gozi | 2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

putty.exe
Size

293KB
MD5

01435632dca9afc151eec77862bfbc2b
SHA1

9bbb4ae83131fafcd14d580810b14f48d2d30837
SHA256

2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40
SHA512

61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677
SSDEEP

3072:28g/bYYX0XH1anZAsaA6eRESzHxHH3zt8l7Mjd1i0ot:DyYa0XUZdaAnEqHxn3R82i0o

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2900 cmd.exe

pid	process
2900	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2584 set thread context of 1280	2584	powershell.exe	Explorer.EXE
PID 1280 set thread context of 2900	1280	Explorer.EXE	cmd.exe
PID 2900 set thread context of 988	2900	cmd.exe	PING.EXE
PID 1280 set thread context of 1312	1280	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

988 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

988 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
988	PING.EXE

pid	process
988	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

putty.exepowershell.exeExplorer.EXE

pid	process
3040	putty.exe
2584	powershell.exe
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2584 powershell.exe
1280 Explorer.EXE
2900 cmd.exe
1280 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2584 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE

pid	process
1280	Explorer.EXE

pid	process
2584	powershell.exe
1280	Explorer.EXE
2900	cmd.exe
1280	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2584	powershell.exe

pid	process
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2348 wrote to memory of 2584	2348	mshta.exe	powershell.exe
PID 2348 wrote to memory of 2584	2348	mshta.exe	powershell.exe
PID 2348 wrote to memory of 2584	2348	mshta.exe	powershell.exe
PID 2584 wrote to memory of 2932	2584	powershell.exe	csc.exe
PID 2584 wrote to memory of 2932	2584	powershell.exe	csc.exe
PID 2584 wrote to memory of 2932	2584	powershell.exe	csc.exe
PID 2932 wrote to memory of 3068	2932	csc.exe	cvtres.exe
PID 2932 wrote to memory of 3068	2932	csc.exe	cvtres.exe
PID 2932 wrote to memory of 3068	2932	csc.exe	cvtres.exe
PID 2584 wrote to memory of 2804	2584	powershell.exe	csc.exe
PID 2584 wrote to memory of 2804	2584	powershell.exe	csc.exe
PID 2584 wrote to memory of 2804	2584	powershell.exe	csc.exe
PID 2804 wrote to memory of 1880	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 1880	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 1880	2804	csc.exe	cvtres.exe
PID 2584 wrote to memory of 1280	2584	powershell.exe	Explorer.EXE
PID 2584 wrote to memory of 1280	2584	powershell.exe	Explorer.EXE
PID 2584 wrote to memory of 1280	2584	powershell.exe	Explorer.EXE
PID 1280 wrote to memory of 2900	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 2900	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 2900	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 2900	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 2900	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 2900	1280	Explorer.EXE	cmd.exe
PID 2900 wrote to memory of 988	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 988	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 988	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 988	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 988	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 988	2900	cmd.exe	PING.EXE
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Pdkm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pdkm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\24F5F9D3-33BE-F6ED-DD98-178A614C3B5E\\\StopDiagram'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kdxvsley -value gp; new-alias -name rwhpcnio -value iex; rwhpcnio ([System.Text.Encoding]::ASCII.GetString((kdxvsley "HKCU:Software\AppDataLow\Software\Microsoft\24F5F9D3-33BE-F6ED-DD98-178A614C3B5E").ListMail))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ggsj99te.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79E2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC79D1.tmp"
5⤵
PID:3068

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9ic8k09z.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B49.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7B48.tmp"
5⤵
PID:1880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:988

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9ic8k09z.dll

Filesize
3KB

MD5
1a1ab0440c7c4dc2e08accb02222ea66

SHA1
53c96d9a50d6894c0f7ecc3a1ab4f51d0f0d4ffe

SHA256
045dd05367e1c725dcee1588e87e8452332cbf60fbdd6c54ea6f4baf5ed6e163

SHA512
91634d0536cfe9c368bb925029790c66270695b3596cd893e6a4a6f3d71663c16e1ba2957d22a689d8a8c4c313172108405fd4ea0c8b530479345d0302f93f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ic8k09z.pdb

Filesize
7KB

MD5
e91e9283c0b1e7d367e049080e038a0f

SHA1
8f65e841191f9d67682506954bd71ebf59c29d96

SHA256
8d678ac49d5f1a74808aab6340af1380a818c5db4293e348d7d656efd4c4626a

SHA512
2c70686a5bdbb6b1e638c4e7ba7c75768bf6f134908a9a727ba2c6c7a10efd599b067a421ef72af56ee8741de8f59535b2996abeb5b0898087402e10ea9216ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES79E2.tmp

Filesize
1KB

MD5
3f4eabc1b783dd9b71bba625456dc750

SHA1
32beb1f1a4f981873f5c54e2a6d59b167287179f

SHA256
5c99886882b90d29baec60ad2ab8914eae036e996379d2005fbcd77f22557579

SHA512
6a87059f284677efc5a0a2653b2845a556afd98789133f2b362d8d1ed3a18ba5eb49f819025fdb25f325e1dfa0341afb21ef79f063de5ae5cb0acf79241c1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7B49.tmp

Filesize
1KB

MD5
e0a5cd3c39d8d453fe3b61e67005eeac

SHA1
5ac8e9cc7e8d5252dec0ce2621797f2010c937e4

SHA256
5ecf5884d6bcd2e747a381a256fb841437617230cf9886d19ee27bde156e7034

SHA512
937a66d99ca394a5146b5ea944ec9eec9590911e0e0cd4baa5c4212bdeeb92679708c59029b4bef8ae2ed2d9ab38b93c24ba903f4bdcfb0e9cd94dcdb47f85dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggsj99te.dll

Filesize
3KB

MD5
f1c9b88a7d9b78504003203446c9513e

SHA1
b3b92474d652a1a2849fe8be76717dd330e8541f

SHA256
b2597aaafd266a4c4fee7e7f378a5e659edea74af56e33d0151fb7f79dcb09ba

SHA512
fac97ee800d9245e5c7eb3196578b011aa707b2f725fe257a8ec30a158ffbf98d9bfc08303a701aeb3cdec78b89c4f01a6a510da821f3a844ac221597b23b4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggsj99te.pdb

Filesize
7KB

MD5
02a9f1ee7ba2f7afaeb072b43da61c9f

SHA1
60a459647bf9fc49c19065a9bac656093c181733

SHA256
44d50d98cb533e6bcb35f659f2c1f104d0c805c8ad56c68682b56017e0574861

SHA512
4e36d57d53e1f77d51215c29f2697b0c76ccf2b710be752ab7559bf90214f6db2240b356d34b0606f3ed5c6fc27cbe1fcbc248996a25633e4907f883d48ee9a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9ic8k09z.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9ic8k09z.cmdline

Filesize
309B

MD5
7709b0120cb7cb03414ce46bcdf8ebb0

SHA1
fcd6a97c203f7971f424332bd1b1da3aaee53d04

SHA256
aa0afc7d370e651607b9144efb860ab67a28ac309da9ae3ba6f0e0016329bec3

SHA512
44e541930f44625b475392780d34069ddd8cfd25a3690a1a92a417112cb94f0f5d615d8e7e107629120267c137079aaa47068b5b02f875ce1c7dc7b98f082527

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC79D1.tmp

Filesize
652B

MD5
85b99c511a314357af0b82742e40c30c

SHA1
37aad490f94d282aa90bc2683a80d9b99c51f534

SHA256
077a6fbdc438e25eb4fa4908e0024d6347c39bc8dc5f12044eddf7a9f8de48c7

SHA512
f3a7612e78e2b2c074cc0f36c05744616dc97957da07906dba73a72b0f73730a1ec43df105228d5076fa2c11343aa811b0ad90577794a97a34ea3dcc7069e134

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7B48.tmp

Filesize
652B

MD5
2837e344df43e5a76edff649a4dc4534

SHA1
b975935239b4305bf92d301a64b99506092002da

SHA256
13fd8eff28e3fe8d77a6e5af5729cea4cf6034cf87b992899882da75db4f70fc

SHA512
84e0cea534a386d780aa9f49db32ba9b6edca001dfe69742f07fcdb33864f028b11031a95f63c0aac87012e1f5ed13458db9345ec0cd91b960beeb81e6f4a0fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ggsj99te.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ggsj99te.cmdline

Filesize
309B

MD5
de220fb68860b20be179d4cfbae57373

SHA1
01c6429eabb6f39c457c5d83816fd71e6cf4994f

SHA256
7ea8544e5ef9839f3de63f1412d8f8234d8aeaba624193c298782645bb023d30

SHA512
1035c5364e7d8b582ddfe5c66500c1702280bb31f5033e587b37e398a8d666bdefbf90254693515fe02553f0bdf3f37c68b744ac25932132770fc57435037f3d

Download Submit
memory/988-76-0x00000000002E0000-0x0000000000384000-memory.dmp

Filesize
656KB

Download
memory/988-89-0x00000000002E0000-0x0000000000384000-memory.dmp

Filesize
656KB

Download
memory/988-74-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/988-77-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1280-57-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1280-56-0x0000000006BD0000-0x0000000006C74000-memory.dmp

Filesize
656KB

Download
memory/1280-88-0x0000000006BD0000-0x0000000006C74000-memory.dmp

Filesize
656KB

Download
memory/1312-84-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1312-91-0x00000000002C0000-0x0000000000358000-memory.dmp

Filesize
608KB

Download
memory/1312-87-0x00000000002C0000-0x0000000000358000-memory.dmp

Filesize
608KB

Download
memory/1312-81-0x00000000002C0000-0x0000000000358000-memory.dmp

Filesize
608KB

Download
memory/2584-16-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2584-35-0x00000000028D0000-0x00000000028D8000-memory.dmp

Filesize
32KB

Download
memory/2584-15-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2584-20-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-17-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-52-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2584-18-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2584-55-0x000000001B650000-0x000000001B68D000-memory.dmp

Filesize
244KB

Download
memory/2584-19-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2584-21-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2584-65-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-66-0x000000001B650000-0x000000001B68D000-memory.dmp

Filesize
244KB

Download
memory/2804-43-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download
memory/2900-69-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-68-0x0000000001B60000-0x0000000001C04000-memory.dmp

Filesize
656KB

Download
memory/2900-90-0x0000000001B60000-0x0000000001C04000-memory.dmp

Filesize
656KB

Download
memory/2900-67-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/3040-9-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/3040-10-0x00000000042F0000-0x00000000042F2000-memory.dmp

Filesize
8KB

Download
memory/3040-1-0x0000000002350000-0x0000000002450000-memory.dmp

Filesize
1024KB

Download
memory/3040-8-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/3040-7-0x0000000002350000-0x0000000002450000-memory.dmp

Filesize
1024KB

Download
memory/3040-4-0x0000000000340000-0x000000000034D000-memory.dmp

Filesize
52KB

Download
memory/3040-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/3040-75-0x0000000002350000-0x0000000002450000-memory.dmp

Filesize
1024KB

Download
memory/3040-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download