gozi | b3a2a819e27b004310e65c2b6b000cb8444b3233271a5064e5314d9580d128d3

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

296KB
MD5

3f39517fb0f5de4ba10e72242fb6cd9a
SHA1

d9c68d8110038c21b9d1c5763eab9331c2cf3b45
SHA256

b3a2a819e27b004310e65c2b6b000cb8444b3233271a5064e5314d9580d128d3
SHA512

c69a9438a9915724233aff2a45a25421a33d05ff2fdcaa7ffdef7dd67f2c27aa1f0894e1c0b11def837d01515dbf42931d4ac829a0ea6a40b115002e615f7ebe
SSDEEP

3072:pqrRrmv3TwaCRNnA/UeXFa3mSRACC2IS/gc/LRxNuIY:QrRyvDwaCRNn4XQ2wACZgc/LR/u

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1688 cmd.exe

pid	process
1688	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2888 set thread context of 1232	2888	powershell.exe	Explorer.EXE
PID 1232 set thread context of 1688	1232	Explorer.EXE	cmd.exe
PID 1688 set thread context of 1508	1688	cmd.exe	PING.EXE
PID 1232 set thread context of 524	1232	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1508 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1508 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1508	PING.EXE

pid	process
1508	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
2388	client.exe
2888	powershell.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2888 powershell.exe
1232 Explorer.EXE
1688 cmd.exe
1232 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2888 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE

pid	process
1232	Explorer.EXE

pid	process
2888	powershell.exe
1232	Explorer.EXE
1688	cmd.exe
1232	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2888	powershell.exe

pid	process
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2512 wrote to memory of 2888	2512	mshta.exe	powershell.exe
PID 2512 wrote to memory of 2888	2512	mshta.exe	powershell.exe
PID 2512 wrote to memory of 2888	2512	mshta.exe	powershell.exe
PID 2888 wrote to memory of 2656	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 2656	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 2656	2888	powershell.exe	csc.exe
PID 2656 wrote to memory of 2784	2656	csc.exe	cvtres.exe
PID 2656 wrote to memory of 2784	2656	csc.exe	cvtres.exe
PID 2656 wrote to memory of 2784	2656	csc.exe	cvtres.exe
PID 2888 wrote to memory of 1660	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 1660	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 1660	2888	powershell.exe	csc.exe
PID 1660 wrote to memory of 1784	1660	csc.exe	cvtres.exe
PID 1660 wrote to memory of 1784	1660	csc.exe	cvtres.exe
PID 1660 wrote to memory of 1784	1660	csc.exe	cvtres.exe
PID 2888 wrote to memory of 1232	2888	powershell.exe	Explorer.EXE
PID 2888 wrote to memory of 1232	2888	powershell.exe	Explorer.EXE
PID 2888 wrote to memory of 1232	2888	powershell.exe	Explorer.EXE
PID 1232 wrote to memory of 1688	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1688	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1688	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1688	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1688	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1688	1232	Explorer.EXE	cmd.exe
PID 1688 wrote to memory of 1508	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1508	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1508	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1508	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1508	1688	cmd.exe	PING.EXE
PID 1232 wrote to memory of 524	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 524	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 524	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 524	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 524	1232	Explorer.EXE	cmd.exe
PID 1688 wrote to memory of 1508	1688	cmd.exe	PING.EXE
PID 1232 wrote to memory of 524	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 524	1232	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Je2q='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Je2q).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3C64491B-6BF2-CEE4-D530-CFE2D9647336\\\MusicWhite'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name icridexk -value gp; new-alias -name xonavbd -value iex; xonavbd ([System.Text.Encoding]::ASCII.GetString((icridexk "HKCU:Software\AppDataLow\Software\Microsoft\3C64491B-6BF2-CEE4-D530-CFE2D9647336").ControlText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vz-vfyl9.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC49DC.tmp"
5⤵
PID:2784

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bb2tb-36.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A98.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A97.tmp"
5⤵
PID:1784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1508

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES49DD.tmp
Filesize
1KB

MD5
067fddb9727d212399712aa84bd07445

SHA1
233f40a8bc132b2e49e121fab0ef3c1c5944d730

SHA256
c775a133a389f2e223931fb41bfc02d34b7e4b5507f597cf4bd2826a7df04e61

SHA512
76228c5966783679c84cab9036dffaa8bf90af2d68d6eb749025a6a633169526db1b1d14ed48038dcfcbbe2fcad8d6546b3c5b461f856e7daf162b33c0ee062a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A98.tmp
Filesize
1KB

MD5
24e3b22e2d9b0721ba42efc62d46549c

SHA1
7ced32c19c7c40eceb13deebd67105406dd4682f

SHA256
b02abffc0bd136d486042f2b8d550766ccef207640502864d1afcfb4bac621a6

SHA512
131cb73b1348350bbd29ef6bb2302a1e52e422c160df685451bdfc710f92e941985b95a197ff877e767394a3acb26569839da48b2d42f1a712062fc70e9fdcd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb2tb-36.dll
Filesize
3KB

MD5
61bab0a4ff1bfc15c216613091efdb00

SHA1
c5e6cc7f5b9ea49c7d0ddabda80fecffc4b9ab08

SHA256
7c3ffcea169e8c3673e34ef8f41cd8e5ad0d8e3b284c88ea94df3fc5cce8575b

SHA512
46852ad1600ab79d277c91ae74243cd9f0f5029261ca1a81f6abb21e953732e035a27cde0039dc5b73ba3c97f7b9456d83cb9cc873aa2d413df225333486fe33

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb2tb-36.pdb
Filesize
7KB

MD5
5f22ca13b8123cebb1ce71ff13341a8a

SHA1
4b14351980e87bbb2fd9bf051ed90228aa2824db

SHA256
8c4bee22000bf31c10289fe1d8de9b065c5fcaae044924d60c8ac737be1bee5a

SHA512
4ecb25b962e1c6f16961b4e7ab48eb7196b721c08f8cd5836f715748bdefa599b29585221d591976db26b354a41cf4b8d69e218c49bf4c74484f3575e398ffc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vz-vfyl9.dll
Filesize
3KB

MD5
028a61c4cc48e54fe412d9906495fb6b

SHA1
265dc2cf67aad9acc343fe3643e1ffc12451b106

SHA256
bbf89f49989748c87bf5dd6cb5b6a31467fcf6c46921dad600fd16397618841a

SHA512
43c826e4f61a0870b5eda2eb69bd6b35dac229b5248f197dd34dcc93653c9bbfdfa572d620ed3de9c886916e0ea90ba5c1a3fa078685be44a00202b070ba8b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\vz-vfyl9.pdb
Filesize
7KB

MD5
f195233346356a418dee56dfa2be7e9e

SHA1
80d8bc61ecdf8fbc99cdd6c570c3a7b6e8674497

SHA256
3b491d0000b614c2fcfba02f21b91b50b5f5afd2c908645c8bec31818065cdad

SHA512
8ef1b316f0b9b7bd629a761aafc61e923b05cb408bb60ba67022e8cfe3a988d3d4b54dfbca35d6e3e73a7250432d2b273c47eda568990269c4f2549b471dd890

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC49DC.tmp
Filesize
652B

MD5
67a7ba15471d7d65cee844498a0a88a9

SHA1
c29f59752fe2d0f98ea7f15dd6a9e4296ed63771

SHA256
b99907efabdbfdfae88b27add69359839cccea997a0adb6b1e246df8d6559375

SHA512
b08c020631de48dfcac0593d6292a30dbbed00a54215a4e1f67ec222feb0b9d280717ef1de2e3836005723abd6d00f4baaa22cb7ff1a04da4e0b504f2be12696

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4A97.tmp
Filesize
652B

MD5
e17c9d100b63f0caa8708a328c0f43db

SHA1
640fe992d75db3fcf439d047bd65813860be2ae3

SHA256
76723664b71cacc8a8077464ed0e016d07dbad504513e1d8e4f44a60ca0bc9f4

SHA512
1e0c81c9ad44cce4c3014916869e1ab85a8fc0008b82997b0d0ef35ab2c7d69e5dbf3ac38af20604ec52a426496aca267cd0b99f6aedfd70f5cc3c47ab0ee142

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bb2tb-36.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bb2tb-36.cmdline
Filesize
309B

MD5
a71c5c84d0bb9ea0b11a8d9ebc7c555c

SHA1
a7d0ea7a4793e8ac4a6905c2493d7e54fafa4b63

SHA256
3cb7f0ab3b365280ef6c91724e21ffdc7b7384a135661f4f900cd3e8032ce4a9

SHA512
e5babd707ac095521843629f75af8b3d3721046fb194d7ef13de85604d661ef5dfc540bd4bd76e6754f03915631e86d7afce3c1134f0adb19973d57736e13a75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vz-vfyl9.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vz-vfyl9.cmdline
Filesize
309B

MD5
89987a6f7c1bf04ed63792fef1269e66

SHA1
9b20c4d265a77124062029652b9aff7f7a994c07

SHA256
6121e234698547606518d205ebaa218156d9cb16fd342ce21de2c5f51476ecc2

SHA512
9d00b2f5222e32ad1a6e4b97851c254f0f83429ac7b8982d104320becb9f629f4cc990b3eed3e1408c9d17fbbfc90ae526d3c376872f7280138d928db58f6daf

Download Submit
memory/524-90-0x00000000004E0000-0x0000000000578000-memory.dmp

Filesize
608KB

Download
memory/524-88-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/524-89-0x00000000004E0000-0x0000000000578000-memory.dmp

Filesize
608KB

Download
memory/524-85-0x00000000004E0000-0x0000000000578000-memory.dmp

Filesize
608KB

Download
memory/1232-61-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1232-60-0x0000000004E00000-0x0000000004EA4000-memory.dmp

Filesize
656KB

Download
memory/1232-91-0x0000000004E00000-0x0000000004EA4000-memory.dmp

Filesize
656KB

Download
memory/1508-78-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/1508-80-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1508-79-0x0000000001BC0000-0x0000000001C64000-memory.dmp

Filesize
656KB

Download
memory/1508-92-0x0000000001BC0000-0x0000000001C64000-memory.dmp

Filesize
656KB

Download
memory/1660-47-0x00000000022D0000-0x0000000002350000-memory.dmp

Filesize
512KB

Download
memory/1688-73-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1688-71-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1688-93-0x0000000001BD0000-0x0000000001C74000-memory.dmp

Filesize
656KB

Download
memory/1688-72-0x0000000001BD0000-0x0000000001C74000-memory.dmp

Filesize
656KB

Download
memory/2388-9-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2388-13-0x00000000025E0000-0x00000000025E2000-memory.dmp

Filesize
8KB

Download
memory/2388-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2388-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2388-4-0x0000000000280000-0x000000000028D000-memory.dmp

Filesize
52KB

Download
memory/2388-7-0x0000000002390000-0x0000000002490000-memory.dmp

Filesize
1024KB

Download
memory/2388-8-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2388-84-0x0000000002390000-0x0000000002490000-memory.dmp

Filesize
1024KB

Download
memory/2388-1-0x0000000002390000-0x0000000002490000-memory.dmp

Filesize
1024KB

Download
memory/2656-30-0x0000000002140000-0x00000000021C0000-memory.dmp

Filesize
512KB

Download
memory/2888-69-0x000007FEF3090000-0x000007FEF3A2D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-19-0x0000000002120000-0x0000000002128000-memory.dmp

Filesize
32KB

Download
memory/2888-18-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2888-56-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2888-24-0x000007FEF3090000-0x000007FEF3A2D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-39-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2888-70-0x0000000002A60000-0x0000000002A9D000-memory.dmp

Filesize
244KB

Download
memory/2888-23-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2888-20-0x000007FEF3090000-0x000007FEF3A2D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-21-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2888-59-0x0000000002A60000-0x0000000002A9D000-memory.dmp

Filesize
244KB

Download
memory/2888-22-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download