gozi | d96cfe4d4513c1c860bbc38ee8f5f0cc50a4c162165ec071de75c6101b84b7a6

Resubmissions

07-10-2023 03:42

231007-d9vl2sha5z 10

07-10-2023 02:04

231007-chrweabb25 10

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-10-2023 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
Size

304KB
MD5

a3f4c907a088c99a8b7bf5f4280d7d0c
SHA1

9a9297bd0af1c008eb7477c1e310ce70c30c6d56
SHA256

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6
SHA512

106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b
SSDEEP

6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral3/memory/1368-1-0x0000000000090000-0x000000000009C000-memory.dmp	dave

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1504 cmd.exe

pid	process
1504	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2824 set thread context of 1208	2824	powershell.exe	Explorer.EXE
PID 1208 set thread context of 1504	1208	Explorer.EXE	cmd.exe
PID 1504 set thread context of 2284	1504	cmd.exe	PING.EXE
PID 1208 set thread context of 2884	1208	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2284 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2284 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2284	PING.EXE

pid	process
2284	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exepowershell.exeExplorer.EXE

pid	process
1368	7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
2824	powershell.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2824 powershell.exe
1208 Explorer.EXE
1504 cmd.exe
1208 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2824 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

pid	process
1208	Explorer.EXE

pid	process
2824	powershell.exe
1208	Explorer.EXE
1504	cmd.exe
1208	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2824	powershell.exe

pid	process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1620 wrote to memory of 2824	1620	mshta.exe	powershell.exe
PID 1620 wrote to memory of 2824	1620	mshta.exe	powershell.exe
PID 1620 wrote to memory of 2824	1620	mshta.exe	powershell.exe
PID 2824 wrote to memory of 2424	2824	powershell.exe	csc.exe
PID 2824 wrote to memory of 2424	2824	powershell.exe	csc.exe
PID 2824 wrote to memory of 2424	2824	powershell.exe	csc.exe
PID 2424 wrote to memory of 1812	2424	csc.exe	cvtres.exe
PID 2424 wrote to memory of 1812	2424	csc.exe	cvtres.exe
PID 2424 wrote to memory of 1812	2424	csc.exe	cvtres.exe
PID 2824 wrote to memory of 2448	2824	powershell.exe	csc.exe
PID 2824 wrote to memory of 2448	2824	powershell.exe	csc.exe
PID 2824 wrote to memory of 2448	2824	powershell.exe	csc.exe
PID 2448 wrote to memory of 2176	2448	csc.exe	cvtres.exe
PID 2448 wrote to memory of 2176	2448	csc.exe	cvtres.exe
PID 2448 wrote to memory of 2176	2448	csc.exe	cvtres.exe
PID 2824 wrote to memory of 1208	2824	powershell.exe	Explorer.EXE
PID 2824 wrote to memory of 1208	2824	powershell.exe	Explorer.EXE
PID 2824 wrote to memory of 1208	2824	powershell.exe	Explorer.EXE
PID 1208 wrote to memory of 1504	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 1504	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 1504	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 1504	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 1504	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 1504	1208	Explorer.EXE	cmd.exe
PID 1504 wrote to memory of 2284	1504	cmd.exe	PING.EXE
PID 1504 wrote to memory of 2284	1504	cmd.exe	PING.EXE
PID 1504 wrote to memory of 2284	1504	cmd.exe	PING.EXE
PID 1504 wrote to memory of 2284	1504	cmd.exe	PING.EXE
PID 1504 wrote to memory of 2284	1504	cmd.exe	PING.EXE
PID 1504 wrote to memory of 2284	1504	cmd.exe	PING.EXE
PID 1208 wrote to memory of 2884	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2884	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2884	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2884	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2884	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2884	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2884	1208	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
"C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gh5b='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gh5b).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\30BA078A-CF87-E252-D964-73361DD857CA\\\TimeContact'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jhwqjwktbe -value gp; new-alias -name kghcbs -value iex; kghcbs ([System.Text.Encoding]::ASCII.GetString((jhwqjwktbe "HKCU:Software\AppDataLow\Software\Microsoft\30BA078A-CF87-E252-D964-73361DD857CA").ChartText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j-cclv_o.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B9D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B9C.tmp"
5⤵
PID:1812

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ml2zllxa.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C87.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1C76.tmp"
5⤵
PID:2176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2284

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1B9D.tmp

Filesize
1KB

MD5
770cd143cab08f38b02950d720af831e

SHA1
aa3822caf4e657e9f0003741b57190fb76250a1f

SHA256
061961b30fe7b01e100f17aed7587625d9540857b60a1c89da6497129a99e076

SHA512
c02b1bf3340eb105ae888973e9f9a263db20a951be305a5e6f75b2370427eaf526c5a26d28ef642cf3c8833729220acee69737f54244095a948e4db863ad0f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C87.tmp

Filesize
1KB

MD5
263a8936e8967af07d48a3f1d43cdcb7

SHA1
53a47c82e6f8733dddd7b2a85d516cecbc0aa61a

SHA256
a7ae99f398cfbb11b6130c1f5857f1badf71cfbfe04b4f3c72641b9278a0012b

SHA512
8119e8516b477accfe97f6da0a90f0b31d2081286a1ef26d4d08d32db8e4ea4d809e79f84789f3c27243fc9e94a13a07faa3c80837c328de885451da39b530e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\j-cclv_o.dll

Filesize
3KB

MD5
1304cdb3b984cbed684076a0a5b77ca1

SHA1
51c9c2da09ce249326fcaf1eface30798dc0ccfd

SHA256
ec36b398b70d950976f94cb024c67f6b8fbe1ad995d3b3ea769f6e2e26c35230

SHA512
ad1fd6ff9d14a55f546d89a80c0c94d4220b9148ba3375d05234482d87358bba14eb88e9de321763dfc97a6481f1863f252608adc4c80b9c6d952b735bc59a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\j-cclv_o.pdb

Filesize
7KB

MD5
906347f45425ba3bc850e960d6399b41

SHA1
061dbcd1593d0790d3775cfabe7502106aa61214

SHA256
41f47b49a6ed31751ac5abb3d09b23263a1cebdea4a4911ac93d2ca84416f4e6

SHA512
e10b7b44a61f77a07e761a6511a9520ab3bf010edb17e82befd7b0a892776e024555ddb3f602f8e3b6f51075cafded1f6a029638b7eba26a79c7efd923bd040c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ml2zllxa.dll

Filesize
3KB

MD5
d705200ac094c53c6c3eac8ce3558cee

SHA1
fbf6b832f4c58c67430a31417cc7dee3af988a5b

SHA256
086592e303e00aa207bbc518b36a0d6e69d38397888aca69d3df5ebf8eb6be55

SHA512
543a433080c6cb6cd2e8d977638be6b3f2e66aaecd91fa762301e8f650967ff527b8f6a67069cbbede1985e34a877596a3b7858b615844d35b9ece1db3713840

Download Submit
C:\Users\Admin\AppData\Local\Temp\ml2zllxa.pdb

Filesize
7KB

MD5
8ee83f01aea9f689db2491b9ad8afcfd

SHA1
252f1fa533d4d1e30663afc38e19b7082cc3736e

SHA256
9fbc20e10b4d99afb2c7c435e2590388eb4ed60927edd7f9fca261006ddaa8f9

SHA512
ab922ff9d59d17e3b9897495112c946c9ce149b1ef50783509a209e246c0b40c0367886d14dfe49b4ff2c0f905f4b2851a76dc8dc211cad3e8dae9ef26b4c509

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1B9C.tmp

Filesize
652B

MD5
8062d5ea02f700c32d42cea65bc97b8f

SHA1
1c753dd5ed2ad08842cba9ceea0359995571ab9f

SHA256
b6de90db21ac5e559afc65e2bef0dade7fbfe68210b08158ebd458fa50259a0e

SHA512
5523841c4bb34b15469a1b8c8a849b5cd9d19828b70ce5544cb42031f7e35490fcad3bc2272b2ba4369d97c3ef3b239d41d9ac83ca6f56f9c2166d86e61da2e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1C76.tmp

Filesize
652B

MD5
b245975c1459152d3173532a7f123f7e

SHA1
62070af94f6103f57fca7e790fd97eea53a04b8a

SHA256
0f6410b59b925a473e0d298f0a5b5bdbc96a4e7236c19b08c0ffa8f151d5e021

SHA512
392fb85cf6b93ebde02920497ae95c7fbbdef3168b7b93a80fc6d59f529eae858e283b46c207b2485fc4dc50a2561d736a62cc5380007c3389884686466fa0d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j-cclv_o.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j-cclv_o.cmdline

Filesize
309B

MD5
fbb685837fd2676e0deb9e4a60cd4c7b

SHA1
69f81e07e8c11c7439b8def8537a799994f5e4c0

SHA256
f348dcfc6ec0601713287896f4715b2140e5f429a563e96ec448a07eb95c9280

SHA512
c68e065cb30b1f455c39a81e26a341a50741fa98c7daaadc6b1c8b5a561a0a6c461f7a65b42bfe82575a0d6bdb0bc01cfcfbfbc316df616641d77f8597bb177f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ml2zllxa.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ml2zllxa.cmdline

Filesize
309B

MD5
16fd7a9a4992587d5f0a7e0c97f42a64

SHA1
790d1a1b4904fd409b3b74211b4562560d452806

SHA256
885bcf692a896590b52fcb3521fae1115234b9345cc20a1b41f0c4b9c94a9f39

SHA512
ff9cf3ff71fca4b95ec62096f7c22930c4bb6a03f9b05c1e22be3e5a17ca1b96d28a1b242abba490ff2dc441c32118c43d771a530e4d0f85c85242a20f925e07

Download Submit
memory/1208-91-0x0000000003DF0000-0x0000000003E94000-memory.dmp

Filesize
656KB

Download
memory/1208-62-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1208-61-0x0000000003DF0000-0x0000000003E94000-memory.dmp

Filesize
656KB

Download
memory/1368-14-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/1368-1-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1368-11-0x0000000000180000-0x000000000018D000-memory.dmp

Filesize
52KB

Download
memory/1368-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1368-0-0x00000000000A0000-0x00000000000AF000-memory.dmp

Filesize
60KB

Download
memory/1504-72-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/1504-93-0x0000000001BA0000-0x0000000001C44000-memory.dmp

Filesize
656KB

Download
memory/1504-74-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1504-73-0x0000000001BA0000-0x0000000001C44000-memory.dmp

Filesize
656KB

Download
memory/2284-92-0x00000000001A0000-0x0000000000244000-memory.dmp

Filesize
656KB

Download
memory/2284-81-0x00000000001A0000-0x0000000000244000-memory.dmp

Filesize
656KB

Download
memory/2284-80-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2284-78-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/2448-48-0x0000000002310000-0x0000000002390000-memory.dmp

Filesize
512KB

Download
memory/2824-20-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2824-25-0x000007FEF37B0000-0x000007FEF414D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-70-0x000007FEF37B0000-0x000007FEF414D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-71-0x0000000002850000-0x000000000288D000-memory.dmp

Filesize
244KB

Download
memory/2824-22-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2824-60-0x0000000002850000-0x000000000288D000-memory.dmp

Filesize
244KB

Download
memory/2824-23-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2824-24-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2824-57-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/2824-21-0x000007FEF37B0000-0x000007FEF414D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-40-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/2824-26-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2824-19-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2884-90-0x0000000000320000-0x00000000003B8000-memory.dmp

Filesize
608KB

Download
memory/2884-89-0x0000000000320000-0x00000000003B8000-memory.dmp

Filesize
608KB

Download
memory/2884-88-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2884-85-0x0000000000320000-0x00000000003B8000-memory.dmp

Filesize
608KB

Download