gozi | 729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

295KB
MD5

de21fe50192a021dd37b67881fd332ba
SHA1

44c9c72bf5cd81a82ce7870dc765095f303c7fdf
SHA256

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab
SHA512

6650fe6e0f2866e442a9f753f90fc8aaf594d1d976207a94724f506d840ad6514b4c18392cbc3d51304dd2afb7fadce72f71b385899136b2e593c9fc1eda934a
SSDEEP

3072:F62X2mvtkAa8QoRzUA/nAUZSuJC/w3mA8FfbJ1fzodp/jhNGY:s2XXviAa8QontJF3b8NHfzodpv

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1412 cmd.exe

pid	process
1412	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3004 set thread context of 1328	3004	powershell.exe	Explorer.EXE
PID 1328 set thread context of 1412	1328	Explorer.EXE	cmd.exe
PID 1412 set thread context of 3052	1412	cmd.exe	PING.EXE
PID 1328 set thread context of 476	1328	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3052 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3052 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
3052	PING.EXE

pid	process
3052	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
2328	client.exe
3004	powershell.exe
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1328 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3004 powershell.exe
1328 Explorer.EXE
1412 cmd.exe
1328 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3004 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1328 Explorer.EXE

pid	process
1328	Explorer.EXE

pid	process
3004	powershell.exe
1328	Explorer.EXE
1412	cmd.exe
1328	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3004	powershell.exe

pid	process
1328	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 3004	1640	mshta.exe	powershell.exe
PID 1640 wrote to memory of 3004	1640	mshta.exe	powershell.exe
PID 1640 wrote to memory of 3004	1640	mshta.exe	powershell.exe
PID 3004 wrote to memory of 2828	3004	powershell.exe	csc.exe
PID 3004 wrote to memory of 2828	3004	powershell.exe	csc.exe
PID 3004 wrote to memory of 2828	3004	powershell.exe	csc.exe
PID 2828 wrote to memory of 2868	2828	csc.exe	cvtres.exe
PID 2828 wrote to memory of 2868	2828	csc.exe	cvtres.exe
PID 2828 wrote to memory of 2868	2828	csc.exe	cvtres.exe
PID 3004 wrote to memory of 2888	3004	powershell.exe	csc.exe
PID 3004 wrote to memory of 2888	3004	powershell.exe	csc.exe
PID 3004 wrote to memory of 2888	3004	powershell.exe	csc.exe
PID 2888 wrote to memory of 1152	2888	csc.exe	cvtres.exe
PID 2888 wrote to memory of 1152	2888	csc.exe	cvtres.exe
PID 2888 wrote to memory of 1152	2888	csc.exe	cvtres.exe
PID 3004 wrote to memory of 1328	3004	powershell.exe	Explorer.EXE
PID 3004 wrote to memory of 1328	3004	powershell.exe	Explorer.EXE
PID 3004 wrote to memory of 1328	3004	powershell.exe	Explorer.EXE
PID 1328 wrote to memory of 1412	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 1412	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 1412	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 1412	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 1412	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 1412	1328	Explorer.EXE	cmd.exe
PID 1412 wrote to memory of 3052	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 3052	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 3052	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 3052	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 3052	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 3052	1412	cmd.exe	PING.EXE
PID 1328 wrote to memory of 476	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 476	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 476	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 476	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 476	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 476	1328	Explorer.EXE	cmd.exe
PID 1328 wrote to memory of 476	1328	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bh34='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bh34).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\4A3E94A1-2199-0CE0-FB1E-E5005F32E934\\\PlayContact'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kxdmpjke -value gp; new-alias -name xlqfutnmp -value iex; xlqfutnmp ([System.Text.Encoding]::ASCII.GetString((kxdmpjke "HKCU:Software\AppDataLow\Software\Microsoft\4A3E94A1-2199-0CE0-FB1E-E5005F32E934").PlayChar))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4g3ow3sb.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES452C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC452B.tmp"
5⤵
PID:2868

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2mhkoj8.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45B8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4598.tmp"
5⤵
PID:1152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3052

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4g3ow3sb.dll
Filesize
3KB

MD5
bf5514b042c9cfd2b86af3640e5ffd8e

SHA1
74591b19af63f2db590bfcbd4aaa46d4f44c6a2e

SHA256
364f7c4ab01fad0855e385b434ee9c51ab712efff2c03f075f21b7d81f0b57fe

SHA512
4001f13fcb59cc7ffdec0972221c701f3f69cdfadb7833abbe612bac337bf9b078afa6c70e62b8a76b55af62e7fc47542e21bbe55f517c68d24f8ba85b16f965

Download Submit
C:\Users\Admin\AppData\Local\Temp\4g3ow3sb.pdb
Filesize
7KB

MD5
26b005d927449b04a8f804e5823476eb

SHA1
617c247011dc6c273118fc4dd07cf3127c32d979

SHA256
74afbaf555758bda55760e29de5d2b89a39e01e21c9898e6f074de0e63aef48a

SHA512
4441046021df07f3b789a3785141c2d10a7bc129e69faf35e418d2b9c6c6706f45d395920dfe571791a3c934476060e31ec7971a62098e6a69f2ed284f65285a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES452C.tmp
Filesize
1KB

MD5
95ed115cad877f5e166b98e596971088

SHA1
a3520bd66edf0242e7c4bc5c17ba72f6c941d0a5

SHA256
fa2e0c83ea0fecdaf2e27e9065f134b9bdcabe6b1c0a0404c5b73a6cdd26e74f

SHA512
8767a3d765465076329ba6baa54122ca2ade6f197ace2e787e09dfcfa37bd5401a00a703b67f5649163278a481ad50f219b854886c541d0c6ec08de3fa4ebea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES45B8.tmp
Filesize
1KB

MD5
f95fbf21829d5a55e7ef04b05c9c1b77

SHA1
32c6fcd2d94020adb8454afa64526d69c521b846

SHA256
b7649dd6d93dae98e379707cc3a8bf7a70ab07b193bf5cf432cca006724fe0ee

SHA512
25988e88ceda129e5d313f02b7529f5802a1c53a045f3d7bc511f4622d3369e87d43e857459c50488d39acc991a9f6e0c9dfece240e075a46d5df9955d898b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2mhkoj8.dll
Filesize
3KB

MD5
5c7089899aec21cafcc4bb806c410415

SHA1
a1041e8f5cdab3a9f0ce1a5a15f5641cc549c146

SHA256
9a7a1358d1186c90c93903a41959d204f87d674f9e5a30621c5166e41996ffee

SHA512
44d2fa2ede15309c8eaa8eb8dd139d163cb193060eebedb7665d26b5e30a18302fb09fac5ef314d2592efcb41cb7438e587398b481fe3638ad5de67687cada88

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2mhkoj8.pdb
Filesize
7KB

MD5
ba9cb1c7d5bb5b3af3d1d327e66fc577

SHA1
8a43956f18f3e4dc4b3f02d0ac7cc839cc670e14

SHA256
b00940bfb117455fe191fe7a0859882391b9bcda5210f886ed96f4faf57f4de6

SHA512
2aecf324c79765c758fb263d73d0b6038b00db91660ce2cf8a1d8d31f7547202c3d3ebbdf1dec82991a5ac0892fe9c50694f8c19c393978c28b5f08262a8e55f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4g3ow3sb.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4g3ow3sb.cmdline
Filesize
309B

MD5
943538bb113d2da957a41d7b921bc789

SHA1
4c27fb24c06d068365dd0c64c47158a2c5f447d2

SHA256
9639c1a59dc83ddd08148bd0ef0c4d97c690a985bb327687db20cbb36e0cd80e

SHA512
4e1e9e315b8b7bd1bc7693d25b55e80b01736d99293929a6263bdf0b233d0589dbdd533d55a9e407db3c2cec7bef9234566b149eda4fc5af2717f0878e28f8dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC452B.tmp
Filesize
652B

MD5
6b58631f5d6536edb1311439c544bb4b

SHA1
468b649262463ca0fcf6c3e2b7c1660a45e22dfb

SHA256
5cc056f61e026e15f5e0808779a8592c2434e859863bed8a3a5175e240fb7af2

SHA512
afc6622561b6caa1c0cf9ea37f4b3cb7548b7bf475ecb8a9ee2d8f8c4c9f9368643a5e8b68666cb7599a16d3aecddb7b16790861f8f786d2e32fa496e8970a5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4598.tmp
Filesize
652B

MD5
07fe6a2e6a1a23548af726249102f6e4

SHA1
353fa7a4bf84f180ed808cf84e9eb0ee53318d1b

SHA256
6b34b93dc347be619a2ef15ce56eac6751597101617b42646cdb1ff2bd3120ce

SHA512
7f8994b4ba29b2319aac2ba0dc9921e85484a197da7925e979cbf8a799a9f5045b12aeb3666df59fffd029991ef30d7956f73a293fa4ec8d4d47cf9c0ddd2096

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q2mhkoj8.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q2mhkoj8.cmdline
Filesize
309B

MD5
74f3b6bb73ebabe1aea6155a18074b92

SHA1
7715ef60e45486005b9fcf7b3c7c900329cafedb

SHA256
cf40fd937c1fcb259b2d2cc756325187e72552a727134f736bd64889e7790199

SHA512
87142a65f80e1f7704d1071570dec6dbb52053c53f1c45e9f73ddae80f76b29a3fb5267d60cfea6f4360135f8ce0f873be3890cd7b80ffe737b0ed73d511374d

Download Submit
memory/476-87-0x00000000002C0000-0x0000000000358000-memory.dmp

Filesize
608KB

Download
memory/476-88-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/476-91-0x00000000002C0000-0x0000000000358000-memory.dmp

Filesize
608KB

Download
memory/1328-64-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/1328-92-0x0000000004130000-0x00000000041D4000-memory.dmp

Filesize
656KB

Download
memory/1328-63-0x0000000004130000-0x00000000041D4000-memory.dmp

Filesize
656KB

Download
memory/1412-75-0x0000000001C20000-0x0000000001CC4000-memory.dmp

Filesize
656KB

Download
memory/1412-76-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1412-74-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/1412-94-0x0000000001C20000-0x0000000001CC4000-memory.dmp

Filesize
656KB

Download
memory/2328-1-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/2328-15-0x00000000042E0000-0x00000000042E2000-memory.dmp

Filesize
8KB

Download
memory/2328-8-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2328-7-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/2328-4-0x0000000000350000-0x000000000035D000-memory.dmp

Filesize
52KB

Download
memory/2328-3-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2328-2-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2828-34-0x00000000022C0000-0x0000000002340000-memory.dmp

Filesize
512KB

Download
memory/3004-25-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/3004-27-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/3004-59-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/3004-72-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/3004-73-0x0000000002710000-0x000000000274D000-memory.dmp

Filesize
244KB

Download
memory/3004-43-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/3004-28-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/3004-62-0x0000000002710000-0x000000000274D000-memory.dmp

Filesize
244KB

Download
memory/3004-21-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/3004-22-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/3004-26-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/3004-24-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/3004-23-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/3052-83-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/3052-93-0x0000000001C20000-0x0000000001CC4000-memory.dmp

Filesize
656KB

Download
memory/3052-81-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download