gozi | fe05e50be407f5efcb1870991f86ec721fd7088e92782a60aa815e0a68eb486e

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05-10-2023 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

304KB
MD5

27b1d878636e00e43436184b70e9f41c
SHA1

b175d86922e1e837d8d74b588ff746ea7b8670df
SHA256

fe05e50be407f5efcb1870991f86ec721fd7088e92782a60aa815e0a68eb486e
SHA512

086b34070946d275ef50552969c6e561349299eb7eece513ca4504c84ad7810a02428a1540ecd715541139f500137209c94297a331dfa87c18afa2d91e24349e
SSDEEP

6144:R+91vEOpa6NK56upTHirwtRinshvjxdyhgAw8Fi5r+IxsN+:8Dsf4K56u1HqLshvjxia8Mr+/

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/2084-0-0x0000000000100000-0x000000000010C000-memory.dmp	dave

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1296 cmd.exe

pid	process
1296	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1128 set thread context of 1192	1128	powershell.exe	Explorer.EXE
PID 1192 set thread context of 1296	1192	Explorer.EXE	cmd.exe
PID 1296 set thread context of 1148	1296	cmd.exe	PING.EXE
PID 1192 set thread context of 2576	1192	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1148 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1148 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1148	PING.EXE

pid	process
1148	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
2084	client.exe
1128	powershell.exe
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1128 powershell.exe
1192 Explorer.EXE
1296 cmd.exe
1192 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1128 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE

pid	process
1192	Explorer.EXE

pid	process
1128	powershell.exe
1192	Explorer.EXE
1296	cmd.exe
1192	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1128	powershell.exe

pid	process
1192	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 1128	2024	mshta.exe	powershell.exe
PID 2024 wrote to memory of 1128	2024	mshta.exe	powershell.exe
PID 2024 wrote to memory of 1128	2024	mshta.exe	powershell.exe
PID 1128 wrote to memory of 1824	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 1824	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 1824	1128	powershell.exe	csc.exe
PID 1824 wrote to memory of 744	1824	csc.exe	cvtres.exe
PID 1824 wrote to memory of 744	1824	csc.exe	cvtres.exe
PID 1824 wrote to memory of 744	1824	csc.exe	cvtres.exe
PID 1128 wrote to memory of 2788	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 2788	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 2788	1128	powershell.exe	csc.exe
PID 2788 wrote to memory of 1248	2788	csc.exe	cvtres.exe
PID 2788 wrote to memory of 1248	2788	csc.exe	cvtres.exe
PID 2788 wrote to memory of 1248	2788	csc.exe	cvtres.exe
PID 1128 wrote to memory of 1192	1128	powershell.exe	Explorer.EXE
PID 1128 wrote to memory of 1192	1128	powershell.exe	Explorer.EXE
PID 1128 wrote to memory of 1192	1128	powershell.exe	Explorer.EXE
PID 1192 wrote to memory of 1296	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1296	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1296	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1296	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1296	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 1296	1192	Explorer.EXE	cmd.exe
PID 1296 wrote to memory of 1148	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1148	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1148	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1148	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1148	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1148	1296	cmd.exe	PING.EXE
PID 1192 wrote to memory of 2576	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2576	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2576	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2576	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2576	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2576	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2576	1192	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bat1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bat1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3C64491B-6BF2-CEE4-D530-CFE2D9647336\\\MusicWhite'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name hnouomb -value gp; new-alias -name okdfsimvoc -value iex; okdfsimvoc ([System.Text.Encoding]::ASCII.GetString((hnouomb "HKCU:Software\AppDataLow\Software\Microsoft\3C64491B-6BF2-CEE4-D530-CFE2D9647336").ControlText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q-jz-g0e.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C20.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2C10.tmp"
5⤵
PID:744

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezf6vonx.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CAD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2CAC.tmp"
5⤵
PID:1248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1148

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2C20.tmp
Filesize
1KB

MD5
e3eaff0ff446a82420a055338bd63cf5

SHA1
279541fc2a66898a32e5fcfd31e2b4157f0c4f2c

SHA256
c068629b23890ec42e09dc9803462094a68f28189d183d6b86276bf154604d03

SHA512
2401f053efa732a538734e50f580b0105ecee2d99bf504399f73c79f73e5c96bc7ba845ed00789d497fb0e6c8338728e44cc6b8412a9b35e19059b7df672d1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2CAD.tmp
Filesize
1KB

MD5
fc827bea931f369fbcb9a00dcaa63c82

SHA1
4d4366ed2b8ca0cb9c6ee8731811db3fd5d5055d

SHA256
488f4d9b2e1c89ae4b61fb005d6435e233b9592fd19b63f23e4cbf0f9399bef7

SHA512
99b54c18311a5eb5ca9460580302a8e5266b0387f05d9120db08194f254c109c4c2d29df77d9a5d730fd396e8b8f26f69777880977e3da83cac104237c7e7a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezf6vonx.dll
Filesize
3KB

MD5
c4b697214905956caa633e6cf9d05f3a

SHA1
09d823442633a17d50c09f435fba2ca978c11f0b

SHA256
6b484ccad3b77a6763e22a5e32e688f1cf744d56a2c19fcf79fcde9124013fe3

SHA512
764d5f8d8b009a53cc2dbc43235e52791ef75f6bc7f31a2e74dee3f3121871841214e1ac1a71926195b3aee0cf9fb169bbc76435c010af62711ee55b0a6aa161

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezf6vonx.pdb
Filesize
7KB

MD5
da789a2a26b0a117f4d3dbef06097a2a

SHA1
0c7553470afcf608e495db6031966d9526d3d86a

SHA256
77f9ebf711ff2142edd485a6798d1616dd296892a8d21402df27b143c1e8a6b6

SHA512
20fe32a9bd3c5872200832fcde845f3af47467f78f413a743276a0c40b042db8af559eeb1def50cf8aa3ce3640d72279d46e1080bdd431c89b7c2b21f35e06ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\q-jz-g0e.dll
Filesize
3KB

MD5
59192b3243170490fc96d7b25129e3a0

SHA1
bcc2f5c28978eaf7d9cd02ad1c00e749190181bc

SHA256
b4f918ae7d8457a95c0eb2f184bf0ad7c8d1d9447b35b4e14deba7c136f77fd4

SHA512
b9873cefb4d2019f86c79a1ebf5ea853309a755c925e45e5ea8b27cd8fc701fd73129f8bb6c73c61093cde8674e855ee470b7aa583da6393ab5a3c76d721d799

Download Submit
C:\Users\Admin\AppData\Local\Temp\q-jz-g0e.pdb
Filesize
7KB

MD5
7346e21009d7d8a2a2bf35e44543b0eb

SHA1
8eca369949752d636574365591fc85dae7e9d7d2

SHA256
6d7cfc7d01fc4c59cebbaf542b70f115da0e46c14604c812f82acdd7f26f0941

SHA512
dcb32326efeaa0a3c5fd5f5fc3002527540d89504e005e4a84f09f6d713348c6c7d85c45aa59284d05bd50791758fc796f50dccd5e113dcd4b032260b760b4d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2C10.tmp
Filesize
652B

MD5
d68fe77c49942b7099ec44b7da531aa4

SHA1
964f04da7ff79e84f90b0ef5557d7a93159203f7

SHA256
27985032a8194490ed5b39f3253620602b8d2ce097cac5a9259e7e7caf18c972

SHA512
12c4806e5ab54335e7a38be28645eaa614967a82876b83c57876a4f86e73f208ba5f86b943eb9ad9c5ef53daf702abf36535a285280cdecf74e320a1624fd5e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2CAC.tmp
Filesize
652B

MD5
46401ca99542585019f9cfb18ee6d7dc

SHA1
827197da7d8987100d6a3bd70afa449481489597

SHA256
2c38f1310bc6161bf0975be52e92341ee66273ab5a14dcde88cece39ec30ed53

SHA512
9d5c5a9b0d4555a4a45b1038e6c9b17946296b971e8cfcbf3d9284d58ad10426339d8d4e3bf523636d881d90655a32c51762020bf5d845695019cec1288c75fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ezf6vonx.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ezf6vonx.cmdline
Filesize
309B

MD5
98c844338e4eb2dba16ebc6ea63b50b3

SHA1
516a363178076019a0541942509fbbbf797c36e1

SHA256
1b3d1b8dd3e3f2aa330c472a62b8b4193d1cbf1a1677f2430c7cdaa092cb24b5

SHA512
315f5f01564affac53d7acf87c72e09f4f4fac0cc4ac656f77818d47ddeff8d0ee5c2589c70269c606aa06363700469bef5fd0f99be4bad6fea5fc83dd8c9f6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q-jz-g0e.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q-jz-g0e.cmdline
Filesize
309B

MD5
d045ad73eb545d1891baaff3e545d5b0

SHA1
0fbf1740f1041af78a544eef9d4aad95d5787920

SHA256
38ef44ce5c7b6830d102e93c4024b78c9b31f5a49de64f5eae0572e7ec4af295

SHA512
ff551387a4c0e10a15e5d7918f7c9f18cf5b3619b9d63a64bdd13aa36ae449ec55df6f602b2041f517e621e5d5b6b6e7b082557771c15ea8623f0fe437cc019f

Download Submit
memory/1128-25-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1128-19-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/1128-24-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/1128-23-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/1128-22-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/1128-39-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/1128-21-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1128-20-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1128-69-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1128-70-0x00000000028D0000-0x000000000290D000-memory.dmp

Filesize
244KB

Download
memory/1128-59-0x00000000028D0000-0x000000000290D000-memory.dmp

Filesize
244KB

Download
memory/1128-56-0x00000000028B0000-0x00000000028B8000-memory.dmp

Filesize
32KB

Download
memory/1148-78-0x0000000001B60000-0x0000000001C04000-memory.dmp

Filesize
656KB

Download
memory/1148-79-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1148-77-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/1148-89-0x0000000001B60000-0x0000000001C04000-memory.dmp

Filesize
656KB

Download
memory/1192-88-0x0000000003C20000-0x0000000003CC4000-memory.dmp

Filesize
656KB

Download
memory/1192-61-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1192-60-0x0000000003C20000-0x0000000003CC4000-memory.dmp

Filesize
656KB

Download
memory/1296-72-0x0000000000380000-0x0000000000424000-memory.dmp

Filesize
656KB

Download
memory/1296-71-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/1296-73-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1296-90-0x0000000000380000-0x0000000000424000-memory.dmp

Filesize
656KB

Download
memory/2084-1-0x0000000000190000-0x000000000019F000-memory.dmp

Filesize
60KB

Download
memory/2084-0-0x0000000000100000-0x000000000010C000-memory.dmp

Filesize
48KB

Download
memory/2084-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2084-11-0x00000000001C0000-0x00000000001CD000-memory.dmp

Filesize
52KB

Download
memory/2084-14-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/2576-84-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2576-83-0x0000000000420000-0x00000000004B8000-memory.dmp

Filesize
608KB

Download
memory/2576-87-0x0000000000420000-0x00000000004B8000-memory.dmp

Filesize
608KB

Download
memory/2788-47-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download