.exe
3328	Explorer.EXE
3328	Explorer.EXE
4300	cmd.exe
3328	Explorer.EXE
3328	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3328 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3328 Explorer.EXE

pid	process
3328	Explorer.EXE

pid	process
3328	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2644 wrote to memory of 3644	2644	mshta.exe	powershell.exe
PID 2644 wrote to memory of 3644	2644	mshta.exe	powershell.exe
PID 3644 wrote to memory of 692	3644	powershell.exe	csc.exe
PID 3644 wrote to memory of 692	3644	powershell.exe	csc.exe
PID 692 wrote to memory of 200	692	csc.exe	cvtres.exe
PID 692 wrote to memory of 200	692	csc.exe	cvtres.exe
PID 3644 wrote to memory of 216	3644	powershell.exe	csc.exe
PID 3644 wrote to memory of 216	3644	powershell.exe	csc.exe
PID 216 wrote to memory of 192	216	csc.exe	cvtres.exe
PID 216 wrote to memory of 192	216	csc.exe	cvtres.exe
PID 3644 wrote to memory of 3328	3644	powershell.exe	Explorer.EXE
PID 3644 wrote to memory of 3328	3644	powershell.exe	Explorer.EXE
PID 3644 wrote to memory of 3328	3644	powershell.exe	Explorer.EXE
PID 3644 wrote to memory of 3328	3644	powershell.exe	Explorer.EXE
PID 3328 wrote to memory of 3892	3328	Explorer.EXE	RuntimeBroker.exe
PID 3328 wrote to memory of 3892	3328	Explorer.EXE	RuntimeBroker.exe
PID 3328 wrote to memory of 3892	3328	Explorer.EXE	RuntimeBroker.exe
PID 3328 wrote to memory of 3892	3328	Explorer.EXE	RuntimeBroker.exe
PID 3328 wrote to memory of 4300	3328	Explorer.EXE	cmd.exe
PID 3328 wrote to memory of 4300	3328	Explorer.EXE	cmd.exe
PID 3328 wrote to memory of 4300	3328	Explorer.EXE	cmd.exe
PID 3328 wrote to memory of 4300	3328	Explorer.EXE	cmd.exe
PID 3328 wrote to memory of 4300	3328	Explorer.EXE	cmd.exe
PID 4300 wrote to memory of 4348	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 4348	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 4348	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 4348	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 4348	4300	cmd.exe	PING.EXE
PID 3328 wrote to memory of 5000	3328	Explorer.EXE	WinMail.exe
PID 3328 wrote to memory of 5000	3328	Explorer.EXE	WinMail.exe
PID 3328 wrote to memory of 5000	3328	Explorer.EXE	WinMail.exe
PID 3328 wrote to memory of 5000	3328	Explorer.EXE	WinMail.exe
PID 3328 wrote to memory of 5000	3328	Explorer.EXE	WinMail.exe
PID 3328 wrote to memory of 4536	3328	Explorer.EXE	cmd.exe
PID 3328 wrote to memory of 4536	3328	Explorer.EXE	cmd.exe
PID 3328 wrote to memory of 4536	3328	Explorer.EXE	cmd.exe
PID 3328 wrote to memory of 4536	3328	Explorer.EXE	cmd.exe
PID 3328 wrote to memory of 4536	3328	Explorer.EXE	cmd.exe
PID 3328 wrote to memory of 4536	3328	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
"C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Hk43='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hk43).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\31C71D01-DC96-8B44-6EF5-D0EF82F90493\\\StopBlack'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pkynwt -value gp; new-alias -name jflbsvfnuh -value iex; jflbsvfnuh ([System.Text.Encoding]::ASCII.GetString((pkynwt "HKCU:Software\AppDataLow\Software\Microsoft\31C71D01-DC96-8B44-6EF5-D0EF82F90493").ClassContact))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\axyra5sm\axyra5sm.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B20.tmp" "c:\Users\Admin\AppData\Local\Temp\axyra5sm\CSC37ECF1CFC6214E1686AF4BAF395F3781.TMP"
5⤵
PID:200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jr1kfu1f\jr1kfu1f.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C29.tmp" "c:\Users\Admin\AppData\Local\Temp\jr1kfu1f\CSC4032C025C7EB4A43AC9D5E5EAE6C4C1F.TMP"
5⤵
PID:192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4348

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:5000

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3B20.tmp

Filesize
1KB

MD5
2c8b68d3e1b31eff509b46db88a0dff8

SHA1
3cad9a2c7ced13238d2d958acccab5faa0dc3b97

SHA256
209a3c7d0fd706186769211fd4028644844c1700c6ef7ec513f548e635a683cc

SHA512
1ed6d5e19ed7bfca342146ccf649d0b5afc92bdf9f545c4b9030a682a41358b8a3075f6fbeea83b28fe56ec1daaf31272ac9c2fc90004b8c2eec8a31aed83ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C29.tmp

Filesize
1KB

MD5
c86bd9364c46c56b3d89ccc169854d6a

SHA1
216e3978d85f460fa98407c2b7a4c16a6170b2f6

SHA256
d79d153211649839c909ba54e4e89adfdee07be2a21e887768790562e39be22d

SHA512
c0e089e239202df8e1321eb7fbe90e5f7154763a0d15e0e04f9887688b14dfb94a8a44cfaef9f87a5792c00c63ddf48f43f8f3db9edcb1b6bd047016cc197213

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrxaqrxf.ei0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\axyra5sm\axyra5sm.dll

Filesize
3KB

MD5
b53dc9dbf830d1e83f7f92a11f98155b

SHA1
7d712f2a821f000836c4f94406b3b0f180c6a995

SHA256
09c3446232cd3c2be98e3def1c3368fc8f84c671ca06980a51b9224ea38514b7

SHA512
110b3ff5885aa806a24a617e42c846d8e6e143efb481be6787a76d9fce35a41655e43041ba71a6ed7a2367bcee5d85b2a269cd674938a84bfbbbd4e37ac340ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\jr1kfu1f\jr1kfu1f.dll

Filesize
3KB

MD5
e55432a975fbeb854cdc5766b339a277

SHA1
4701d73e94945b6f5c5382139323910030b23bd4

SHA256
2740e97fd2f3e41be1b8e4291641333ec33dbd84412dc7980456ad9103aa608c

SHA512
cf4a9a93007a46d0b7030551b2baf36f98c942d616e782f95519533d4d1d24a26f11382ea79fb41bfc9feee358f1dab5863370dee06c34734eba47a8fc4f74f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axyra5sm\CSC37ECF1CFC6214E1686AF4BAF395F3781.TMP

Filesize
652B

MD5
941aff72715f93aa676852513a5f4402

SHA1
5a0ffbd95f1b7f0b00e27c851c8b3501d3dba3c8

SHA256
64865daaa8d447290bf3a43b920e96228f3f2987e9dce90bdd63b1fdca72d062

SHA512
c44febd92dc2f805445f8707f08c4d2095535f58fd5db4860e8faf33ea57de592ca6ded04d6585616ad47e6c6236fad5ff30fa70ad2aa47fa21ad3f30cba697a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axyra5sm\axyra5sm.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axyra5sm\axyra5sm.cmdline

Filesize
369B

MD5
6a3b915953abd231cfdc52657c31a25e

SHA1
055b752fc046d6a3689f2bf52a8ed2bf59b816a4

SHA256
3ec1e9dd251926e7ec82169aaaaca039bb1e94480e00317b13b68f20e8b8e609

SHA512
8dc00240b4cf2c97dab516304f53b96cdb7fbb64deec6db6d0213228c1c4863caf6926d4e83c08c4355b0c87bb01318d290d756ab9dfea35bd9d2ecc5a118957

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jr1kfu1f\CSC4032C025C7EB4A43AC9D5E5EAE6C4C1F.TMP

Filesize
652B

MD5
ceb328d7c09687b87c14b9b88d4f9e4b

SHA1
6075b08f950ec710f9f5693fdf727351710c55f7

SHA256
c35a5e5766356649421d6d3927b7340646e9dfd341c9ad1994337da680c9e218

SHA512
392abc8406f9295cb378bfddb2b6dbb65217ea7e0f375afde84a16cfbed2d1faf8ee79a18bfa36f51b1001c992c581313d0d41a0570b657aba7a6aecb5a6ad92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jr1kfu1f\jr1kfu1f.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jr1kfu1f\jr1kfu1f.cmdline

Filesize
369B

MD5
1cefae6bf669793af0bc063b2b94b0c2

SHA1
a7ce032d4f8368b76ee8309ede84d63bfbd89f1c

SHA256
624833b47ea322fd85074eb57473ffaaa4bcb4023140c145da7310a27e023a8e

SHA512
500c2504b974280c8787e0e51ecdfcfccc7e2e1cffb58a654cc576b2afddd57ea826a6e00b78c41d0462f069259e8c6223fcdc6b2608bd521fc52b388f51bfee

Download Submit
memory/3328-79-0x0000000003250000-0x00000000032F4000-memory.dmp

Filesize
656KB

Download
memory/3328-80-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/3328-139-0x0000000003250000-0x00000000032F4000-memory.dmp

Filesize
656KB

Download
memory/3328-145-0x00000000074D0000-0x000000000760A000-memory.dmp

Filesize
1.2MB

Download
memory/3328-149-0x00000000074D0000-0x000000000760A000-memory.dmp

Filesize
1.2MB

Download
memory/3328-151-0x00000000074D0000-0x000000000760A000-memory.dmp

Filesize
1.2MB

Download
memory/3644-75-0x00000188A0070000-0x00000188A0080000-memory.dmp

Filesize
64KB

Download
memory/3644-23-0x00000188A0070000-0x00000188A0080000-memory.dmp

Filesize
64KB

Download
memory/3644-27-0x00000188A0260000-0x00000188A02D6000-memory.dmp

Filesize
472KB

Download
memory/3644-73-0x00000188A0250000-0x00000188A0258000-memory.dmp

Filesize
32KB

Download
memory/3644-25-0x00000188A0070000-0x00000188A0080000-memory.dmp

Filesize
64KB

Download
memory/3644-59-0x00000188A00A0000-0x00000188A00A8000-memory.dmp

Filesize
32KB

Download
memory/3644-77-0x00000188A05E0000-0x00000188A061D000-memory.dmp

Filesize
244KB

Download
memory/3644-21-0x00000188A00B0000-0x00000188A00D2000-memory.dmp

Filesize
136KB

Download
memory/3644-22-0x00007FF98DDD0000-0x00007FF98E7BC000-memory.dmp

Filesize
9.9MB

Download
memory/3644-93-0x00007FF98DDD0000-0x00007FF98E7BC000-memory.dmp

Filesize
9.9MB

Download
memory/3644-94-0x00000188A05E0000-0x00000188A061D000-memory.dmp

Filesize
244KB

Download
memory/3856-1-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/3856-0-0x0000000002260000-0x000000000226F000-memory.dmp

Filesize
60KB

Download
memory/3856-11-0x00000000023E0000-0x00000000023ED000-memory.dmp

Filesize
52KB

Download
memory/3856-5-0x0000000002270000-0x000000000227F000-memory.dmp

Filesize
60KB

Download
memory/3892-98-0x0000024492CF0000-0x0000024492CF1000-memory.dmp

Filesize
4KB

Download
memory/3892-96-0x0000024494940000-0x00000244949E4000-memory.dmp

Filesize
656KB

Download
memory/3892-144-0x0000024494940000-0x00000244949E4000-memory.dmp

Filesize
656KB

Download
memory/4300-108-0x0000027E37DC0000-0x0000027E37E64000-memory.dmp

Filesize
656KB

Download
memory/4300-152-0x0000027E37DC0000-0x0000027E37E64000-memory.dmp

Filesize
656KB

Download
memory/4300-109-0x0000027E37B50000-0x0000027E37B51000-memory.dmp

Filesize
4KB

Download
memory/4348-153-0x00000239D5500000-0x00000239D55A4000-memory.dmp

Filesize
656KB

Download
memory/4348-116-0x00000239D51F0000-0x00000239D51F1000-memory.dmp

Filesize
4KB

Download
memory/4348-117-0x00000239D5500000-0x00000239D55A4000-memory.dmp

Filesize
656KB

Download
memory/4536-143-0x0000000002C10000-0x0000000002CA8000-memory.dmp

Filesize
608KB

Download
memory/4536-136-0x0000000002C10000-0x0000000002CA8000-memory.dmp

Filesize
608KB

Download
memory/4536-137-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/5000-131-0x0000017D4E4F0000-0x0000017D4E594000-memory.dmp

Filesize
656KB

Download
memory/5000-124-0x0000017D4E4F0000-0x0000017D4E594000-memory.dmp

Filesize
656KB

Download
memory/5000-125-0x0000017D4E4C0000-0x0000017D4E4C1000-memory.dmp

Filesize
4KB

Download