gozi | bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97exe_JC.exe
Size

37KB
MD5

532039d2f764d59a4c1cac5e6091aa52
SHA1

a1abbd3f89897952fc0a90e60ca49983c287a65c
SHA256

bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97
SHA512

711c7a4d7481b414178542aac5ef908b5b66b50ed96305c9f159ea4b1762ddb77f2125470bbb8101909ff4c77c51d3c7e0a121d65a7356bc28756f8028f01b0b
SSDEEP

768:MA3rPI5jShpW1v5wlZkyJ8Kl7aQixYgxYJmv0NHY7lbjNltdX2k:j3rPI5jSu1aZkyVJaf3C7YJj3HG

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4976 set thread context of 3224	4976	powershell.exe	44
PID 3224 set thread context of 3800	3224	Explorer.EXE	15
PID 3224 set thread context of 4016	3224	Explorer.EXE	39
PID 3224 set thread context of 3668	3224	Explorer.EXE	107
PID 3224 set thread context of 4480	3224	Explorer.EXE	27
PID 3668 set thread context of 2156	3668	cmd.exe	108
PID 3224 set thread context of 2888	3224	Explorer.EXE	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2156	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2156	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97exe_JC.exe
2740	bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97exe_JC.exe
4976	powershell.exe
4976	powershell.exe
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4976	powershell.exe
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3668	cmd.exe
3224	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3224	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3224	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 4976	1504	mshta.exe	100
PID 1504 wrote to memory of 4976	1504	mshta.exe	100
PID 4976 wrote to memory of 4268	4976	powershell.exe	102
PID 4976 wrote to memory of 4268	4976	powershell.exe	102
PID 4268 wrote to memory of 4808	4268	csc.exe	103
PID 4268 wrote to memory of 4808	4268	csc.exe	103
PID 4976 wrote to memory of 3748	4976	powershell.exe	104
PID 4976 wrote to memory of 3748	4976	powershell.exe	104
PID 3748 wrote to memory of 3700	3748	csc.exe	105
PID 3748 wrote to memory of 3700	3748	csc.exe	105
PID 4976 wrote to memory of 3224	4976	powershell.exe	44
PID 4976 wrote to memory of 3224	4976	powershell.exe	44
PID 4976 wrote to memory of 3224	4976	powershell.exe	44
PID 4976 wrote to memory of 3224	4976	powershell.exe	44
PID 3224 wrote to memory of 3800	3224	Explorer.EXE	15
PID 3224 wrote to memory of 3800	3224	Explorer.EXE	15
PID 3224 wrote to memory of 3800	3224	Explorer.EXE	15
PID 3224 wrote to memory of 3668	3224	Explorer.EXE	107
PID 3224 wrote to memory of 3668	3224	Explorer.EXE	107
PID 3224 wrote to memory of 3668	3224	Explorer.EXE	107
PID 3224 wrote to memory of 3800	3224	Explorer.EXE	15
PID 3224 wrote to memory of 4016	3224	Explorer.EXE	39
PID 3224 wrote to memory of 4016	3224	Explorer.EXE	39
PID 3224 wrote to memory of 4016	3224	Explorer.EXE	39
PID 3224 wrote to memory of 4016	3224	Explorer.EXE	39
PID 3224 wrote to memory of 4480	3224	Explorer.EXE	27
PID 3224 wrote to memory of 4480	3224	Explorer.EXE	27
PID 3224 wrote to memory of 3668	3224	Explorer.EXE	107
PID 3224 wrote to memory of 3668	3224	Explorer.EXE	107
PID 3224 wrote to memory of 4480	3224	Explorer.EXE	27
PID 3224 wrote to memory of 4480	3224	Explorer.EXE	27
PID 3668 wrote to memory of 2156	3668	cmd.exe	108
PID 3668 wrote to memory of 2156	3668	cmd.exe	108
PID 3668 wrote to memory of 2156	3668	cmd.exe	108
PID 3224 wrote to memory of 2888	3224	Explorer.EXE	109
PID 3224 wrote to memory of 2888	3224	Explorer.EXE	109
PID 3224 wrote to memory of 2888	3224	Explorer.EXE	109
PID 3224 wrote to memory of 2888	3224	Explorer.EXE	109
PID 3668 wrote to memory of 2156	3668	cmd.exe	108
PID 3668 wrote to memory of 2156	3668	cmd.exe	108
PID 3224 wrote to memory of 2888	3224	Explorer.EXE	109
PID 3224 wrote to memory of 2888	3224	Explorer.EXE	109

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4480

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97exe_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97exe_JC.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yqjq='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yqjq).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name qdnhwxalw -value gp; new-alias -name wbgkqfv -value iex; wbgkqfv ([System.Text.Encoding]::ASCII.GetString((qdnhwxalw "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w2i3nbqb\w2i3nbqb.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2968.tmp" "c:\Users\Admin\AppData\Local\Temp\w2i3nbqb\CSCC13555F8879144EC86EA5F6CE334CE34.TMP"
        5⤵
        
        PID:4808
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ojslv5tt\ojslv5tt.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A62.tmp" "c:\Users\Admin\AppData\Local\Temp\ojslv5tt\CSC9BBBE3B947D54A708FA3B2C1A51C49C1.TMP"
        5⤵
        
        PID:3700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97exe_JC.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2156
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2968.tmp

Filesize
1KB

MD5
4716f0bcdcc9de5931f926ae28e981c8

SHA1
ac57d16adc72dc50ba8bbefe5e521ad4908be868

SHA256
fff9da789e16a60152b9fdcd1c047aec136c0a884fdbe62c51a72ba778dfcb05

SHA512
224d18c3d9cdb21cfb933e76ee89f486afcbb18cc9a2d5ed323078593387981761c802cc3745aa0dbe961e2d8d957642bec4792d5d28da6ea3ffccaef47ca610

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A62.tmp

Filesize
1KB

MD5
463ac6bea238a3012a7f569ff5d157e3

SHA1
36f075cd8a58080dbc26489780e731eb82ff28ef

SHA256
44caa2506d75aad6cdb9b1c7674d2dd7e106d374ef575525b5077f829c477af6

SHA512
8a1bf0e7d0362ca9552f05dfb3f9d89381578a795aa7efdd878573fa8bcf3a28696fc8ac61bf0ff0dad6c055a0c726143ee1971ce0e0c4a6fc7a50e3fd81b3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rogkjx4t.xx1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojslv5tt\ojslv5tt.dll

Filesize
3KB

MD5
66cab399d2bae269ddb9cd17449502fa

SHA1
1d63d25553dabe8c1ab8fb873d24025bc5ecebf0

SHA256
b15df7a85d2bc83272d782a4e6c36229f39410d9a101350429aefe37e13d704e

SHA512
3a003463813255e5e0cb7028cbe837bd86b246e9ec7e638042689d691da64803f29938a9f57fd3c9879e87bc94e07e7390eadbdd9679665fbd3939f79974201d

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2i3nbqb\w2i3nbqb.dll

Filesize
3KB

MD5
f2718ed7b45871cab16ffb61c8f80adf

SHA1
61cca455d65f309ebb6e6b4ef9c2dec30432ca80

SHA256
335983b9cd1f295f67934f82c7a9b82437f40bdc85bb03f7f53b0c29dd419861

SHA512
488d563f5c63647137759c2419069cc1c9605193185588cf97d0e4bd91fe98fae6090e114db9fcdcb74600c8e51a640ca74a2e861ab3a4224de20856d358b255

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ojslv5tt\CSC9BBBE3B947D54A708FA3B2C1A51C49C1.TMP

Filesize
652B

MD5
f652de1c496caee7aff4cf07ea5cf659

SHA1
7fd956cd79e0d49c00c244f651018a1e3584bde7

SHA256
03f704ba3f40ea602fa52afd78e5d3563fe5a5d713450ecfb18a4c1af2bf1661

SHA512
4d37b2cd347bd754065767108638563d710e76d1a3426778ed8174a14f7483d577dbedfbd3b96013952a34b3fcd8ca6016c8a1cebd395cbeef0054af027360ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ojslv5tt\ojslv5tt.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ojslv5tt\ojslv5tt.cmdline

Filesize
369B

MD5
89c37fa4afd5fe940213919ff36f56f1

SHA1
3f6b135715b85e1b26ab4c2b3779af33a0cc4e5f

SHA256
4e3ab211b06eeab778337a6296d870fffd4004ca3b054710bbf46ecda4fd1bc6

SHA512
8f866d34ce9381b05d7c33907921435ad9220626e340cdd049d34ce0ae63059201a8874f8814c33e9158e14edb8d5ab750a93db2a2aeb1b9037b442bffcf2b67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w2i3nbqb\CSCC13555F8879144EC86EA5F6CE334CE34.TMP

Filesize
652B

MD5
6baa0f0da2973092afcec6e6b495d4a6

SHA1
b36ca5068d8597e7f4ee44df2f139f8f799ac0a5

SHA256
b8b30a50be74846e5db32866aee18c139a4ab50bc3f7364cd347a526da5371c7

SHA512
6b22b5d978033dc17f22ace597011002ce3ed41e7ca954d241d467c8be50fbe8767abf459e575a536c17a91afe9cfcce43486b3e85e05961c534c9b8d95ed73c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w2i3nbqb\w2i3nbqb.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w2i3nbqb\w2i3nbqb.cmdline

Filesize
369B

MD5
bf5488495832c42660b16451e1b77f1c

SHA1
71ebffa8666d7a66c8d423e2c44455989d5f66f2

SHA256
ceec7925ca0d04f48a133bc3ec68f944ba19d7ddcd998761149a8879c0fc3562

SHA512
ccc44b561ab9a4f82defb80b86bb58c26135d6a2659b3f88acfb48ec933c1a9f72ea3fb44fd2d4b5491bb776d4991103d26bb443f316dfab8fc74f124451e975

Download Submit
memory/2156-88-0x000001ED407B0000-0x000001ED40854000-memory.dmp

Filesize
656KB

Download
memory/2156-89-0x000001ED40760000-0x000001ED40761000-memory.dmp

Filesize
4KB

Download
memory/2156-100-0x000001ED407B0000-0x000001ED40854000-memory.dmp

Filesize
656KB

Download
memory/2740-0-0x00000000004B0000-0x00000000004BD000-memory.dmp

Filesize
52KB

Download
memory/2888-93-0x0000000000C50000-0x0000000000CE8000-memory.dmp

Filesize
608KB

Download
memory/2888-94-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2888-98-0x0000000000C50000-0x0000000000CE8000-memory.dmp

Filesize
608KB

Download
memory/3224-48-0x0000000008730000-0x00000000087D4000-memory.dmp

Filesize
656KB

Download
memory/3224-96-0x0000000008730000-0x00000000087D4000-memory.dmp

Filesize
656KB

Download
memory/3224-49-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3668-101-0x000001BC0BFA0000-0x000001BC0C044000-memory.dmp

Filesize
656KB

Download
memory/3668-72-0x000001BC0BFA0000-0x000001BC0C044000-memory.dmp

Filesize
656KB

Download
memory/3668-76-0x000001BC0C050000-0x000001BC0C051000-memory.dmp

Filesize
4KB

Download
memory/3800-99-0x000002C6A9E60000-0x000002C6A9F04000-memory.dmp

Filesize
656KB

Download
memory/3800-61-0x000002C6A9E60000-0x000002C6A9F04000-memory.dmp

Filesize
656KB

Download
memory/3800-62-0x000002C6A9C30000-0x000002C6A9C31000-memory.dmp

Filesize
4KB

Download
memory/4016-102-0x000001E3F8100000-0x000001E3F81A4000-memory.dmp

Filesize
656KB

Download
memory/4016-67-0x000001E3F8100000-0x000001E3F81A4000-memory.dmp

Filesize
656KB

Download
memory/4016-69-0x000001E3F80C0000-0x000001E3F80C1000-memory.dmp

Filesize
4KB

Download
memory/4480-83-0x00000267F35D0000-0x00000267F35D1000-memory.dmp

Filesize
4KB

Download
memory/4480-80-0x00000267F3E20000-0x00000267F3EC4000-memory.dmp

Filesize
656KB

Download
memory/4480-103-0x00000267F3E20000-0x00000267F3EC4000-memory.dmp

Filesize
656KB

Download
memory/4976-46-0x000001E13E2E0000-0x000001E13E31D000-memory.dmp

Filesize
244KB

Download
memory/4976-30-0x000001E125CD0000-0x000001E125CD8000-memory.dmp

Filesize
32KB

Download
memory/4976-17-0x000001E125A00000-0x000001E125A10000-memory.dmp

Filesize
64KB

Download
memory/4976-15-0x000001E125A00000-0x000001E125A10000-memory.dmp

Filesize
64KB

Download
memory/4976-16-0x000001E125A00000-0x000001E125A10000-memory.dmp

Filesize
64KB

Download
memory/4976-14-0x00007FFDAB940000-0x00007FFDAC401000-memory.dmp

Filesize
10.8MB

Download
memory/4976-59-0x000001E13E2E0000-0x000001E13E31D000-memory.dmp

Filesize
244KB

Download
memory/4976-10-0x000001E13E130000-0x000001E13E152000-memory.dmp

Filesize
136KB

Download
memory/4976-58-0x00007FFDAB940000-0x00007FFDAC401000-memory.dmp

Filesize
10.8MB

Download
memory/4976-44-0x000001E13E2D0000-0x000001E13E2D8000-memory.dmp

Filesize
32KB

Download