gozi | 5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

294KB
MD5

bb35f8c1a3236ad31c754cdfe795d57f
SHA1

b744f8ae31e2b3f7c3b72b9615823a3a3ad02989
SHA256

5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2
SHA512

fcb8f4458b7a5a4a2536a22ad55e4564ffe3d3327e4eefca10a30bc490ae29c8cc31760e07d567de53150090c84bb171209f1f3811f22d3f69545beb15edd0b0
SSDEEP

3072:4e6lIjmvg7aaCIg0JHk8D8uNhUqHAMMQKL2H/NHIS:4blIavYaaCIg6h/NhUDAHlH

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2864 cmd.exe

pid	process
2864	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2564 set thread context of 1236	2564	powershell.exe	Explorer.EXE
PID 1236 set thread context of 2864	1236	Explorer.EXE	cmd.exe
PID 2864 set thread context of 2076	2864	cmd.exe	PING.EXE
PID 1236 set thread context of 1548	1236	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2076 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2076 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2076	PING.EXE

pid	process
2076	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
2044	client.exe
2564	powershell.exe
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2564 powershell.exe
1236 Explorer.EXE
2864 cmd.exe
1236 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2564 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE

pid	process
1236	Explorer.EXE

pid	process
2564	powershell.exe
1236	Explorer.EXE
2864	cmd.exe
1236	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2564	powershell.exe

pid	process
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2496 wrote to memory of 2564	2496	mshta.exe	powershell.exe
PID 2496 wrote to memory of 2564	2496	mshta.exe	powershell.exe
PID 2496 wrote to memory of 2564	2496	mshta.exe	powershell.exe
PID 2564 wrote to memory of 2920	2564	powershell.exe	csc.exe
PID 2564 wrote to memory of 2920	2564	powershell.exe	csc.exe
PID 2564 wrote to memory of 2920	2564	powershell.exe	csc.exe
PID 2920 wrote to memory of 3044	2920	csc.exe	cvtres.exe
PID 2920 wrote to memory of 3044	2920	csc.exe	cvtres.exe
PID 2920 wrote to memory of 3044	2920	csc.exe	cvtres.exe
PID 2564 wrote to memory of 2300	2564	powershell.exe	csc.exe
PID 2564 wrote to memory of 2300	2564	powershell.exe	csc.exe
PID 2564 wrote to memory of 2300	2564	powershell.exe	csc.exe
PID 2300 wrote to memory of 892	2300	csc.exe	cvtres.exe
PID 2300 wrote to memory of 892	2300	csc.exe	cvtres.exe
PID 2300 wrote to memory of 892	2300	csc.exe	cvtres.exe
PID 2564 wrote to memory of 1236	2564	powershell.exe	Explorer.EXE
PID 2564 wrote to memory of 1236	2564	powershell.exe	Explorer.EXE
PID 2564 wrote to memory of 1236	2564	powershell.exe	Explorer.EXE
PID 1236 wrote to memory of 2864	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2864	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2864	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2864	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2864	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2864	1236	Explorer.EXE	cmd.exe
PID 2864 wrote to memory of 2076	2864	cmd.exe	PING.EXE
PID 2864 wrote to memory of 2076	2864	cmd.exe	PING.EXE
PID 2864 wrote to memory of 2076	2864	cmd.exe	PING.EXE
PID 2864 wrote to memory of 2076	2864	cmd.exe	PING.EXE
PID 1236 wrote to memory of 1548	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1548	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1548	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1548	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1548	1236	Explorer.EXE	cmd.exe
PID 2864 wrote to memory of 2076	2864	cmd.exe	PING.EXE
PID 2864 wrote to memory of 2076	2864	cmd.exe	PING.EXE
PID 1236 wrote to memory of 1548	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1548	1236	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eo8e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eo8e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\30BA078A-CF87-E252-D964-73361DD857CA\\\TimeContact'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gmjqsvbhgd -value gp; new-alias -name ddpeynnvc -value iex; ddpeynnvc ([System.Text.Encoding]::ASCII.GetString((gmjqsvbhgd "HKCU:Software\AppDataLow\Software\Microsoft\30BA078A-CF87-E252-D964-73361DD857CA").ChartText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ivoxmh5l.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACE3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCACD3.tmp"
5⤵
PID:3044

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6c2uj06e.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADCD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCADCC.tmp"
5⤵
PID:892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2076

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6c2uj06e.dll
Filesize
3KB

MD5
8166a5981a068dbe3324938c6ec89e99

SHA1
a398bd438654f600e064d96915891c25911fe268

SHA256
7be9db505661c4df909621261bb411336ad916fc65e26f35c7a8e183aad1d099

SHA512
3d59ba9b9cdba8705f4c708da5bc5924c8a34c307ac2c573d66037095c948e228147d15aa44819d7d4bd41f170e13747685c89bae3a2ae4f49e1f0b863976861

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c2uj06e.pdb
Filesize
7KB

MD5
8a375c2ca7d2a6ac408c05778d3fe0b1

SHA1
a688c3af312e824b3efbd60327814106c3783fb0

SHA256
2580775f1f4b765f5db97e97c1b2e53852d0553fbaa696ee6661c210bd9db139

SHA512
7def59bc8f8c141778dff0015d887fa007a984b6bff2185d8d093650e1de085245bc9d53e2e0d54aa650f3b73487385b909592a0da7e3b1f26fd479d1dc6e410

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESACE3.tmp
Filesize
1KB

MD5
de5c4f8375f6622e6beca1a8c478db35

SHA1
1df837bb8ecfef5cb873fd0ca2f0e03e4ac4e6bf

SHA256
dc6da79dafa5b5e63005587cb33f7a75f4fe11f7ade703808daaeed53e666c7e

SHA512
a2062185ab55dcb059ee182771cb64749caae28707b5e4119181b586453cb591fa26805aacbc94c4c3cd7ea8f76507920cf790533e697cf00cce39176a44d75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADCD.tmp
Filesize
1KB

MD5
ec549c4cf31669d270f2234fd5c1c6be

SHA1
759ba1a47bb516d3ae8df8be76c783129a689b31

SHA256
19c25b08ce9964a2cd904a110be54666ae89374c236fd12a0d6433a72e5ac787

SHA512
7d58de3c96146b0d684fa0a7b5ff6ede9ceb26843eaec0b8e1b276cce810f57b092df042c52639604fed9e0a2e903cdf7246a63c4ae069a74287dc24d5df6148

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivoxmh5l.dll
Filesize
3KB

MD5
8294bbc6bd8811f7edd6a98fa979f5b3

SHA1
261a76ab18c35f7dd132ed980f94e001aef0d82e

SHA256
fa87b663ed50cd82edc533f5132f89174e8590d1bf11017949569f7cd0386ea4

SHA512
43aa6ad55a5332a62bdfd357e3e295f1071cdde3237f8458e75098da05a89b174c8ddf7539f4a448cbb3639c7b5094df063a47133af65dddc10610b5cf544c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivoxmh5l.pdb
Filesize
7KB

MD5
4658eebf69f06cb1b4782cfae1c17cfa

SHA1
fb2c0744d571cbde71cf489f710f1b3252df0710

SHA256
4edb2a8e847c7840cccc3b3bc9f4378601635656a5fdaeafbc5bae88d78304f7

SHA512
1b3624f754b6a55bd6de7234b2c93b5b41043f8120abecb6ff64d5afa699ccf53fdcddefada211c2ce369f8dd271676df3184624b503b16105eb540003670e2e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6c2uj06e.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6c2uj06e.cmdline
Filesize
309B

MD5
0ce5de90233d8966af9af1fa04736b03

SHA1
95274fbd2b2fead15a5227abab0e7e320b453d65

SHA256
d2be811e796d478b91658850a565691fe2e45104af4245871d2b71da52dce037

SHA512
a6840b47a36501a1526375c50d92cc63550e132b7cfba78fe13a9a79d14d5fbef35b04a089e4314f4afc8045caa66d12d55e78e70242cf31648b4f51c125a715

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCACD3.tmp
Filesize
652B

MD5
50765690e9efdb5992697d042c17930f

SHA1
b627d95ffcd39283f79447cd4bb45eec3c736857

SHA256
70c473ee2e4e9f8aa649643dc322a371026e73c2648e5a696b1fa8bf84159143

SHA512
a41e397e68ccf85d6008e487c645ea7b314633308aebb4e6a7effa37e55d47a0319f66396968699895eb61671ae5038fe355de630ba72c955d241ad1d73f9868

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCADCC.tmp
Filesize
652B

MD5
28a8bf7ca8bdb1e296f0ddcb1605407e

SHA1
d50907c38baa3f270e1c42e3739a15be421d3d6f

SHA256
7c8678b7aaa35021332a74f47eacbc0fcaadc0c867ac2799111d79f4f36f8783

SHA512
3ebbc36a7ff8093510f5cd3511f5c19d9e36d1150b360d6cf56d574dc55d198df9509ee6afea43da64ad40c84448fd23f19cf3d44a8a0d5d2d357bbfb75b3270

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ivoxmh5l.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ivoxmh5l.cmdline
Filesize
309B

MD5
38b3fb4586bd95934f5926959b775dc8

SHA1
e229fd35575c007e28be4acf2d8a20058f698660

SHA256
bb0578f1db99467dfe94b35411adad6344dd76949b280018e6fb6ffb52e1f242

SHA512
9600fbcfe83bd5be91f4a5303a2dfc580655b8fc251d794095eeb690d7a8023914022d18f3bf6cf11f9b7db32f82c7982152cf5f08f3676ff68c8051918bd645

Download Submit
memory/1236-58-0x0000000007130000-0x00000000071D4000-memory.dmp

Filesize
656KB

Download
memory/1236-91-0x0000000007130000-0x00000000071D4000-memory.dmp

Filesize
656KB

Download
memory/1236-59-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/1548-90-0x0000000001C60000-0x0000000001CF8000-memory.dmp

Filesize
608KB

Download
memory/1548-86-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1548-83-0x0000000001C60000-0x0000000001CF8000-memory.dmp

Filesize
608KB

Download
memory/2044-11-0x0000000003E50000-0x0000000003E52000-memory.dmp

Filesize
8KB

Download
memory/2044-1-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2044-9-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2044-8-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2044-7-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2044-4-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/2044-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2044-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2076-77-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/2076-80-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2076-92-0x0000000001BE0000-0x0000000001C84000-memory.dmp

Filesize
656KB

Download
memory/2076-78-0x0000000001BE0000-0x0000000001C84000-memory.dmp

Filesize
656KB

Download
memory/2300-45-0x0000000002140000-0x00000000021C0000-memory.dmp

Filesize
512KB

Download
memory/2564-20-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2564-18-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-62-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-68-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-69-0x00000000029A0000-0x00000000029DD000-memory.dmp

Filesize
244KB

Download
memory/2564-16-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2564-17-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2564-57-0x00000000029A0000-0x00000000029DD000-memory.dmp

Filesize
244KB

Download
memory/2564-54-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/2564-37-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2564-22-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2564-21-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-19-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2864-71-0x0000000001B80000-0x0000000001C24000-memory.dmp

Filesize
656KB

Download
memory/2864-72-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2864-70-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/2864-93-0x0000000001B80000-0x0000000001C24000-memory.dmp

Filesize
656KB

Download