gozi | bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

422KB
MD5

c788f8e7a2d0311297bd198ca9d05ec8
SHA1

64240992ba99ae27b0bb4fe277a95524a4b139db
SHA256

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd
SHA512

2295c28aa11e3c1ea09f0ba790ea1e8322b3c996f4f27bf0aec9edf0997329ea8d13b98417e856f7bd922f4a0d9ef786117b8354a04b752d53e6b53733db4f5d
SSDEEP

6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/940-0-0x0000000001500000-0x000000000150C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

Client.execontrol.exepowershell.exeExplorer.EXE

description	pid	process	target process
PID 940 set thread context of 2832	940	Client.exe	control.exe
PID 2832 set thread context of 2564	2832	control.exe	Explorer.EXE
PID 1416 set thread context of 2564	1416	powershell.exe	Explorer.EXE
PID 2564 set thread context of 3784	2564	Explorer.EXE	RuntimeBroker.exe
PID 2832 set thread context of 4532	2832	control.exe	rundll32.exe
PID 2564 set thread context of 3156	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 set thread context of 4792	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 set thread context of 3500	2564	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exepowershell.exeExplorer.EXE

pid	process
940	Client.exe
940	Client.exe
1416	powershell.exe
1416	powershell.exe
1416	powershell.exe
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE
2564	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2564 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

Client.execontrol.exepowershell.exeExplorer.EXE

pid process

940 Client.exe
2832 control.exe
1416 powershell.exe
2564 Explorer.EXE
2832 control.exe
2564 Explorer.EXE
2564 Explorer.EXE
2564 Explorer.EXE

pid	process
2564	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeShutdownPrivilege	2564	Explorer.EXE
Token: SeCreatePagefilePrivilege	2564	Explorer.EXE
Token: SeShutdownPrivilege	2564	Explorer.EXE
Token: SeCreatePagefilePrivilege	2564	Explorer.EXE
Token: SeShutdownPrivilege	2564	Explorer.EXE
Token: SeCreatePagefilePrivilege	2564	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2564 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2564 Explorer.EXE

pid	process
2564	Explorer.EXE

pid	process
2564	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.exeClient.execsc.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 216 wrote to memory of 1416	216	mshta.exe	powershell.exe
PID 216 wrote to memory of 1416	216	mshta.exe	powershell.exe
PID 1416 wrote to memory of 1404	1416	powershell.exe	csc.exe
PID 1416 wrote to memory of 1404	1416	powershell.exe	csc.exe
PID 1404 wrote to memory of 4704	1404	csc.exe	cvtres.exe
PID 1404 wrote to memory of 4704	1404	csc.exe	cvtres.exe
PID 940 wrote to memory of 2832	940	Client.exe	control.exe
PID 940 wrote to memory of 2832	940	Client.exe	control.exe
PID 940 wrote to memory of 2832	940	Client.exe	control.exe
PID 1416 wrote to memory of 752	1416	powershell.exe	csc.exe
PID 1416 wrote to memory of 752	1416	powershell.exe	csc.exe
PID 752 wrote to memory of 3600	752	csc.exe	cvtres.exe
PID 752 wrote to memory of 3600	752	csc.exe	cvtres.exe
PID 940 wrote to memory of 2832	940	Client.exe	control.exe
PID 940 wrote to memory of 2832	940	Client.exe	control.exe
PID 2832 wrote to memory of 2564	2832	control.exe	Explorer.EXE
PID 2832 wrote to memory of 2564	2832	control.exe	Explorer.EXE
PID 2832 wrote to memory of 2564	2832	control.exe	Explorer.EXE
PID 2832 wrote to memory of 2564	2832	control.exe	Explorer.EXE
PID 1416 wrote to memory of 2564	1416	powershell.exe	Explorer.EXE
PID 1416 wrote to memory of 2564	1416	powershell.exe	Explorer.EXE
PID 2564 wrote to memory of 3784	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 wrote to memory of 3784	2564	Explorer.EXE	RuntimeBroker.exe
PID 1416 wrote to memory of 2564	1416	powershell.exe	Explorer.EXE
PID 2564 wrote to memory of 3784	2564	Explorer.EXE	RuntimeBroker.exe
PID 1416 wrote to memory of 2564	1416	powershell.exe	Explorer.EXE
PID 2832 wrote to memory of 4532	2832	control.exe	rundll32.exe
PID 2832 wrote to memory of 4532	2832	control.exe	rundll32.exe
PID 2832 wrote to memory of 4532	2832	control.exe	rundll32.exe
PID 2564 wrote to memory of 3784	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 wrote to memory of 3156	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 wrote to memory of 3156	2564	Explorer.EXE	RuntimeBroker.exe
PID 2832 wrote to memory of 4532	2832	control.exe	rundll32.exe
PID 2832 wrote to memory of 4532	2832	control.exe	rundll32.exe
PID 2564 wrote to memory of 3156	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 wrote to memory of 3156	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 wrote to memory of 4792	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 wrote to memory of 4792	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 wrote to memory of 4792	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 wrote to memory of 4792	2564	Explorer.EXE	RuntimeBroker.exe
PID 2564 wrote to memory of 3500	2564	Explorer.EXE	cmd.exe
PID 2564 wrote to memory of 3500	2564	Explorer.EXE	cmd.exe
PID 2564 wrote to memory of 3500	2564	Explorer.EXE	cmd.exe
PID 2564 wrote to memory of 3500	2564	Explorer.EXE	cmd.exe
PID 2564 wrote to memory of 3500	2564	Explorer.EXE	cmd.exe
PID 2564 wrote to memory of 3500	2564	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe -h
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
4⤵
PID:4532

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>L8kj='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(L8kj).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uxgtak -value gp; new-alias -name eybtmdmub -value iex; eybtmdmub ([System.Text.Encoding]::ASCII.GetString((uxgtak "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\20cwjbn4\20cwjbn4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp" "c:\Users\Admin\AppData\Local\Temp\20cwjbn4\CSC52B7EE14C994448EAF819F33A05BA9AB.TMP"
5⤵
PID:4704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ks23o1vi\ks23o1vi.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33CD.tmp" "c:\Users\Admin\AppData\Local\Temp\ks23o1vi\CSC7AE502D2B30548C58CA85FC1F09AB123.TMP"
5⤵
PID:3600

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20cwjbn4\20cwjbn4.dll
Filesize
3KB

MD5
e7d8d11adbc1e4301cf9a15fcb558b58

SHA1
dff6a97f6aa45056985c613b6db3616cc03d8f02

SHA256
30ffeb17ab954ec29b0fb9a046cba8f33071ec3a2a8662cca4cdc63bd95d6087

SHA512
4da772f425488f37a5a86849a50d29c1d7029e226cea791c940b537e64bb0f4c6379461f516f66c889d42442ebbe53634ff853c78664ef9388bb5acf96274522

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp
Filesize
1KB

MD5
1d8d8ea4f69cc28fc1de9161db517571

SHA1
3eace8d9c1df645a62bb87a53fffb91fd10842e0

SHA256
e4ca880eee08db9598d0151a0d1d403852ca696c904542b9011c7773c2768d61

SHA512
589298d9a308730a800de3e12ef33607adcb9976ace0b162a523a5e6eb5447b8b1ddeb3449a43819b5eef32f52316516537f320f4d8b3b93fbfc5d06e6aa1f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES33CD.tmp
Filesize
1KB

MD5
8fe8a3b6187e5b418c8a9a34fb01e077

SHA1
4445c12b8f4710f3270a362303193edc174b8003

SHA256
63825946dcd27fba6f18823da1820d268ccbefc3c9151c1b2e745c8e2019fbb7

SHA512
417ea4feff836987db791d7fa96eb62cc6324c9ca23242796b3cdaeb48a9d99c2d6c96bdc330cf0f4c30420111a29e864cdcc31e73d4c02f63738734abbf28e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppld2nup.anz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ks23o1vi\ks23o1vi.dll
Filesize
3KB

MD5
74b77b655e02da4ab3fda121f0584033

SHA1
9c27ffb193ff50b543da0c05722c86c464d65b07

SHA256
b76d80f773eb7ebff8fbb9a2b495b71c45701e2a8708ea5c5a69fb2a532e599d

SHA512
5c28a9348cdb2736a30e75ffd18b94be05257221cb5d31138db2521c3b2209889674a63a8a720476402d9bf1838dcd6a0531f173fc77b60d64f6b5c9060a41ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\20cwjbn4\20cwjbn4.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\20cwjbn4\20cwjbn4.cmdline
Filesize
369B

MD5
40df7a4f648e5de9d461bd77222912df

SHA1
a3705fa48e4cc624e3d3e889b4cb3974e2f972bb

SHA256
e880a3f59082b40f9080fabf764e4093bf0a3559ed3d6815fa89005595ae3cfe

SHA512
413012e9113fe1de720a630d8549c393f955b2c0596472ea3a26b9917297c3883fd1913b91a8a83b5b8c9198c6457e76dbf72885fc7c03bbefbb0bd6ea5ac33d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\20cwjbn4\CSC52B7EE14C994448EAF819F33A05BA9AB.TMP
Filesize
652B

MD5
3a945055bb70d573215ab16a063125df

SHA1
78ca3a22949c6597f1d29825c34de12df595f000

SHA256
74abee4e18479a08bf4fe2e95ccfa582af52f0430cb6c629b88b42e74589588a

SHA512
c7deea56fc6bab6dd930b9d47c1e07ef6ad0b266b4daa390ed52d0b8fd26085ad35e6f09488b9b67dcbc1fbb88ea948b8517f9de11a405666310d27f943fbc6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ks23o1vi\CSC7AE502D2B30548C58CA85FC1F09AB123.TMP
Filesize
652B

MD5
6d46b439e1f81a48b0d43494f5be675c

SHA1
2a2f902ca6a46c890f89f8fca02dd21a4fdd0016

SHA256
7da6ce758e6e0aea8939953a0f95ad8150753a3eed467c54f58b554508d5d4ed

SHA512
c9111f3b07453e7f222887246edabcce694f77066171a70c12d0fa94eaff9e18275463f74a0e0e9282bf6f1c7d40900f7405aa10ff5b185e5f03e63f5890f48c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ks23o1vi\ks23o1vi.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ks23o1vi\ks23o1vi.cmdline
Filesize
369B

MD5
a24fad2cdc22de2b7a732027971c4129

SHA1
cec7937160a70ed7903f6b8cf668af15a586526d

SHA256
f0515f65571b8da9e6a7f681872493f14f92653791a7103454d62a3f13864ed1

SHA512
1e2fed98033b276d08516d88e390304c6578d0957fea694c91c8945ec0a5b76bae4871c22edd8033a797256371ea3678a0d0786dbe7acedb78d841e23d31f8fb

Download Submit
memory/940-0-0x0000000001500000-0x000000000150C000-memory.dmp

Filesize
48KB

Download
memory/940-11-0x0000000001540000-0x000000000154D000-memory.dmp

Filesize
52KB

Download
memory/940-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/940-1-0x0000000001510000-0x000000000151F000-memory.dmp

Filesize
60KB

Download
memory/1416-29-0x000001A359320000-0x000001A359330000-memory.dmp

Filesize
64KB

Download
memory/1416-41-0x000001A35AF30000-0x000001A35AF38000-memory.dmp

Filesize
32KB

Download
memory/1416-28-0x000001A359320000-0x000001A359330000-memory.dmp

Filesize
64KB

Download
memory/1416-30-0x000001A359320000-0x000001A359330000-memory.dmp

Filesize
64KB

Download
memory/1416-113-0x000001A3735B0000-0x000001A3735ED000-memory.dmp

Filesize
244KB

Download
memory/1416-114-0x00007FFB75D60000-0x00007FFB76821000-memory.dmp

Filesize
10.8MB

Download
memory/1416-80-0x000001A359320000-0x000001A359330000-memory.dmp

Filesize
64KB

Download
memory/1416-61-0x000001A3735A0000-0x000001A3735A8000-memory.dmp

Filesize
32KB

Download
memory/1416-27-0x00007FFB75D60000-0x00007FFB76821000-memory.dmp

Filesize
10.8MB

Download
memory/1416-63-0x000001A3735B0000-0x000001A3735ED000-memory.dmp

Filesize
244KB

Download
memory/1416-24-0x000001A35AD20000-0x000001A35AD42000-memory.dmp

Filesize
136KB

Download
memory/1416-91-0x000001A359320000-0x000001A359330000-memory.dmp

Filesize
64KB

Download
memory/1416-69-0x00007FFB75D60000-0x00007FFB76821000-memory.dmp

Filesize
10.8MB

Download
memory/1416-84-0x000001A359320000-0x000001A359330000-memory.dmp

Filesize
64KB

Download
memory/2564-66-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/2564-65-0x0000000008170000-0x0000000008214000-memory.dmp

Filesize
656KB

Download
memory/2564-77-0x00000000093A0000-0x0000000009444000-memory.dmp

Filesize
656KB

Download
memory/2564-119-0x00000000093A0000-0x0000000009444000-memory.dmp

Filesize
656KB

Download
memory/2564-118-0x0000000008170000-0x0000000008214000-memory.dmp

Filesize
656KB

Download
memory/2832-53-0x0000000000B80000-0x0000000000C24000-memory.dmp

Filesize
656KB

Download
memory/2832-54-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2832-103-0x0000000000B80000-0x0000000000C24000-memory.dmp

Filesize
656KB

Download
memory/3156-121-0x00000253EF200000-0x00000253EF2A4000-memory.dmp

Filesize
656KB

Download
memory/3156-97-0x00000253EF1C0000-0x00000253EF1C1000-memory.dmp

Filesize
4KB

Download
memory/3156-92-0x00000253EF200000-0x00000253EF2A4000-memory.dmp

Filesize
656KB

Download
memory/3500-117-0x00000000009B0000-0x0000000000A48000-memory.dmp

Filesize
608KB

Download
memory/3500-111-0x00000000009B0000-0x0000000000A48000-memory.dmp

Filesize
608KB

Download
memory/3500-112-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3784-86-0x00000240A96D0000-0x00000240A96D1000-memory.dmp

Filesize
4KB

Download
memory/3784-78-0x00000240A9C00000-0x00000240A9CA4000-memory.dmp

Filesize
656KB

Download
memory/3784-120-0x00000240A9C00000-0x00000240A9CA4000-memory.dmp

Filesize
656KB

Download
memory/4532-110-0x0000020CBAE70000-0x0000020CBAF14000-memory.dmp

Filesize
656KB

Download
memory/4532-94-0x0000020CBAD40000-0x0000020CBAD41000-memory.dmp

Filesize
4KB

Download
memory/4532-87-0x0000020CBAE70000-0x0000020CBAF14000-memory.dmp

Filesize
656KB

Download
memory/4792-106-0x0000018ECB5C0000-0x0000018ECB5C1000-memory.dmp

Filesize
4KB

Download
memory/4792-102-0x0000018ECBD20000-0x0000018ECBDC4000-memory.dmp

Filesize
656KB

Download
memory/4792-122-0x0000018ECBD20000-0x0000018ECBDC4000-memory.dmp

Filesize
656KB

Download