gozi | 911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe
Size

274KB
MD5

d18f3fecf6d28ddd0f4cf4a9b53c0aec
SHA1

05263b9ec69fcf48cc71443ba23545fabe21df12
SHA256

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
SHA512

4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
SSDEEP

3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3036 cmd.exe

pid	process
3036	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2920 set thread context of 1372	2920	powershell.exe	Explorer.EXE
PID 1372 set thread context of 3036	1372	Explorer.EXE	cmd.exe
PID 3036 set thread context of 2356	3036	cmd.exe	PING.EXE
PID 1372 set thread context of 2324	1372	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2356 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2356 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2356	PING.EXE

pid	process
2356	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exepowershell.exeExplorer.EXE

pid	process
2692	NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe
2920	powershell.exe
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2920 powershell.exe
1372 Explorer.EXE
3036 cmd.exe
1372 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2920 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE

pid	process
1372	Explorer.EXE

pid	process
2920	powershell.exe
1372	Explorer.EXE
3036	cmd.exe
1372	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2920	powershell.exe

pid	process
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2792 wrote to memory of 2920	2792	mshta.exe	powershell.exe
PID 2792 wrote to memory of 2920	2792	mshta.exe	powershell.exe
PID 2792 wrote to memory of 2920	2792	mshta.exe	powershell.exe
PID 2920 wrote to memory of 624	2920	powershell.exe	csc.exe
PID 2920 wrote to memory of 624	2920	powershell.exe	csc.exe
PID 2920 wrote to memory of 624	2920	powershell.exe	csc.exe
PID 624 wrote to memory of 1680	624	csc.exe	cvtres.exe
PID 624 wrote to memory of 1680	624	csc.exe	cvtres.exe
PID 624 wrote to memory of 1680	624	csc.exe	cvtres.exe
PID 2920 wrote to memory of 1908	2920	powershell.exe	csc.exe
PID 2920 wrote to memory of 1908	2920	powershell.exe	csc.exe
PID 2920 wrote to memory of 1908	2920	powershell.exe	csc.exe
PID 1908 wrote to memory of 1632	1908	csc.exe	cvtres.exe
PID 1908 wrote to memory of 1632	1908	csc.exe	cvtres.exe
PID 1908 wrote to memory of 1632	1908	csc.exe	cvtres.exe
PID 2920 wrote to memory of 1372	2920	powershell.exe	Explorer.EXE
PID 2920 wrote to memory of 1372	2920	powershell.exe	Explorer.EXE
PID 2920 wrote to memory of 1372	2920	powershell.exe	Explorer.EXE
PID 1372 wrote to memory of 3036	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 3036	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 3036	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 3036	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 3036	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 3036	1372	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 2356	3036	cmd.exe	PING.EXE
PID 3036 wrote to memory of 2356	3036	cmd.exe	PING.EXE
PID 3036 wrote to memory of 2356	3036	cmd.exe	PING.EXE
PID 3036 wrote to memory of 2356	3036	cmd.exe	PING.EXE
PID 3036 wrote to memory of 2356	3036	cmd.exe	PING.EXE
PID 3036 wrote to memory of 2356	3036	cmd.exe	PING.EXE
PID 1372 wrote to memory of 2324	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 2324	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 2324	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 2324	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 2324	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 2324	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 2324	1372	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>S21l='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(S21l).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\14432B37-6353-66A1-8D88-47FA113C6BCE\\\ClassLocal'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sxumlvyk -value gp; new-alias -name deudrum -value iex; deudrum ([System.Text.Encoding]::ASCII.GetString((sxumlvyk "HKCU:Software\AppDataLow\Software\Microsoft\14432B37-6353-66A1-8D88-47FA113C6BCE").OperatorTime))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r1-7acld.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32C5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC32C4.tmp"
5⤵
PID:1680

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pry0xezn.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3351.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3350.tmp"
5⤵
PID:1632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2356

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES32C5.tmp

Filesize
1KB

MD5
e0d3cc86caa7ae4d010c5df73b700be7

SHA1
5695bc34a1411acbb631c326bc17eaf9625e5268

SHA256
c162815895419c3f5fb62c51aceaf176158eb3532597235a08a404f48586b3c0

SHA512
e3201c1e6c1ab6770b4a1086c2413e838db44338a8bb6eab17d754f093cb80d7200701f78ca40e826b891e3638d0f8ee4d3570d6b88900bf7aea8d646979a28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3351.tmp

Filesize
1KB

MD5
e92a3329bef577ec8bf7dc1e1fa0660f

SHA1
2f894ae623b9dd4f863bbb00cb4d301095e376cf

SHA256
02d08fd8924dc3f22b371d21ed395c53b206f51370e1f82242ab03dccaedafd2

SHA512
bd21eaeb1904bbcaf45fff01ad49130692bed3f0396a56be19eb9d5f6451addbe757dc9865be0c49d403c837543a14875b0916ede402175c7e3bf09a7dd370dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pry0xezn.dll

Filesize
3KB

MD5
97b4c8dfe70feae0cb0be5f9d6efe1ee

SHA1
52e57492349e2953d80c41777562f761951e6403

SHA256
d93519f71f2e8effd6cb959b92e8f8f6a4cf8cdf81d70b922e8af8abc131f3d3

SHA512
9503eecab95f865ce2b8da726cc91ca09eefcb9835315596437ac084aef352c931af39cb81e8069f0f55ce1e562cde821626b44ce9998df7d5553adc787bfc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\pry0xezn.pdb

Filesize
7KB

MD5
f801fb966ab32c33182baaa29eb910f1

SHA1
1011994ff419da2608db27a1ebe96cab9c576728

SHA256
86c55bf9420782b437c8734832f65c861e1ceb6791e1fa22ad750ab36a7fe660

SHA512
82b26561995ed89424a7b1f0f5292b5cf98bab986eac648df3639e6a828b676f91efe335e8374913c54e006456879cf19e3199aefb794ec5ff6352775f63bc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\r1-7acld.dll

Filesize
3KB

MD5
01918321443232c3376d2fe935524c4b

SHA1
af106a7cc81fdb9db4b5b18b3d5e9a12ff0b5837

SHA256
8b2c111355582c9f1912a2bcf2b6784579b68fe78cdc82cb0010e9c16bdddb9c

SHA512
08db234adc1b89731dede39c0839ce8184639e231e5fb2c7cdaf9deb1412d7b40d3ebe5a1b323cd9a5ac2e8161eb287d4873d2dbcd8e63297d1816b421065633

Download Submit
C:\Users\Admin\AppData\Local\Temp\r1-7acld.pdb

Filesize
7KB

MD5
2c6eb4f78974e61bdc5520c3fa238a79

SHA1
fe1c8be6fb41040813e2f706842d5ada0dcc8167

SHA256
3ab8cf9d154071eb6cb5780e8b6a4e148049fff846bdfff3341e4fee476762a7

SHA512
f3a495aadd355e1403bf51855c4179df99744ffaaa6292622559f9b43c45cb5028bfa0d9e54159e3158899b18cbcb6573047906bb0f89929a8035909ce7b5cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC32C4.tmp

Filesize
652B

MD5
0f66da9b86d56ecda32257007371c9f1

SHA1
d0f856f9ea04bc698d3c944945268296b4034b50

SHA256
f565b2deeac46dd4aa9b2061d346466653c16bed19222b449fca9ceda4a822e2

SHA512
3691fbb3e1064fed024d6a78cb5d5592e7032f86abfdbfed55052dab6ace85ba147f8da20cdc9953e1499559868d968c3eb9ba47aec8cb408b149aba58f611e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3350.tmp

Filesize
652B

MD5
5848a982f712e6a2e212cd13e080a567

SHA1
a898c87c932e46d403314994ab9f33b2bb37d7f6

SHA256
1e4bf1cf1b77679030b439719f737f7e09344aafbd7ac005fb0b99575ce3d1f1

SHA512
85d429e22f7a68587c24b4a8d0192969eaaa19d856edc374f627051af6119acb105f42323be991ec94bc2cafe87a021feb12a8bebba2db0ddba2a1d7c3e3224c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pry0xezn.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pry0xezn.cmdline

Filesize
309B

MD5
edac9e4501f6ce3c8cc743ba724015a9

SHA1
52a956b7d7628db25c181865bcd9d98cad254824

SHA256
2d5aac54cc3467b6b9fa067e7cb90619d2e6cd15b3051a2dedfbfe48f6f901e2

SHA512
2278a3fa8bd6f10247fb5ea960dc22bc68bef3168d75a0173e23ce2b6f8ca0ccf567ad49286e902912077f530fedf52d80131a3dcc0645f47cdda6f385730eed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r1-7acld.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r1-7acld.cmdline

Filesize
309B

MD5
fd3781a6ea4bc1a73df458b0d56905b6

SHA1
4f0e71c15e8827b52f44f3636e89298c3e31e817

SHA256
c4aedd857be015dc3591ec66cd5693b14c06c0e1c37cdbb8492dc81f64973117

SHA512
147a7acc9b1b33fc6db6d911a6b14060eb06624733d63da1f8991afc581d09eb869520bca677eafe2399952be3b92c2b0a99016c1b3eb48e18283fc511124d2c

Download Submit
memory/624-38-0x0000000002140000-0x00000000021C0000-memory.dmp

Filesize
512KB

Download
memory/1372-98-0x0000000006C10000-0x0000000006CB4000-memory.dmp

Filesize
656KB

Download
memory/1372-69-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1372-68-0x0000000006C10000-0x0000000006CB4000-memory.dmp

Filesize
656KB

Download
memory/1908-59-0x00000000020C0000-0x0000000002140000-memory.dmp

Filesize
512KB

Download
memory/2324-93-0x0000000000130000-0x00000000001C8000-memory.dmp

Filesize
608KB

Download
memory/2324-97-0x0000000000130000-0x00000000001C8000-memory.dmp

Filesize
608KB

Download
memory/2324-96-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2356-86-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/2356-99-0x0000000000310000-0x00000000003B4000-memory.dmp

Filesize
656KB

Download
memory/2356-89-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2356-88-0x0000000000310000-0x00000000003B4000-memory.dmp

Filesize
656KB

Download
memory/2692-1-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2692-20-0x00000000045F0000-0x00000000045F2000-memory.dmp

Filesize
8KB

Download
memory/2692-9-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2692-8-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2692-7-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2692-4-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/2692-3-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2692-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2920-29-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2920-27-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-64-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2920-72-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-74-0x00000000027A0000-0x00000000027DD000-memory.dmp

Filesize
244KB

Download
memory/2920-25-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2920-26-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2920-67-0x00000000027A0000-0x00000000027DD000-memory.dmp

Filesize
244KB

Download
memory/2920-47-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2920-32-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2920-31-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-30-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2920-28-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/3036-81-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3036-80-0x0000000001BE0000-0x0000000001C84000-memory.dmp

Filesize
656KB

Download
memory/3036-79-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/3036-100-0x0000000001BE0000-0x0000000001C84000-memory.dmp

Filesize
656KB

Download