gozi | b3a2a819e27b004310e65c2b6b000cb8444b3233271a5064e5314d9580d128d3

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

296KB
MD5

3f39517fb0f5de4ba10e72242fb6cd9a
SHA1

d9c68d8110038c21b9d1c5763eab9331c2cf3b45
SHA256

b3a2a819e27b004310e65c2b6b000cb8444b3233271a5064e5314d9580d128d3
SHA512

c69a9438a9915724233aff2a45a25421a33d05ff2fdcaa7ffdef7dd67f2c27aa1f0894e1c0b11def837d01515dbf42931d4ac829a0ea6a40b115002e615f7ebe
SSDEEP

3072:pqrRrmv3TwaCRNnA/UeXFa3mSRACC2IS/gc/LRxNuIY:QrRyvDwaCRNn4XQ2wACZgc/LR/u

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2460 cmd.exe

pid	process
2460	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2888 set thread context of 1192	2888	powershell.exe	Explorer.EXE
PID 1192 set thread context of 2460	1192	Explorer.EXE	cmd.exe
PID 2460 set thread context of 1684	2460	cmd.exe	PING.EXE
PID 1192 set thread context of 2980	1192	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1684 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1684 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1684	PING.EXE

pid	process
1684	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
2364	client.exe
2888	powershell.exe
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2888 powershell.exe
1192 Explorer.EXE
2460 cmd.exe
1192 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2888 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE

pid	process
1192	Explorer.EXE

pid	process
2888	powershell.exe
1192	Explorer.EXE
2460	cmd.exe
1192	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2888	powershell.exe

pid	process
1192	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3044 wrote to memory of 2888	3044	mshta.exe	powershell.exe
PID 3044 wrote to memory of 2888	3044	mshta.exe	powershell.exe
PID 3044 wrote to memory of 2888	3044	mshta.exe	powershell.exe
PID 2888 wrote to memory of 1720	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 1720	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 1720	2888	powershell.exe	csc.exe
PID 1720 wrote to memory of 2852	1720	csc.exe	cvtres.exe
PID 1720 wrote to memory of 2852	1720	csc.exe	cvtres.exe
PID 1720 wrote to memory of 2852	1720	csc.exe	cvtres.exe
PID 2888 wrote to memory of 268	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 268	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 268	2888	powershell.exe	csc.exe
PID 268 wrote to memory of 2864	268	csc.exe	cvtres.exe
PID 268 wrote to memory of 2864	268	csc.exe	cvtres.exe
PID 268 wrote to memory of 2864	268	csc.exe	cvtres.exe
PID 2888 wrote to memory of 1192	2888	powershell.exe	Explorer.EXE
PID 2888 wrote to memory of 1192	2888	powershell.exe	Explorer.EXE
PID 2888 wrote to memory of 1192	2888	powershell.exe	Explorer.EXE
PID 1192 wrote to memory of 2460	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2460	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2460	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2460	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2460	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2460	1192	Explorer.EXE	cmd.exe
PID 2460 wrote to memory of 1684	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 1684	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 1684	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 1684	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 1684	2460	cmd.exe	PING.EXE
PID 1192 wrote to memory of 2980	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2980	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2980	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2980	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2980	1192	Explorer.EXE	cmd.exe
PID 2460 wrote to memory of 1684	2460	cmd.exe	PING.EXE
PID 1192 wrote to memory of 2980	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2980	1192	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ypmd='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ypmd).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DF95A089-B269-693D-B483-06AD28679A31\\\MusicPlay'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ccntadck -value gp; new-alias -name oqmbxyd -value iex; oqmbxyd ([System.Text.Encoding]::ASCII.GetString((ccntadck "HKCU:Software\AppDataLow\Software\Microsoft\DF95A089-B269-693D-B483-06AD28679A31").ContactSettings))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jklle2vb.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF661.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF660.tmp"
5⤵
PID:2852

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzqfv5go.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF70D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF70C.tmp"
5⤵
PID:2864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1684

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF661.tmp
Filesize
1KB

MD5
8790516dcde7bee21e3e89ab162667e7

SHA1
bb75b54fabad00d8c7dd4d0b39183eeaea6be84c

SHA256
e8fb189dea021b4a5a01f57aed805d9e0619f4a009c4fe82ac9a722de220a2ce

SHA512
83507f3fa03eeb3e2b737259821aa2d2cef314d48dfaac58b1aa7474ff0474c0320b6c36c5e916acbb6d057573508088d601ab5c96172c67e0f9367b28a4ecde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF70D.tmp
Filesize
1KB

MD5
3ca80d14db9d322051fd47d033aaee65

SHA1
915168d8ba0131d5a086f7c569bf28a38427b430

SHA256
35bcd50a08e1eca03faef174de7025ffad1a55c6baf2a33c9ae57b09873b7f74

SHA512
ae9d6b78f53118d26e9df41fe412a37a13d33c2975d41b155e6a1750aa8640e75fbd61fd271736984e6c90261cd918f69dc58448101c43471143bc742ae4b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jklle2vb.dll
Filesize
3KB

MD5
db74a4c7e039792d1c941a55f3d2c6ee

SHA1
c5d46d44df627eb945bd29f383dfdc283c20fac5

SHA256
9f62d688c324a593fa6d94bf549910f5372ec83e397b3d5cb5a675b88aa736b4

SHA512
1c59ab1411e07d6bd38220d69a743c6a632f062c524fafa0fe9d3b214e0e58ab2cd6a5bdd7d29bb74edd16e542d2ec7b6db81496f62a65f75a444f7206a07d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\jklle2vb.pdb
Filesize
7KB

MD5
6ffbd3b846b752541764d98fde124934

SHA1
f7617c11abb1ffdbdc1fdc0de4e9d43017bd20b3

SHA256
16865659d4249e0743e93e2ff268768cc6a6e49f3953f1a35c94ec7740721704

SHA512
8f10b76e398ab2783881e926888c7dc7c0406578b8346c50237df7b5a07f5016be558b0d5e9ccf21aaa3511835b7123c5802d9b589642cffede2643bf11adc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzqfv5go.dll
Filesize
3KB

MD5
831b2c81603d6cdf8e8bad871538cdd9

SHA1
17d8cadcd3a233a76bbaff12ab94bea92471afb7

SHA256
41cc093f69562f412078ace857810b61d8339a3ccc14a4fc46826de3aba0730d

SHA512
8b4fc0b77a8f1db5b3a3c4f3720e4d4205e9ca3255273dc809c017abc9f21608be0f739f39d8503fb3895bfcd43ce1a1f72669e205ee5437cb8887dc49f63c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzqfv5go.pdb
Filesize
7KB

MD5
e8ae2420d6fd3d0ac906d574e4f3db98

SHA1
7ab77c47a298e1c87abd4766249a5dfb4b28fe14

SHA256
d1ae95e379cb9413b2471213de6d9b9b87086c3990141241767b9eb91eb44b96

SHA512
117dcab505466893cb35c300c8cbcea8cc2dced9a4b8d0ca02e1a5d1ce3f13e95a1234b1221c17c318b5c436c3b4bd050d718f4d6fa4db77471d212e8ef22450

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF660.tmp
Filesize
652B

MD5
e8302cbcd80f63a6169c10a2e3f8d7d5

SHA1
8f2746776cca5f2c189aa7da0798a5b9f9f86431

SHA256
8c1d50246e89fe654e1362eafd053b5390f5467aac5eee8bef5353697506ce05

SHA512
f83b5979515f24fa9d2254bba205bf7ad6f3b1408e379124b2a53685e02ba8bfbdd8add3496b7d777925ef8416551b0025abd0f7c574622dae074caa7164f2ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF70C.tmp
Filesize
652B

MD5
fac6222466bdf969045c5f5038f32a01

SHA1
2828cdebe94b9363f9c689f6f1dd47803761c0fc

SHA256
51ac541139425f1fe0c043c4812a000bfc98ecede426494d45bff33a47cecc99

SHA512
c0568574919d9f0b7b3f2d20eec36c63442860bc4ad6688dc24d8e4efa7ca80e4633c5590f18dccb0980c0b9642859e78b3c8fd956b89ac1dcaa9c2afcfbb69d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jklle2vb.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jklle2vb.cmdline
Filesize
309B

MD5
e70f775178407ecca76ca47b309ca338

SHA1
f9dffe0a653622e3cb51eb689aa9cb2260c4a505

SHA256
6658cea0a6b5da0ab6cab4d7d0cbc9620bbb3395ca1c672fe1b1e25231f9e6b5

SHA512
e3fdd83eae13a7d9c4495a228ec21a647c364ca70ac83b98add398f932c6e5f1add1e6b37b1544a6ad3e7cb5f9dccec3afb0f7a561dc30dad9278e15230ff78c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uzqfv5go.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uzqfv5go.cmdline
Filesize
309B

MD5
b556d4a34d6bc6ae7fe9a995f24360fa

SHA1
250c8ce963b7c4c31604710087ce0d51c632d695

SHA256
e018775e86cf6738411f255975009b5c3521e1b3e51c5919ef19be9dd2365c0d

SHA512
d3ec436d750ef7590d1f6cb29cce7460ea517af5b1620bef56228ac2be51c7ad591070308dd96b1439d31a47ccb4f292caca1a6d11c77c481387f42bc7c6dc66

Download Submit
memory/268-54-0x0000000000660000-0x00000000006E0000-memory.dmp

Filesize
512KB

Download
memory/1192-68-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1192-100-0x0000000002CB0000-0x0000000002D54000-memory.dmp

Filesize
656KB

Download
memory/1192-67-0x0000000002CB0000-0x0000000002D54000-memory.dmp

Filesize
656KB

Download
memory/1684-101-0x0000000001B30000-0x0000000001BD4000-memory.dmp

Filesize
656KB

Download
memory/1684-88-0x0000000001B30000-0x0000000001BD4000-memory.dmp

Filesize
656KB

Download
memory/1684-90-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1684-87-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2364-19-0x0000000004D20000-0x0000000004D22000-memory.dmp

Filesize
8KB

Download
memory/2364-9-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2364-8-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2364-7-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2364-4-0x0000000002390000-0x000000000239D000-memory.dmp

Filesize
52KB

Download
memory/2364-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2364-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2460-81-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2460-78-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/2460-102-0x0000000001B90000-0x0000000001C34000-memory.dmp

Filesize
656KB

Download
memory/2460-79-0x0000000001B90000-0x0000000001C34000-memory.dmp

Filesize
656KB

Download
memory/2888-70-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-28-0x0000000001E10000-0x0000000001E90000-memory.dmp

Filesize
512KB

Download
memory/2888-63-0x0000000002740000-0x0000000002748000-memory.dmp

Filesize
32KB

Download
memory/2888-77-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-32-0x0000000001E10000-0x0000000001E90000-memory.dmp

Filesize
512KB

Download
memory/2888-30-0x0000000001E10000-0x0000000001E90000-memory.dmp

Filesize
512KB

Download
memory/2888-80-0x000000001B650000-0x000000001B68D000-memory.dmp

Filesize
244KB

Download
memory/2888-66-0x000000001B650000-0x000000001B68D000-memory.dmp

Filesize
244KB

Download
memory/2888-29-0x0000000001E10000-0x0000000001E90000-memory.dmp

Filesize
512KB

Download
memory/2888-31-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-27-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-46-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2888-25-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/2888-26-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2980-99-0x00000000002E0000-0x0000000000378000-memory.dmp

Filesize
608KB

Download
memory/2980-98-0x00000000002E0000-0x0000000000378000-memory.dmp

Filesize
608KB

Download
memory/2980-97-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2980-94-0x00000000002E0000-0x0000000000378000-memory.dmp

Filesize
608KB

Download