gozi | 3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd_JC.exe
Size

406KB
MD5

2f5a00394c3568e91f6302dc6c8b196c
SHA1

116f6ba99db4592f1ab5ccb1a734fdc5a52021bc
SHA256

3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd
SHA512

a30efa790e3ad7af4e574ef0bf359b6a91691947cf434ddcd30a228af29dea0a9b5c1daff050ecae6e88912e8f04813f1df9680e6fc896cee63e36476e4bbe36
SSDEEP

12288:l1HmKzwKhZhZsuyOtldw5hbu5Ty7pySxN1t:bHGKhZzLQ5Wn6H

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/2952-0-0x0000000000F40000-0x0000000000F4C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1504 set thread context of 3176	1504	powershell.exe	Explorer.EXE
PID 3176 set thread context of 3752	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 set thread context of 3952	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 set thread context of 4792	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 set thread context of 5088	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 set thread context of 4200	3176	Explorer.EXE	cmd.exe
PID 3176 set thread context of 3136	3176	Explorer.EXE	cmd.exe
PID 4200 set thread context of 4268	4200	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4268 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4268 PING.EXE

pid	process
4268	PING.EXE

pid	process
4268	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd_JC.exepowershell.exeExplorer.EXE

pid	process
2952	3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd_JC.exe
2952	3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd_JC.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3176 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1504 powershell.exe
3176 Explorer.EXE
3176 Explorer.EXE
3176 Explorer.EXE
3176 Explorer.EXE
3176 Explorer.EXE
3176 Explorer.EXE
4200 cmd.exe

pid	process
3176	Explorer.EXE

pid	process
1504	powershell.exe
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
4200	cmd.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3176 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3176 Explorer.EXE

pid	process
3176	Explorer.EXE

pid	process
3176	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3840 wrote to memory of 1504	3840	mshta.exe	powershell.exe
PID 3840 wrote to memory of 1504	3840	mshta.exe	powershell.exe
PID 1504 wrote to memory of 4892	1504	powershell.exe	csc.exe
PID 1504 wrote to memory of 4892	1504	powershell.exe	csc.exe
PID 4892 wrote to memory of 3556	4892	csc.exe	cvtres.exe
PID 4892 wrote to memory of 3556	4892	csc.exe	cvtres.exe
PID 1504 wrote to memory of 1344	1504	powershell.exe	csc.exe
PID 1504 wrote to memory of 1344	1504	powershell.exe	csc.exe
PID 1344 wrote to memory of 4584	1344	csc.exe	cvtres.exe
PID 1344 wrote to memory of 4584	1344	csc.exe	cvtres.exe
PID 1504 wrote to memory of 3176	1504	powershell.exe	Explorer.EXE
PID 1504 wrote to memory of 3176	1504	powershell.exe	Explorer.EXE
PID 1504 wrote to memory of 3176	1504	powershell.exe	Explorer.EXE
PID 1504 wrote to memory of 3176	1504	powershell.exe	Explorer.EXE
PID 3176 wrote to memory of 3752	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 3752	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 3752	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 3752	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 3952	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 3952	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 3952	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 3952	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 4792	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 4792	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 4792	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 4792	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 5088	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 5088	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 5088	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 5088	3176	Explorer.EXE	RuntimeBroker.exe
PID 3176 wrote to memory of 4200	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 4200	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 4200	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 3136	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 3136	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 3136	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 3136	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 4200	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 4200	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 3136	3176	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 3136	3176	Explorer.EXE	cmd.exe
PID 4200 wrote to memory of 4268	4200	cmd.exe	PING.EXE
PID 4200 wrote to memory of 4268	4200	cmd.exe	PING.EXE
PID 4200 wrote to memory of 4268	4200	cmd.exe	PING.EXE
PID 4200 wrote to memory of 4268	4200	cmd.exe	PING.EXE
PID 4200 wrote to memory of 4268	4200	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd_JC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ftc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ftc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name mhvuomrse -value gp; new-alias -name cavrxiylnf -value iex; cavrxiylnf ([System.Text.Encoding]::ASCII.GetString((mhvuomrse "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cx3nwtl1\cx3nwtl1.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3294.tmp" "c:\Users\Admin\AppData\Local\Temp\cx3nwtl1\CSC391A650656D541488C14E661BAF9D62.TMP"
5⤵
PID:3556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sc0ozrvk\sc0ozrvk.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3479.tmp" "c:\Users\Admin\AppData\Local\Temp\sc0ozrvk\CSC8B991A88A8B2434E85CD4A78033D37C.TMP"
5⤵
PID:4584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd_JC.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4268

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3136

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3294.tmp
Filesize
1KB

MD5
c7756ccfa535b7e2d3646a83f05bdc05

SHA1
2ed6369a0558c270c7550d3c331230f6d3d3746e

SHA256
8f6705617a00e3fe8bf4d5eaae7c2d86555b379a76de165dc99a7b01015fd35d

SHA512
a85aa057d11a33c7d5ffc5b3345241a20d0d27cf5e963f904afd29b2df66296e7e23e9e89fab63d653b15d78fe0952b7a51641de5a0a6a8a7ae76931aa439c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3479.tmp
Filesize
1KB

MD5
06f4ae5b1194900b6b06bcae9b807214

SHA1
76947def9d653a6926d9afa21ccb8c5776aea210

SHA256
dbc5cd00795ff11e4d1091485e82238e2c15eade984c580f9f5c534eafa401e6

SHA512
52c249393f11ad8f35dba6b47ff4b09708b6b0369b90e834f03ae758f9b5bb023bc453e9584ea6b7749a8f093ac215b7747d0594610164a02e3ee709e148c9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogvuipis.jjg.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cx3nwtl1\cx3nwtl1.dll
Filesize
3KB

MD5
75ee7cf90208f32f5fc8301692a89065

SHA1
a58ecd1a9fb9f073085f908c4f1c3d84222cd33f

SHA256
4dbf4a498e2852ba555023deecebeda5975e933425d9043384c1da2f4750f1ec

SHA512
42772c3bbda41d98181747dd4fe8212f251b418c9e68860ecc3cfabf77c4bbe5e25ced699d7f6961b7745a3f1cf99b532c42038167a24b5da9ca3b98ee87723c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sc0ozrvk\sc0ozrvk.dll
Filesize
3KB

MD5
8efd9f4d5e04e5a9c850f96ddccbe0c2

SHA1
8ca35638b0e057834cc25200d1506e3d65e64fbf

SHA256
89d9a1232e9ed0c67a585198deaf02bbfafc58079ef560398081e32df560f703

SHA512
b3ecd4e325cf3674406dd63b90cb1573c7609b4d95ecf2d7835f79be76e500edc733a244b4700dc4c3c69c0825349292fa669068cc82ac75507511b1f729117d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cx3nwtl1\CSC391A650656D541488C14E661BAF9D62.TMP
Filesize
652B

MD5
4ad60d1b7a23a159451506d8f287fe68

SHA1
53d76e3601afced2bfb73e6ed19eea9b0fd5d512

SHA256
eb4bb7ed14b171bdf857f9dc31584d1c629e7c6964185dd2a1ab67a3390dffe3

SHA512
4caee26857cf3cc47cf8c34a7cd0ae3559446a7e93f33439c2f481fe08280208696b42bf69aedaa35789c89302c5d0e5603d9589b51f938c1079565f1044f55f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cx3nwtl1\cx3nwtl1.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cx3nwtl1\cx3nwtl1.cmdline
Filesize
369B

MD5
f12295169655efdc64f52da53dddbce1

SHA1
50f6f6e70e2980ab28accc2da5a8fd74253354f5

SHA256
0414da431bc515a94b9c92a0ec4b3b6f93f70121ad96003218cbad8c77a3c3a7

SHA512
794606d4c9e3fdd5719ba0caae3c56fe11596497b28de6ef4e14668be93420f858f5331ac2ab7ba680a3e6d3fe3e763d47fef823b1eadd308ee46c76938f0903

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sc0ozrvk\CSC8B991A88A8B2434E85CD4A78033D37C.TMP
Filesize
652B

MD5
2a806ecf18862dc45b4733d91b52b4f7

SHA1
de4c34fd081532ea544b4ff4c734c3feadb0a84c

SHA256
b769b131729d6b2c9e35599f6f1a8eedcd5398c46bf972ce239c6208b36deedc

SHA512
967a24e0665abb3bc0439a28ae5ef62a8ecbd9a51972e596d18840b8eb631ce494276cfcf36fceba17d116a4d7cb466ae3da2cf73d2098c945c08ae1ca33c88e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sc0ozrvk\sc0ozrvk.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sc0ozrvk\sc0ozrvk.cmdline
Filesize
369B

MD5
68f85d66a352ac2be80b9e2d71f67d6b

SHA1
ca78bdc66f133e6907249688e6d15f093ee84fe1

SHA256
226edf5319e12ed1d292693476b3786e21674d79d82eaa93b57ae40b221a0ba9

SHA512
2fc8752a6871847a8c8329cd6be4fbc80683c98046f990589526efc8c17f936abdf88b68b75c072e4cb9ea92dd1886cd288c204dc30d300f7793f822fc0c485d

Download Submit
memory/1504-57-0x0000022347180000-0x00000223471BD000-memory.dmp

Filesize
244KB

Download
memory/1504-28-0x000002232E6D0000-0x000002232E6E0000-memory.dmp

Filesize
64KB

Download
memory/1504-55-0x0000022347170000-0x0000022347178000-memory.dmp

Filesize
32KB

Download
memory/1504-76-0x0000022347180000-0x00000223471BD000-memory.dmp

Filesize
244KB

Download
memory/1504-41-0x000002232E920000-0x000002232E928000-memory.dmp

Filesize
32KB

Download
memory/1504-27-0x000002232E6D0000-0x000002232E6E0000-memory.dmp

Filesize
64KB

Download
memory/1504-21-0x0000022346C80000-0x0000022346CA2000-memory.dmp

Filesize
136KB

Download
memory/1504-25-0x00007FFEAC350000-0x00007FFEACE11000-memory.dmp

Filesize
10.8MB

Download
memory/1504-74-0x00007FFEAC350000-0x00007FFEACE11000-memory.dmp

Filesize
10.8MB

Download
memory/1504-26-0x000002232E6D0000-0x000002232E6E0000-memory.dmp

Filesize
64KB

Download
memory/1504-67-0x0000022346DF0000-0x0000022346F3E000-memory.dmp

Filesize
1.3MB

Download
memory/2952-11-0x0000000002B60000-0x0000000002B6D000-memory.dmp

Filesize
52KB

Download
memory/2952-1-0x0000000000F50000-0x0000000000F5F000-memory.dmp

Filesize
60KB

Download
memory/2952-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2952-0-0x0000000000F40000-0x0000000000F4C000-memory.dmp

Filesize
48KB

Download
memory/3136-108-0x00000000014F0000-0x0000000001588000-memory.dmp

Filesize
608KB

Download
memory/3136-106-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3136-100-0x00000000014F0000-0x0000000001588000-memory.dmp

Filesize
608KB

Download
memory/3176-60-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/3176-59-0x0000000008720000-0x00000000087C4000-memory.dmp

Filesize
656KB

Download
memory/3176-99-0x0000000008720000-0x00000000087C4000-memory.dmp

Filesize
656KB

Download
memory/3752-71-0x0000019CB2B00000-0x0000019CB2BA4000-memory.dmp

Filesize
656KB

Download
memory/3752-113-0x0000019CB2B00000-0x0000019CB2BA4000-memory.dmp

Filesize
656KB

Download
memory/3752-72-0x0000019CB2720000-0x0000019CB2721000-memory.dmp

Filesize
4KB

Download
memory/3952-117-0x000001D68A010000-0x000001D68A0B4000-memory.dmp

Filesize
656KB

Download
memory/3952-78-0x000001D68A010000-0x000001D68A0B4000-memory.dmp

Filesize
656KB

Download
memory/3952-79-0x000001D689FD0000-0x000001D689FD1000-memory.dmp

Filesize
4KB

Download
memory/4200-98-0x000001AD60030000-0x000001AD600D4000-memory.dmp

Filesize
656KB

Download
memory/4200-121-0x000001AD60030000-0x000001AD600D4000-memory.dmp

Filesize
656KB

Download
memory/4200-103-0x000001AD600E0000-0x000001AD600E1000-memory.dmp

Filesize
4KB

Download
memory/4268-110-0x00000246C8E80000-0x00000246C8F24000-memory.dmp

Filesize
656KB

Download
memory/4268-111-0x00000246C8CC0000-0x00000246C8CC1000-memory.dmp

Filesize
4KB

Download
memory/4268-120-0x00000246C8E80000-0x00000246C8F24000-memory.dmp

Filesize
656KB

Download
memory/4792-85-0x0000020B4D450000-0x0000020B4D4F4000-memory.dmp

Filesize
656KB

Download
memory/4792-86-0x0000020B4CBF0000-0x0000020B4CBF1000-memory.dmp

Filesize
4KB

Download
memory/4792-119-0x0000020B4D450000-0x0000020B4D4F4000-memory.dmp

Filesize
656KB

Download
memory/5088-91-0x0000015109E40000-0x0000015109EE4000-memory.dmp

Filesize
656KB

Download
memory/5088-118-0x0000015109E40000-0x0000015109EE4000-memory.dmp

Filesize
656KB

Download
memory/5088-92-0x0000015109760000-0x0000015109761000-memory.dmp

Filesize
4KB

Download