gozi | 26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

287KB
MD5

bbf59fbbb9de660e113d82597c289cff
SHA1

85e3f40d8e5e5b93ef0e45e3cb5eec9dd19685be
SHA256

26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81
SHA512

8310447870f5de4ae575306391295f205d8ec0e3295f30e8b79e6d65a4e85ad408b0d07859e1c30294c843e5d23ca324d24fb20fe9ddb299dc4ad47d6a24cbfa
SSDEEP

3072:j6ya4jStntwsx48m71HMmJn0iZw6vK1ZRQxAgaX6wwrz+UTaBgfUd0:Q4gtTm7+mJnNZfK1ZRHRoJ

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/2716-0-0x0000000002F70000-0x0000000002F7C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process	target process
PID 4412 set thread context of 3136	4412	powershell.exe	Explorer.EXE
PID 3136 set thread context of 3752	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 4088	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 3428	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 3772	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 3868	3136	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exepowershell.exeExplorer.EXE

pid	process
2716	Client.exe
2716	Client.exe
4412	powershell.exe
4412	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXE

pid process

4412 powershell.exe
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE

pid	process
3136	Explorer.EXE

pid	process
4412	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3752	RuntimeBroker.exe
Token: SeShutdownPrivilege	3752	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE

pid	process
3136	Explorer.EXE

pid	process
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXE

description	pid	process	target process
PID 1684 wrote to memory of 4412	1684	mshta.exe	powershell.exe
PID 1684 wrote to memory of 4412	1684	mshta.exe	powershell.exe
PID 4412 wrote to memory of 2552	4412	powershell.exe	csc.exe
PID 4412 wrote to memory of 2552	4412	powershell.exe	csc.exe
PID 2552 wrote to memory of 2188	2552	csc.exe	cvtres.exe
PID 2552 wrote to memory of 2188	2552	csc.exe	cvtres.exe
PID 4412 wrote to memory of 3956	4412	powershell.exe	csc.exe
PID 4412 wrote to memory of 3956	4412	powershell.exe	csc.exe
PID 3956 wrote to memory of 2584	3956	csc.exe	cvtres.exe
PID 3956 wrote to memory of 2584	3956	csc.exe	cvtres.exe
PID 4412 wrote to memory of 3136	4412	powershell.exe	Explorer.EXE
PID 4412 wrote to memory of 3136	4412	powershell.exe	Explorer.EXE
PID 4412 wrote to memory of 3136	4412	powershell.exe	Explorer.EXE
PID 4412 wrote to memory of 3136	4412	powershell.exe	Explorer.EXE
PID 3136 wrote to memory of 3752	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3752	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3752	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3752	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4088	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4088	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4088	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4088	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3428	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3428	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3428	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3428	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3772	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3772	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3772	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3772	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3868	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3868	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3868	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3868	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3868	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3868	3136	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yukg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yukg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name qgiaiafc -value gp; new-alias -name yjfbicua -value iex; yjfbicua ([System.Text.Encoding]::ASCII.GetString((qgiaiafc "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ftf2kbiv\ftf2kbiv.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3553.tmp" "c:\Users\Admin\AppData\Local\Temp\ftf2kbiv\CSCE6EC44E081F9414EB64D9F3B1D20DCB1.TMP"
5⤵
PID:2188

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rhkwjx44\rhkwjx44.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362E.tmp" "c:\Users\Admin\AppData\Local\Temp\rhkwjx44\CSCACDF69066FC54CF0A05281A9C33120D3.TMP"
5⤵
PID:2584

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3553.tmp
Filesize
1KB

MD5
72debe304578cecdaae427262f04ef68

SHA1
4b03b9b31e5f964e31a4f9a8d0ccdc0cb0a99413

SHA256
c5e1f2b658f4a4a12dd25b0e6463ee221ff391cf124f38715d0c7da5d3585cb5

SHA512
78c26b32c5b93e9e196d491a210ff960bcf67a21e22495dc99194891ef03d31eaa693b5ca9c6ca49ad48e312003f5156a7392734901397ae6659c79af3c76dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES362E.tmp
Filesize
1KB

MD5
4927f51d9d0f8f9920656d04fde0e61a

SHA1
284aa66615bc4fc4bf3b2c3d2bf67b538b17abeb

SHA256
06ff3c94ffc07c77fcb692fccbe0c681df0176ef5613da5f0e20cb195b49fc9c

SHA512
7063319178e04a2f95e48d9eb97dcac1705b427b00a853ba00c5c4fee0b3650ab06613e8441d9440df397ab26367a349d8134f062c8b4eef244e7240652cd51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_weqiwzck.bnq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftf2kbiv\ftf2kbiv.dll
Filesize
3KB

MD5
1efbdbf5ab289d64741a545480ecb6e2

SHA1
5305da0f48cda3cfb92be41e4d9a03ae1adfab49

SHA256
5fb9c9f645f2333adadce08871b845860a30c0b41895f37d6838dceec2d522e4

SHA512
f39a98749af3f8a56768cc6b052332b68ff803f89305a39293b3b7a236c7674ece7bed5ab4d3479bce5b2aaf555fd07a11ad90e6711c25536c39db08ddcd09e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhkwjx44\rhkwjx44.dll
Filesize
3KB

MD5
610180a3be8e0751a0230c4037ddab5e

SHA1
eb73f63fe792f6a879b280bcf4a6745d4487337d

SHA256
71e842c97a1c1583e5111f48c8610f159e2ebf69d75f9acb04fa490a7acc85af

SHA512
90ba66c810929dc9a254e31e21b5d46f857119307b1f0f3548c2c3e39f1247391e7a2e90350cee30c44c52295747dbe5622fb98e0bb4b414ff97f47b36814ce6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftf2kbiv\CSCE6EC44E081F9414EB64D9F3B1D20DCB1.TMP
Filesize
652B

MD5
77ba93b9ab5e72fdb575d1b450883931

SHA1
b2a5a3904644c03e1c48dcbe7b04bb7852a29890

SHA256
77cfb805517bf169c5288801a0ad2615a448cd2885b7c1b0b40132e53a6ab200

SHA512
d099e37a4f6ac64577ee22eb8392f8642d6f1871439efca4748166fbea568a59c5991200146cb961c8e0e59ba8f3fa4c82895471aaf51c9ea8d5f350ecf86d40

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftf2kbiv\ftf2kbiv.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftf2kbiv\ftf2kbiv.cmdline
Filesize
369B

MD5
b8f56b66d8587617d091f2ca93cdafdd

SHA1
b6dbe74b76912769159edf50733683f75efc7f2f

SHA256
9f9d957b478df80cd017f04b90f5074bd3cfe3607f6147eb78eeb6459c427bbb

SHA512
78948a5442e6aa80360b6aa1994b20fdf626242d4c3cf22f18f75f0a0fd558448f809e8db50d70845ffa4c1813724f8b40ff4c6f7b1fec812889bbffcebb51bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhkwjx44\CSCACDF69066FC54CF0A05281A9C33120D3.TMP
Filesize
652B

MD5
58b9cee2cfc5f71cde9aa9138858c672

SHA1
8c21a3b3e09e175e57cd280e8db51939dd073729

SHA256
8618d839fa7d633a0f0fb7e19f190b0ce28febe29218a1801b0ce89925d5ef30

SHA512
5e517e56ee6ff02bbb53b52522cbbb9fdba172f174d2d8c28c45b1ed06e9022f5346dd2260cfa9a6292f05a8a4c6dccf863b3fdc7aa3aa53c93b4de2fc911450

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhkwjx44\rhkwjx44.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhkwjx44\rhkwjx44.cmdline
Filesize
369B

MD5
540cf945aec8bc2e2a15a676c0aaa98a

SHA1
8abc60a98d0a1ec523920dede1fe3388cb7680fe

SHA256
7a5636a2da6eed1d887232b4231843b46e3866387ef3229e5110d4c5acfaf2f4

SHA512
00da258473fce06c2138a8db6d18335be13f63c1379b77845030b0b0511beaca264c7b617dd0cf5d3fd062c4734e36f379d5c580297224ed4b4ca74fb0fd8040

Download Submit
memory/2716-0-0x0000000002F70000-0x0000000002F7C000-memory.dmp

Filesize
48KB

Download
memory/2716-1-0x0000000002F80000-0x0000000002F8F000-memory.dmp

Filesize
60KB

Download
memory/2716-11-0x00000000030F0000-0x00000000030FD000-memory.dmp

Filesize
52KB

Download
memory/2716-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3136-58-0x0000000008210000-0x00000000082B4000-memory.dmp

Filesize
656KB

Download
memory/3136-59-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/3136-95-0x0000000008210000-0x00000000082B4000-memory.dmp

Filesize
656KB

Download
memory/3428-84-0x0000018746C50000-0x0000018746CF4000-memory.dmp

Filesize
656KB

Download
memory/3428-99-0x0000018746C50000-0x0000018746CF4000-memory.dmp

Filesize
656KB

Download
memory/3428-85-0x00000187463F0000-0x00000187463F1000-memory.dmp

Filesize
4KB

Download
memory/3752-96-0x000001EA7B800000-0x000001EA7B8A4000-memory.dmp

Filesize
656KB

Download
memory/3752-73-0x000001EA7B390000-0x000001EA7B391000-memory.dmp

Filesize
4KB

Download
memory/3752-72-0x000001EA7B800000-0x000001EA7B8A4000-memory.dmp

Filesize
656KB

Download
memory/3772-100-0x0000023515D60000-0x0000023515E04000-memory.dmp

Filesize
656KB

Download
memory/3772-88-0x0000023515D60000-0x0000023515E04000-memory.dmp

Filesize
656KB

Download
memory/3772-90-0x0000023515E10000-0x0000023515E11000-memory.dmp

Filesize
4KB

Download
memory/3868-105-0x0000000001860000-0x00000000018F8000-memory.dmp

Filesize
608KB

Download
memory/3868-102-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/3868-101-0x0000000001860000-0x00000000018F8000-memory.dmp

Filesize
608KB

Download
memory/4088-97-0x000001B238350000-0x000001B2383F4000-memory.dmp

Filesize
656KB

Download
memory/4088-79-0x000001B235FF0000-0x000001B235FF1000-memory.dmp

Filesize
4KB

Download
memory/4088-78-0x000001B238350000-0x000001B2383F4000-memory.dmp

Filesize
656KB

Download
memory/4412-69-0x00007FFA79DC0000-0x00007FFA7A881000-memory.dmp

Filesize
10.8MB

Download
memory/4412-24-0x00000173FB9B0000-0x00000173FB9D2000-memory.dmp

Filesize
136KB

Download
memory/4412-25-0x00007FFA79DC0000-0x00007FFA7A881000-memory.dmp

Filesize
10.8MB

Download
memory/4412-70-0x00000173FBF30000-0x00000173FBF6D000-memory.dmp

Filesize
244KB

Download
memory/4412-40-0x00000173FBF00000-0x00000173FBF08000-memory.dmp

Filesize
32KB

Download
memory/4412-26-0x00000173FB870000-0x00000173FB880000-memory.dmp

Filesize
64KB

Download
memory/4412-27-0x00000173FB870000-0x00000173FB880000-memory.dmp

Filesize
64KB

Download
memory/4412-56-0x00000173FBF30000-0x00000173FBF6D000-memory.dmp

Filesize
244KB

Download
memory/4412-54-0x00000173FBF20000-0x00000173FBF28000-memory.dmp

Filesize
32KB

Download