gozi | 7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

Analysis

max time kernel
151s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6_JC.exe
Size

304KB
MD5

a3f4c907a088c99a8b7bf5f4280d7d0c
SHA1

9a9297bd0af1c008eb7477c1e310ce70c30c6d56
SHA256

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6
SHA512

106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b
SSDEEP

6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/3596-1-0x00000000004B0000-0x00000000004BC000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3796 set thread context of 3084	3796	powershell.exe	Explorer.EXE
PID 3084 set thread context of 3780	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 set thread context of 4008	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 set thread context of 4768	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 set thread context of 4724	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 set thread context of 1904	3084	Explorer.EXE	cmd.exe
PID 3084 set thread context of 4368	3084	Explorer.EXE	cmd.exe
PID 1904 set thread context of 2984	1904	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2984 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2984 PING.EXE

pid	process
2984	PING.EXE

pid	process
2984	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NEAS.7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6_JC.exepowershell.exeExplorer.EXE

pid	process
3596	NEAS.7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6_JC.exe
3596	NEAS.7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6_JC.exe
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3084 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3796 powershell.exe
3084 Explorer.EXE
3084 Explorer.EXE
3084 Explorer.EXE
3084 Explorer.EXE
3084 Explorer.EXE
3084 Explorer.EXE
1904 cmd.exe

pid	process
3084	Explorer.EXE

pid	process
3796	powershell.exe
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
1904	cmd.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeShutdownPrivilege	3084	Explorer.EXE
Token: SeCreatePagefilePrivilege	3084	Explorer.EXE
Token: SeShutdownPrivilege	3084	Explorer.EXE
Token: SeCreatePagefilePrivilege	3084	Explorer.EXE
Token: SeShutdownPrivilege	3084	Explorer.EXE
Token: SeCreatePagefilePrivilege	3084	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3084 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3084 Explorer.EXE

pid	process
3084	Explorer.EXE

pid	process
3084	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2792 wrote to memory of 3796	2792	mshta.exe	powershell.exe
PID 2792 wrote to memory of 3796	2792	mshta.exe	powershell.exe
PID 3796 wrote to memory of 560	3796	powershell.exe	csc.exe
PID 3796 wrote to memory of 560	3796	powershell.exe	csc.exe
PID 560 wrote to memory of 3388	560	csc.exe	cvtres.exe
PID 560 wrote to memory of 3388	560	csc.exe	cvtres.exe
PID 3796 wrote to memory of 1452	3796	powershell.exe	csc.exe
PID 3796 wrote to memory of 1452	3796	powershell.exe	csc.exe
PID 1452 wrote to memory of 2600	1452	csc.exe	cvtres.exe
PID 1452 wrote to memory of 2600	1452	csc.exe	cvtres.exe
PID 3796 wrote to memory of 3084	3796	powershell.exe	Explorer.EXE
PID 3796 wrote to memory of 3084	3796	powershell.exe	Explorer.EXE
PID 3796 wrote to memory of 3084	3796	powershell.exe	Explorer.EXE
PID 3796 wrote to memory of 3084	3796	powershell.exe	Explorer.EXE
PID 3084 wrote to memory of 3780	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 3780	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 3780	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 3780	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4008	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4008	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4008	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4008	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4768	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4768	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4768	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4768	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4724	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4724	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4724	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 4724	3084	Explorer.EXE	RuntimeBroker.exe
PID 3084 wrote to memory of 1904	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 1904	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 1904	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 4368	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 4368	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 4368	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 4368	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 1904	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 1904	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 4368	3084	Explorer.EXE	cmd.exe
PID 3084 wrote to memory of 4368	3084	Explorer.EXE	cmd.exe
PID 1904 wrote to memory of 2984	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 2984	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 2984	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 2984	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 2984	1904	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\NEAS.7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6_JC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3596

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tfct='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tfct).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name qkwudvcj -value gp; new-alias -name ypjmemrtt -value iex; ypjmemrtt ([System.Text.Encoding]::ASCII.GetString((qkwudvcj "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aao1rayk\aao1rayk.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C4B.tmp" "c:\Users\Admin\AppData\Local\Temp\aao1rayk\CSCA383A5EC3FC64DD685F5B9163D992EFF.TMP"
5⤵
PID:3388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qx3bi1rk\qx3bi1rk.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D74.tmp" "c:\Users\Admin\AppData\Local\Temp\qx3bi1rk\CSC3F343B7FF00C4C91916CF02A4DBF17A1.TMP"
5⤵
PID:2600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\NEAS.7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6_JC.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2984

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4368

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2C4B.tmp
Filesize
1KB

MD5
ea4aafe0a3a3696fa11309c62bb9c4e3

SHA1
be0f54ec0561ba76c7529902d87532f7b523fa4f

SHA256
cab1e09a04e686996b5ea50a437a4a9ec614c2b42ab620289d9ed3b1d01ca99d

SHA512
c29510e78458e57b1136ef03c642958c802162b499709581a8a5982d15e02748c1024f9f98eb12515102439662fbcbea6e9014bdd832a14eec0ff3e3fb065f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D74.tmp
Filesize
1KB

MD5
1bf97163c1adebe783d83cbfa2f4f2d7

SHA1
478a1bb93e7f1af01df104dfc8563dd3ab767231

SHA256
7c5dc34e47f204d0f5492dbb34187bda6426def65772898ff6c4ca84634f8de1

SHA512
ea1a17267261653e81deb9ccf34790c4f35ff3226c1da6ba4089f03d13c5131e41e3a0e78174e10c4b0b8745e9399941eeba1eba1b4a961b0b7959e46b27cb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acssny3o.ayw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aao1rayk\aao1rayk.dll
Filesize
3KB

MD5
e426405f1ae88e93331179ed301a4b9a

SHA1
9b7264c9527ac3a5428addf68f8d5a352dc09a9e

SHA256
bb43ec4a28a336bfe468562c2bc2410425363b34281def4c90170d68c34f921e

SHA512
f694379c5bc9041558a068ffd1606a1b928fd961303321d8a7000fee5648331c323d6d4f96a9c7ca762ef667e5db24f868ff57271968831091848852ffb37632

Download Submit
C:\Users\Admin\AppData\Local\Temp\qx3bi1rk\qx3bi1rk.dll
Filesize
3KB

MD5
233d0c9480fd035e4e219ae7a5a8a49f

SHA1
b309f25a33372efa4b30e45e787bf706dae9c8f4

SHA256
675bd0712decb4327b927f4eb8bc0a3b4fbd2facdffc11c90b0c261ec14eeffb

SHA512
ee629bafda4bbdda201a4274e7ae72d74f5daaaecf024deec5b9bfe4616ff2a4f0df26952e65bace920f2c069437661797a1880f7b2f0e4af01147de5f666db6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aao1rayk\CSCA383A5EC3FC64DD685F5B9163D992EFF.TMP
Filesize
652B

MD5
cc2bd97acf329aafbb6300947990cbd3

SHA1
577efb8e8f04caaec0a44d165bc7e4ed3a6dbd15

SHA256
2f55f72643cce6cd1efdca867e072648a6513e30780a8b077fb2770122835474

SHA512
602c23f75a58f185cc8a8aaef306924622708ccb303ed252bff08470223776a128453b6bc05c3dbe0a59a464c63aacfb65c209fa720fcfa30e7c34a62b04e6bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aao1rayk\aao1rayk.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aao1rayk\aao1rayk.cmdline
Filesize
369B

MD5
c5a48d0a3a49d69db0d97a0ea463c5a6

SHA1
e61854dda589bc2b27d00a7742738c5d4551ac9b

SHA256
dec8b724f58cb2912bba9e644fe8c9942153c78822d6629745bed099745b26aa

SHA512
375d70abc42711026418c76b605533143019ff4344d6a651838478c66907f0ab605fe5ee4890617025f5297a98db4573f70731dbf0a218d12046531bdd463268

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx3bi1rk\CSC3F343B7FF00C4C91916CF02A4DBF17A1.TMP
Filesize
652B

MD5
636253e8038d641e7284721cbab6cdc2

SHA1
20be56daae51b28870ac031fc01f4feb93fcdc31

SHA256
95ba997514434449ab9433f85aad3df11c391924df0ee9d76409485c39f1c3f9

SHA512
60b3256a1158e7d7cb2096ee7d5456f1a86d4d5df18ca41549b04f25a73d7e94ad0e20e8a9f8d5d3598e8bc4478b6129b53aee167eb28fc4d19bd5841080fe04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx3bi1rk\qx3bi1rk.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx3bi1rk\qx3bi1rk.cmdline
Filesize
369B

MD5
e57cf1bf23391f4bab65cd3e27542538

SHA1
0d1a2bd36fa844578d415e6e384c9771408de5c3

SHA256
06bcc7ac4b25e4ed9a436893632e1b35cfa5c55ee7f9178692c529e60f8bef8e

SHA512
b5d2509b5ff2c2ad8ffb3d2058262cca6b0a2fa638b9777a3cb734bce6792d917cf3e16e890a6dec7af9f4b778e9d4d9ec288762b74500f3167116f3d77c7e1b

Download Submit
memory/1904-103-0x0000015E39180000-0x0000015E39181000-memory.dmp

Filesize
4KB

Download
memory/1904-98-0x0000015E39360000-0x0000015E39404000-memory.dmp

Filesize
656KB

Download
memory/1904-119-0x0000015E39360000-0x0000015E39404000-memory.dmp

Filesize
656KB

Download
memory/2984-110-0x0000023379610000-0x00000233796B4000-memory.dmp

Filesize
656KB

Download
memory/2984-111-0x00000233796C0000-0x00000233796C1000-memory.dmp

Filesize
4KB

Download
memory/2984-118-0x0000023379610000-0x00000233796B4000-memory.dmp

Filesize
656KB

Download
memory/3084-60-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3084-99-0x0000000008810000-0x00000000088B4000-memory.dmp

Filesize
656KB

Download
memory/3084-59-0x0000000008810000-0x00000000088B4000-memory.dmp

Filesize
656KB

Download
memory/3596-1-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/3596-11-0x0000000002390000-0x000000000239D000-memory.dmp

Filesize
52KB

Download
memory/3596-5-0x0000000000940000-0x000000000094F000-memory.dmp

Filesize
60KB

Download
memory/3596-0-0x00000000004C0000-0x00000000004CF000-memory.dmp

Filesize
60KB

Download
memory/3780-73-0x0000022575510000-0x0000022575511000-memory.dmp

Filesize
4KB

Download
memory/3780-72-0x0000022575690000-0x0000022575734000-memory.dmp

Filesize
656KB

Download
memory/3780-113-0x0000022575690000-0x0000022575734000-memory.dmp

Filesize
656KB

Download
memory/3796-17-0x000002AA2D960000-0x000002AA2D982000-memory.dmp

Filesize
136KB

Download
memory/3796-69-0x00007FF8BB100000-0x00007FF8BBBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-57-0x000002AA2DD30000-0x000002AA2DD6D000-memory.dmp

Filesize
244KB

Download
memory/3796-27-0x000002AA2D9B0000-0x000002AA2D9C0000-memory.dmp

Filesize
64KB

Download
memory/3796-70-0x000002AA2DD30000-0x000002AA2DD6D000-memory.dmp

Filesize
244KB

Download
memory/3796-26-0x000002AA2D9B0000-0x000002AA2D9C0000-memory.dmp

Filesize
64KB

Download
memory/3796-55-0x000002AA2DB10000-0x000002AA2DB18000-memory.dmp

Filesize
32KB

Download
memory/3796-25-0x00007FF8BB100000-0x00007FF8BBBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-28-0x000002AA2D9B0000-0x000002AA2D9C0000-memory.dmp

Filesize
64KB

Download
memory/3796-41-0x000002AA15380000-0x000002AA15388000-memory.dmp

Filesize
32KB

Download
memory/4008-78-0x000001FBB30B0000-0x000001FBB3154000-memory.dmp

Filesize
656KB

Download
memory/4008-79-0x000001FBB3070000-0x000001FBB3071000-memory.dmp

Filesize
4KB

Download
memory/4008-116-0x000001FBB30B0000-0x000001FBB3154000-memory.dmp

Filesize
656KB

Download
memory/4368-105-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4368-108-0x0000000001200000-0x0000000001298000-memory.dmp

Filesize
608KB

Download
memory/4368-100-0x0000000001200000-0x0000000001298000-memory.dmp

Filesize
608KB

Download
memory/4724-91-0x000001C395FD0000-0x000001C395FD1000-memory.dmp

Filesize
4KB

Download
memory/4724-90-0x000001C3966E0000-0x000001C396784000-memory.dmp

Filesize
656KB

Download
memory/4724-120-0x000001C3966E0000-0x000001C396784000-memory.dmp

Filesize
656KB

Download
memory/4768-117-0x000001A23A3A0000-0x000001A23A444000-memory.dmp

Filesize
656KB

Download
memory/4768-85-0x000001A2381B0000-0x000001A2381B1000-memory.dmp

Filesize
4KB

Download
memory/4768-84-0x000001A23A3A0000-0x000001A23A444000-memory.dmp

Filesize
656KB

Download