gozi | bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

422KB
MD5

c788f8e7a2d0311297bd198ca9d05ec8
SHA1

64240992ba99ae27b0bb4fe277a95524a4b139db
SHA256

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd
SHA512

2295c28aa11e3c1ea09f0ba790ea1e8322b3c996f4f27bf0aec9edf0997329ea8d13b98417e856f7bd922f4a0d9ef786117b8354a04b752d53e6b53733db4f5d
SSDEEP

6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/3292-0-0x0000000001560000-0x000000000156C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2252 set thread context of 3160	2252	powershell.exe	Explorer.EXE
PID 3160 set thread context of 3720	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 set thread context of 4064	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 set thread context of 1692	3160	Explorer.EXE	cmd.exe
PID 3160 set thread context of 2000	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 set thread context of 2948	3160	Explorer.EXE	RuntimeBroker.exe
PID 1692 set thread context of 2932	1692	cmd.exe	PING.EXE
PID 3160 set thread context of 3184	3160	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2932 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2932 PING.EXE

pid	process
2932	PING.EXE

pid	process
2932	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exepowershell.exeExplorer.EXE

pid	process
3292	Client.exe
3292	Client.exe
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2252 powershell.exe
3160 Explorer.EXE
3160 Explorer.EXE
3160 Explorer.EXE
3160 Explorer.EXE
3160 Explorer.EXE
1692 cmd.exe
3160 Explorer.EXE

pid	process
3160	Explorer.EXE

pid	process
2252	powershell.exe
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
1692	cmd.exe
3160	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE

pid	process
3160	Explorer.EXE

pid	process
3160	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4660 wrote to memory of 2252	4660	mshta.exe	powershell.exe
PID 4660 wrote to memory of 2252	4660	mshta.exe	powershell.exe
PID 2252 wrote to memory of 4852	2252	powershell.exe	csc.exe
PID 2252 wrote to memory of 4852	2252	powershell.exe	csc.exe
PID 4852 wrote to memory of 2728	4852	csc.exe	cvtres.exe
PID 4852 wrote to memory of 2728	4852	csc.exe	cvtres.exe
PID 2252 wrote to memory of 2632	2252	powershell.exe	csc.exe
PID 2252 wrote to memory of 2632	2252	powershell.exe	csc.exe
PID 2632 wrote to memory of 4608	2632	csc.exe	cvtres.exe
PID 2632 wrote to memory of 4608	2632	csc.exe	cvtres.exe
PID 2252 wrote to memory of 3160	2252	powershell.exe	Explorer.EXE
PID 2252 wrote to memory of 3160	2252	powershell.exe	Explorer.EXE
PID 2252 wrote to memory of 3160	2252	powershell.exe	Explorer.EXE
PID 2252 wrote to memory of 3160	2252	powershell.exe	Explorer.EXE
PID 3160 wrote to memory of 3720	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3720	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 1692	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 1692	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 1692	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 3720	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3720	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 4064	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 4064	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 4064	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 1692	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 4064	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 2000	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 2000	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 1692	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 2000	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 2000	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 2948	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 2948	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 2948	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 2948	3160	Explorer.EXE	RuntimeBroker.exe
PID 1692 wrote to memory of 2932	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 2932	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 2932	1692	cmd.exe	PING.EXE
PID 3160 wrote to memory of 3184	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 3184	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 3184	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 3184	3160	Explorer.EXE	cmd.exe
PID 1692 wrote to memory of 2932	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 2932	1692	cmd.exe	PING.EXE
PID 3160 wrote to memory of 3184	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 3184	3160	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3720

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4064

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Pono='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pono).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sasspqrts -value gp; new-alias -name qndrfqnodu -value iex; qndrfqnodu ([System.Text.Encoding]::ASCII.GetString((sasspqrts "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\leta0m15\leta0m15.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B4A.tmp" "c:\Users\Admin\AppData\Local\Temp\leta0m15\CSCA338201AE52B40748DD7B34F92235A1B.TMP"
5⤵
PID:2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ixanufpf\ixanufpf.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C25.tmp" "c:\Users\Admin\AppData\Local\Temp\ixanufpf\CSCEDBC93B74E10466EA17D921E4764D5B.TMP"
5⤵
PID:4608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2932

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5B4A.tmp
Filesize
1KB

MD5
79c24f3d3231d2d75b48b7ce9cef1d0b

SHA1
273283b27334e937d05c905fba9a2ef1c91884ca

SHA256
a7804a770d3da2ca88879a2c32fedd39e6d3b01de07ef73e11b91d44bf9a37a9

SHA512
0d6a1f8d37223b0b85ade2076d754a1d1fb8d9007a53fb04fdf127832d68b71ee505d84588e13e1e099e38dca8cf7035e2b635e169fc48aff5cf57d11a2a52f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5C25.tmp
Filesize
1KB

MD5
116970d4592f4ae23052217cf77515bc

SHA1
84d6e1ff1a255fca1492f740abbea38b4c44f23e

SHA256
d4d9c959a593dc007fdb297d7b17b74fa53286b9360456bc8728b129a4deec5a

SHA512
99aa401c1c0dfd0fff29baba83d0ac120bc0671b78818ee60cb1aa970ce28076c59771cb94075b3173651e8c7f9ab520f26f1c6b3b8fee28b6b619ca69be32da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqqhaf5f.qgl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixanufpf\ixanufpf.dll
Filesize
3KB

MD5
05fe5aabad18a42fd35b72d765ea1b85

SHA1
8dc001edf577eb04fd372733114da30fbd70d0e9

SHA256
a804a9fc4ff05096714fb7d3b32b138548ae92a7b95d72ee45ec3fbce13329b5

SHA512
2969c790a6021c2a2c591f4590d00ae9d27f94c20e9860f80deef2efadd27af7df60c529cd5b33e98735b8cdb11fee19952446c80c1587e9e5840b6675d88555

Download Submit
C:\Users\Admin\AppData\Local\Temp\leta0m15\leta0m15.dll
Filesize
3KB

MD5
741d9f01c2afd1175a61086fae7f47ff

SHA1
dd53ca6e21473548f3f140c9d1153253a4b2e4ca

SHA256
4bbcb4724db01067f61aa89d9897c7cd837db49fd93e253f99cdfff25fbe3fcb

SHA512
c419dd5d55809af42a5de1aceed7365e149d85ad8c62e574e589db6def6cd5764a1cc38e32b449a30d7203e1bac072cbb40ef48d4257735be7abd4a6993ce198

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ixanufpf\CSCEDBC93B74E10466EA17D921E4764D5B.TMP
Filesize
652B

MD5
22535186cc1930e1dc0affee4d38d56e

SHA1
649b91f09303b8929a4865f2856d47d0e314b108

SHA256
e6f24d8c986e33106fffa22ef37e6cadcc7af211879dc7d7e60abb2b0485a8b1

SHA512
7192467d72e962a8f07adce074658abc731226a8d3516d19dcc0dcab730a3e556502a9f4c3f494c131610e1ee60a9c1b6069c20da20db63e14c5c5c000897b23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ixanufpf\ixanufpf.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ixanufpf\ixanufpf.cmdline
Filesize
369B

MD5
ecd8b84a1ee40187880b3cbcd23d6d1a

SHA1
37c72ee7c144cc2cc92e9f65a5d7e4ca769fce98

SHA256
68299938b0266c4eec7aed03eeda2eff04b23eb418ac94568a683dba2318b0d3

SHA512
368403dc434ab968437235550ee7d39355fafb2679c90f0025290cf8cffa9d717521cd64824f615c556d1bc69d8c8d0f581a51519fdee4caa9bde5cbd6df91ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\leta0m15\CSCA338201AE52B40748DD7B34F92235A1B.TMP
Filesize
652B

MD5
d6d93579fe9a553e1e7e999dbb325466

SHA1
20b4443085cee5a8d5d74d86904a3a31bd9e5a0d

SHA256
bb9739bd1d1fa9d469d9b979a8d9904ec144aba1e62aefb6be4cf396028544a7

SHA512
ecf99d2d0802a7ef75b47bedea4aadaaca6d7349acb8fc4d9541292681af000e6db6f232d8cbe17b0332a5a165aef92e81abbfbb9536ce25b0b5eead0f45bf10

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\leta0m15\leta0m15.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\leta0m15\leta0m15.cmdline
Filesize
369B

MD5
f7df163ee2e5de94a2359407c63f2150

SHA1
734911a6d3bb23cca05cf98e62b60ad01425f160

SHA256
44471f29acbf6cea3d632a1dd18a1dec7d4c24aedaf3797cc34d464d07ab7138

SHA512
cc2c08e9ba9638c4694087b56820a5bf3614b20eace0a896fd0797654d7714ddd1a62a7ac6a8176014f1e1cfed7349204585cadbe8d0065a828004bfef7d5a48

Download Submit
memory/1692-83-0x0000025C28E40000-0x0000025C28E41000-memory.dmp

Filesize
4KB

Download
memory/1692-80-0x0000025C28E90000-0x0000025C28F34000-memory.dmp

Filesize
656KB

Download
memory/1692-118-0x0000025C28E90000-0x0000025C28F34000-memory.dmp

Filesize
656KB

Download
memory/2000-119-0x000001AAE7FB0000-0x000001AAE8054000-memory.dmp

Filesize
656KB

Download
memory/2000-90-0x000001AAE5DC0000-0x000001AAE5DC1000-memory.dmp

Filesize
4KB

Download
memory/2000-87-0x000001AAE7FB0000-0x000001AAE8054000-memory.dmp

Filesize
656KB

Download
memory/2252-64-0x00007FFE7C4B0000-0x00007FFE7CF71000-memory.dmp

Filesize
10.8MB

Download
memory/2252-40-0x0000028051F10000-0x0000028051F18000-memory.dmp

Filesize
32KB

Download
memory/2252-54-0x0000028051F30000-0x0000028051F38000-memory.dmp

Filesize
32KB

Download
memory/2252-27-0x0000028051E00000-0x0000028051E10000-memory.dmp

Filesize
64KB

Download
memory/2252-56-0x00000280520B0000-0x00000280520ED000-memory.dmp

Filesize
244KB

Download
memory/2252-24-0x0000028051F40000-0x0000028051F62000-memory.dmp

Filesize
136KB

Download
memory/2252-25-0x00007FFE7C4B0000-0x00007FFE7CF71000-memory.dmp

Filesize
10.8MB

Download
memory/2252-26-0x0000028051E00000-0x0000028051E10000-memory.dmp

Filesize
64KB

Download
memory/2252-65-0x00000280520B0000-0x00000280520ED000-memory.dmp

Filesize
244KB

Download
memory/2932-120-0x000002D8E3330000-0x000002D8E33D4000-memory.dmp

Filesize
656KB

Download
memory/2932-103-0x000002D8E31D0000-0x000002D8E31D1000-memory.dmp

Filesize
4KB

Download
memory/2932-102-0x000002D8E3330000-0x000002D8E33D4000-memory.dmp

Filesize
656KB

Download
memory/2948-97-0x0000019813F00000-0x0000019813F01000-memory.dmp

Filesize
4KB

Download
memory/2948-121-0x0000019813E50000-0x0000019813EF4000-memory.dmp

Filesize
656KB

Download
memory/2948-95-0x0000019813E50000-0x0000019813EF4000-memory.dmp

Filesize
656KB

Download
memory/3160-105-0x00000000091C0000-0x0000000009264000-memory.dmp

Filesize
656KB

Download
memory/3160-58-0x00000000091C0000-0x0000000009264000-memory.dmp

Filesize
656KB

Download
memory/3160-59-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/3184-109-0x00000000013D0000-0x0000000001468000-memory.dmp

Filesize
608KB

Download
memory/3184-110-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3184-116-0x00000000013D0000-0x0000000001468000-memory.dmp

Filesize
608KB

Download
memory/3292-11-0x00000000015A0000-0x00000000015AD000-memory.dmp

Filesize
52KB

Download
memory/3292-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3292-0-0x0000000001560000-0x000000000156C000-memory.dmp

Filesize
48KB

Download
memory/3292-1-0x0000000001570000-0x000000000157F000-memory.dmp

Filesize
60KB

Download
memory/3720-72-0x000002AF26B30000-0x000002AF26B31000-memory.dmp

Filesize
4KB

Download
memory/3720-112-0x000002AF26F00000-0x000002AF26FA4000-memory.dmp

Filesize
656KB

Download
memory/3720-71-0x000002AF26F00000-0x000002AF26FA4000-memory.dmp

Filesize
656KB

Download
memory/4064-79-0x000001BD7A070000-0x000001BD7A071000-memory.dmp

Filesize
4KB

Download
memory/4064-77-0x000001BD7A0B0000-0x000001BD7A154000-memory.dmp

Filesize
656KB

Download
memory/4064-117-0x000001BD7A0B0000-0x000001BD7A154000-memory.dmp

Filesize
656KB

Download