gozi | 911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

Analysis

max time kernel
150s
max time network
108s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06-10-2023 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
Size

274KB
MD5

d18f3fecf6d28ddd0f4cf4a9b53c0aec
SHA1

05263b9ec69fcf48cc71443ba23545fabe21df12
SHA256

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
SHA512

4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
SSDEEP

3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2504 set thread context of 3220	2504	powershell.exe	Explorer.EXE
PID 3220 set thread context of 3700	3220	Explorer.EXE	RuntimeBroker.exe
PID 3220 set thread context of 4104	3220	Explorer.EXE	cmd.exe
PID 3220 set thread context of 4408	3220	Explorer.EXE	WinMail.exe
PID 4104 set thread context of 4196	4104	cmd.exe	PING.EXE
PID 3220 set thread context of 1376	3220	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4196 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4196 PING.EXE

pid	process
4196	PING.EXE

pid	process
4196	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exepowershell.exeExplorer.EXE

pid	process
4636	911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
4636	911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
2504	powershell.exe
2504	powershell.exe
2504	powershell.exe
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3220 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2504 powershell.exe
3220 Explorer.EXE
3220 Explorer.EXE
3220 Explorer.EXE
4104 cmd.exe
3220 Explorer.EXE

pid	process
3220	Explorer.EXE

pid	process
2504	powershell.exe
3220	Explorer.EXE
3220	Explorer.EXE
3220	Explorer.EXE
4104	cmd.exe
3220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3220 Explorer.EXE

pid	process
3220	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1276 wrote to memory of 2504	1276	mshta.exe	powershell.exe
PID 1276 wrote to memory of 2504	1276	mshta.exe	powershell.exe
PID 2504 wrote to memory of 3664	2504	powershell.exe	csc.exe
PID 2504 wrote to memory of 3664	2504	powershell.exe	csc.exe
PID 3664 wrote to memory of 4496	3664	csc.exe	cvtres.exe
PID 3664 wrote to memory of 4496	3664	csc.exe	cvtres.exe
PID 2504 wrote to memory of 3204	2504	powershell.exe	csc.exe
PID 2504 wrote to memory of 3204	2504	powershell.exe	csc.exe
PID 3204 wrote to memory of 4508	3204	csc.exe	cvtres.exe
PID 3204 wrote to memory of 4508	3204	csc.exe	cvtres.exe
PID 2504 wrote to memory of 3220	2504	powershell.exe	Explorer.EXE
PID 2504 wrote to memory of 3220	2504	powershell.exe	Explorer.EXE
PID 2504 wrote to memory of 3220	2504	powershell.exe	Explorer.EXE
PID 2504 wrote to memory of 3220	2504	powershell.exe	Explorer.EXE
PID 3220 wrote to memory of 3700	3220	Explorer.EXE	RuntimeBroker.exe
PID 3220 wrote to memory of 3700	3220	Explorer.EXE	RuntimeBroker.exe
PID 3220 wrote to memory of 3700	3220	Explorer.EXE	RuntimeBroker.exe
PID 3220 wrote to memory of 3700	3220	Explorer.EXE	RuntimeBroker.exe
PID 3220 wrote to memory of 4104	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 4104	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 4104	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 4104	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 4104	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 4408	3220	Explorer.EXE	WinMail.exe
PID 3220 wrote to memory of 4408	3220	Explorer.EXE	WinMail.exe
PID 3220 wrote to memory of 4408	3220	Explorer.EXE	WinMail.exe
PID 3220 wrote to memory of 4408	3220	Explorer.EXE	WinMail.exe
PID 3220 wrote to memory of 4408	3220	Explorer.EXE	WinMail.exe
PID 4104 wrote to memory of 4196	4104	cmd.exe	PING.EXE
PID 4104 wrote to memory of 4196	4104	cmd.exe	PING.EXE
PID 4104 wrote to memory of 4196	4104	cmd.exe	PING.EXE
PID 4104 wrote to memory of 4196	4104	cmd.exe	PING.EXE
PID 4104 wrote to memory of 4196	4104	cmd.exe	PING.EXE
PID 3220 wrote to memory of 1376	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 1376	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 1376	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 1376	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 1376	3220	Explorer.EXE	cmd.exe
PID 3220 wrote to memory of 1376	3220	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
"C:\Users\Admin\AppData\Local\Temp\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ps0o='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ps0o).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\9559E87B-F0DD-8FD8-A299-2433F6DD9817\\\LinkClass'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name hfecvna -value gp; new-alias -name dtuakvl -value iex; dtuakvl ([System.Text.Encoding]::ASCII.GetString((hfecvna "HKCU:Software\AppDataLow\Software\Microsoft\9559E87B-F0DD-8FD8-A299-2433F6DD9817").ControlComputer))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tz03fmwq\tz03fmwq.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FE.tmp" "c:\Users\Admin\AppData\Local\Temp\tz03fmwq\CSCFD03D10971F94170B364D0D459478367.TMP"
5⤵
PID:4496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gudwq1gm\gudwq1gm.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB26.tmp" "c:\Users\Admin\AppData\Local\Temp\gudwq1gm\CSC86A9A881B9CC48C7853F72DE4C47A2C2.TMP"
5⤵
PID:4508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4196

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:4408

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1376

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9FE.tmp
Filesize
1KB

MD5
41b93d6bc6227109548443bb20adf121

SHA1
af4243d6a649298ae5ad886c10a64f941c84b3b9

SHA256
4ab272ca47ad32a40adcbb2343c782a35a0c23bd0b24d913436ddb2cbc4a18b4

SHA512
94c66446556f718ac0e5365a46612b1a897c609a0c91cde1e34f8e469ee7ee207b41378ccf61d034c210d48c51c5485bd8d28eed68b82cae0183fdbbbe30a8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB26.tmp
Filesize
1KB

MD5
2f069f0cebc1a819dbd99531333925ba

SHA1
a66aea686a9a3e55f31a822652f659e75c2502b7

SHA256
a671a65dddf64325da713ee7f070d3245e5fc62c0aabeaa1d565b686d0b5c0c1

SHA512
fd3cbc45fb851186e8f3f4beb14f3cda59a61eb82b68d42081f9bcbb51d0d91ad09e7b7ec8f23bd9316bf2097c1d65a9900d024ee11950d33a873a290906281b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4zqlwpvg.quw.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gudwq1gm\gudwq1gm.dll
Filesize
3KB

MD5
85af97cdd2bf2c15747c11e252170066

SHA1
00974ac99db7a380ff3c665e321c3475b0499b7a

SHA256
f0bda6ce6fa429201731b7ce8e6be6a5221ff9c9e28db00d1ceaf563da6d5bb1

SHA512
e8e99af7cecf1c5b6f3823fef016f865902301aadd017da3e7dc99b92c950b0fc46679675f456676530c44a0d76d985e22da35ccc9dcc5e86ef2a0818c2ae5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tz03fmwq\tz03fmwq.dll
Filesize
3KB

MD5
8c6a8bed5805ef3efdc4cd8e83feea87

SHA1
71fde2ef0276eb2b4579fe467087b1ffdcbc717e

SHA256
0bd925ceeb96b79f39c4882898c5ce4eb8bf6b2938113d1687cef84bcb05bef1

SHA512
a2b41b64ec07767d4e8f6b769f95535807278c38b14aed4f46b67df0a535c8e0f459150db82f54e236700739e8b0585639b451fb5313b824186515f9fd73d28d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gudwq1gm\CSC86A9A881B9CC48C7853F72DE4C47A2C2.TMP
Filesize
652B

MD5
191adb6c19e05c36814c452bdb3ff1d4

SHA1
b7e91aa8bebc85e4f60208a8aa90e4b123905bad

SHA256
a4c6690361fae24f4ba2db53de0c97f7733917286b3afcfee8ad08c6b91b1e08

SHA512
98b7523ac2ed1f2beb678beb377b7ca5e0113848f426bc51f9851be3474b58d7151d519ec2fd5524a61349bf82c31f60255880e5cf959f89705e67a9289b7869

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gudwq1gm\gudwq1gm.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gudwq1gm\gudwq1gm.cmdline
Filesize
369B

MD5
0a28e801fef7e1b0583a50485f4c2dfb

SHA1
61f2644d04df142a78a9da9986879ec44b6c7384

SHA256
818162a89ae71dc93ac32adf73a79b2fc3dfc0e74f7fab0e6a9e479702529b74

SHA512
82925a61f7151a3fcf1461ba5215f29f2d044022204267f92a6f24e2e97ecc0a70ac65dd811b273a07cbb5a4730c3c2e2d80eb1d74c1fd6f0b2137222e6a23a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tz03fmwq\CSCFD03D10971F94170B364D0D459478367.TMP
Filesize
652B

MD5
f8b1ccb88b0c277dbf3ef46b70ff9684

SHA1
8c40f1ecdfce0211a355a4eb25f7e792ae161df1

SHA256
9a42cc03b853c00e0bd8e5851c953aa2b444b126a147611fe663f10684ae12db

SHA512
13fe68da8b8a16dc97bef605ee3a96c411ba4abbb9226f9d32dec9d3625b8c220f34e3bdba4fc780808abd13a08cf8aa65a34f6b862f864d0e64f5910590db69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tz03fmwq\tz03fmwq.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tz03fmwq\tz03fmwq.cmdline
Filesize
369B

MD5
9fa5ed5b80c90040a63c53b3b6fc332e

SHA1
2054da5046b4ecea69c825ae44ca224ae9a29bf2

SHA256
93b0268b94b32b0772fb33ef669ca9fd6aa9dbbbfc7f624176f6de41cce5a283

SHA512
8b0944ef1ae1ad8d9533f9943732fd405d7a0a9ee0e1769bd46b286522441a184b69eeff17a716e16f7a739b9a325a1f018459c02ad4b1d6966ddcd6ffacffb1

Download Submit
memory/1376-133-0x00000000034A0000-0x0000000003538000-memory.dmp

Filesize
608KB

Download
memory/1376-136-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1376-140-0x00000000034A0000-0x0000000003538000-memory.dmp

Filesize
608KB

Download
memory/2504-24-0x000002784D770000-0x000002784D7E6000-memory.dmp

Filesize
472KB

Download
memory/2504-89-0x00007FF885AB0000-0x00007FF88649C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-19-0x00007FF885AB0000-0x00007FF88649C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-21-0x000002784D4E0000-0x000002784D4F0000-memory.dmp

Filesize
64KB

Download
memory/2504-55-0x000002784D6F0000-0x000002784D6F8000-memory.dmp

Filesize
32KB

Download
memory/2504-20-0x000002784D4E0000-0x000002784D4F0000-memory.dmp

Filesize
64KB

Download
memory/2504-18-0x000002784D440000-0x000002784D462000-memory.dmp

Filesize
136KB

Download
memory/2504-73-0x000002784D720000-0x000002784D75D000-memory.dmp

Filesize
244KB

Download
memory/2504-90-0x000002784D720000-0x000002784D75D000-memory.dmp

Filesize
244KB

Download
memory/2504-69-0x000002784D710000-0x000002784D718000-memory.dmp

Filesize
32KB

Download
memory/2504-71-0x000002784D4E0000-0x000002784D4F0000-memory.dmp

Filesize
64KB

Download
memory/3220-75-0x0000000002A80000-0x0000000002B24000-memory.dmp

Filesize
656KB

Download
memory/3220-134-0x0000000002A80000-0x0000000002B24000-memory.dmp

Filesize
656KB

Download
memory/3220-76-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/3700-93-0x00000248A8370000-0x00000248A8371000-memory.dmp

Filesize
4KB

Download
memory/3700-92-0x00000248AA930000-0x00000248AA9D4000-memory.dmp

Filesize
656KB

Download
memory/3700-141-0x00000248AA930000-0x00000248AA9D4000-memory.dmp

Filesize
656KB

Download
memory/4104-142-0x00000236A7670000-0x00000236A7714000-memory.dmp

Filesize
656KB

Download
memory/4104-104-0x00000236A7670000-0x00000236A7714000-memory.dmp

Filesize
656KB

Download
memory/4104-105-0x00000236A73E0000-0x00000236A73E1000-memory.dmp

Filesize
4KB

Download
memory/4196-124-0x000001FFCEB10000-0x000001FFCEB11000-memory.dmp

Filesize
4KB

Download
memory/4196-143-0x000001FFCEDA0000-0x000001FFCEE44000-memory.dmp

Filesize
656KB

Download
memory/4196-122-0x000001FFCEDA0000-0x000001FFCEE44000-memory.dmp

Filesize
656KB

Download
memory/4408-120-0x00000167288F0000-0x0000016728994000-memory.dmp

Filesize
656KB

Download
memory/4408-114-0x00000167270F0000-0x00000167270F1000-memory.dmp

Filesize
4KB

Download
memory/4408-113-0x00000167288F0000-0x0000016728994000-memory.dmp

Filesize
656KB

Download
memory/4636-7-0x0000000002480000-0x0000000002580000-memory.dmp

Filesize
1024KB

Download
memory/4636-9-0x00000000022F0000-0x00000000022FB000-memory.dmp

Filesize
44KB

Download
memory/4636-4-0x0000000002310000-0x000000000231D000-memory.dmp

Filesize
52KB

Download
memory/4636-3-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/4636-2-0x00000000022F0000-0x00000000022FB000-memory.dmp

Filesize
44KB

Download
memory/4636-1-0x0000000002480000-0x0000000002580000-memory.dmp

Filesize
1024KB

Download
memory/4636-8-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download