gozi | 911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-10-2023 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
Size

274KB
MD5

d18f3fecf6d28ddd0f4cf4a9b53c0aec
SHA1

05263b9ec69fcf48cc71443ba23545fabe21df12
SHA256

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
SHA512

4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
SSDEEP

3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

272 cmd.exe

pid	process
272	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2844 set thread context of 1280	2844	powershell.exe	Explorer.EXE
PID 1280 set thread context of 272	1280	Explorer.EXE	cmd.exe
PID 272 set thread context of 1356	272	cmd.exe	PING.EXE
PID 1280 set thread context of 1136	1280	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1356 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1356 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1356	PING.EXE

pid	process
1356	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exepowershell.exeExplorer.EXE

pid	process
3064	911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
2844	powershell.exe
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2844 powershell.exe
1280 Explorer.EXE
272 cmd.exe
1280 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2844 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE

pid	process
1280	Explorer.EXE

pid	process
2844	powershell.exe
1280	Explorer.EXE
272	cmd.exe
1280	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2844	powershell.exe

pid	process
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3044 wrote to memory of 2844	3044	mshta.exe	powershell.exe
PID 3044 wrote to memory of 2844	3044	mshta.exe	powershell.exe
PID 3044 wrote to memory of 2844	3044	mshta.exe	powershell.exe
PID 2844 wrote to memory of 2476	2844	powershell.exe	csc.exe
PID 2844 wrote to memory of 2476	2844	powershell.exe	csc.exe
PID 2844 wrote to memory of 2476	2844	powershell.exe	csc.exe
PID 2476 wrote to memory of 2572	2476	csc.exe	cvtres.exe
PID 2476 wrote to memory of 2572	2476	csc.exe	cvtres.exe
PID 2476 wrote to memory of 2572	2476	csc.exe	cvtres.exe
PID 2844 wrote to memory of 1552	2844	powershell.exe	csc.exe
PID 2844 wrote to memory of 1552	2844	powershell.exe	csc.exe
PID 2844 wrote to memory of 1552	2844	powershell.exe	csc.exe
PID 1552 wrote to memory of 1960	1552	csc.exe	cvtres.exe
PID 1552 wrote to memory of 1960	1552	csc.exe	cvtres.exe
PID 1552 wrote to memory of 1960	1552	csc.exe	cvtres.exe
PID 2844 wrote to memory of 1280	2844	powershell.exe	Explorer.EXE
PID 2844 wrote to memory of 1280	2844	powershell.exe	Explorer.EXE
PID 2844 wrote to memory of 1280	2844	powershell.exe	Explorer.EXE
PID 1280 wrote to memory of 272	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 272	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 272	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 272	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 272	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 272	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1136	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1136	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1136	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1136	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1136	1280	Explorer.EXE	cmd.exe
PID 272 wrote to memory of 1356	272	cmd.exe	PING.EXE
PID 272 wrote to memory of 1356	272	cmd.exe	PING.EXE
PID 272 wrote to memory of 1356	272	cmd.exe	PING.EXE
PID 272 wrote to memory of 1356	272	cmd.exe	PING.EXE
PID 272 wrote to memory of 1356	272	cmd.exe	PING.EXE
PID 1280 wrote to memory of 1136	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 1136	1280	Explorer.EXE	cmd.exe
PID 272 wrote to memory of 1356	272	cmd.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
"C:\Users\Admin\AppData\Local\Temp\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>T4mp='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(T4mp).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C9426CAD-946D-E37B-E60D-08C77A91BCEB\\\UtilChar'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vodgrosjei -value gp; new-alias -name soingfocq -value iex; soingfocq ([System.Text.Encoding]::ASCII.GetString((vodgrosjei "HKCU:Software\AppDataLow\Software\Microsoft\C9426CAD-946D-E37B-E60D-08C77A91BCEB").SettingsTime))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mbpqm2ny.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F25.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F24.tmp"
5⤵
PID:2572

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ao6lfovu.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES200F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC200E.tmp"
5⤵
PID:1960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe"
2⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1356

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1F25.tmp

Filesize
1KB

MD5
4a32ac55da043569557552b540e46d5f

SHA1
d38cf29abbc052f9ba9d35c3aafb82061bf0c7b3

SHA256
02734346bfca876294ee8f4ec64b677dce074b8f869899c339566fa8b61292e1

SHA512
f056e46487c93e93ee72dfb7a53c7074bb0b33f64656678746e5238ecd1eeefa342d3198cd9c11be38b5817223753bc718276dc7c67ad07bc8f2160a5795bf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES200F.tmp

Filesize
1KB

MD5
5c6edeb6816ab6d88c3411383c932a68

SHA1
af87d1423fa405201c9e32baea9efea7bb2ed688

SHA256
3f737c312b58a20f0bbd51a4d26fcfcde3121d1d5958c99c820f3319ce4c408c

SHA512
cfa8c1f05606686db59b0eced2b98c3607a4dd69ec74ba3993f707fecb53070fc5088d2f70fa72867262df4afbfb271303500b3d34308d2f02ac4f794418e7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ao6lfovu.dll

Filesize
3KB

MD5
99545fa8c0a1808b4aed7fbdb9bbe6be

SHA1
26f546779d481688f33bc19e24dfe1d4c296ddf2

SHA256
0361bc3eeb4c37ea0aeb4156442bc23c0816b0c30e5bbee2f74cfd2d64ec854f

SHA512
002be6daadbe4d6169fecf2a3f4cad16a8893b3c583fea2bd43d3cc5e69342f8e4bc44149d80105fbafadc77bc85c7facf08bc66b1e400d84ab1324e7dade187

Download Submit
C:\Users\Admin\AppData\Local\Temp\ao6lfovu.pdb

Filesize
7KB

MD5
ffb1926c9dcf59a7f99e8265a0bfa1fa

SHA1
6711dbfbbe190b2f2dfd94286b35c87c7e5c88c4

SHA256
98ba63e21b3d72c4c73c9ab89c20e2190ec6d11163ae59b9de10f893015a8c68

SHA512
afe3d7d156e1c0a04a3eca54e990190632fb54215cd4418544de32025e044cf0209b3b66ac7d440b82910c32ec7185efc94801599c2106468e41be98a5c14d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbpqm2ny.dll

Filesize
3KB

MD5
f476360f561a358b2dd104c297ea9349

SHA1
754bf82d6ad520ae41c7cb92358aaae0f7dcd15d

SHA256
a73165af735e80c99de3f896527a4fb7c581cfdad8c1a15ae7552a408f244237

SHA512
cd8bbada175cb29b96bfbe748dd993d509753d49fcbc824f5a9d1c1fcc461d050c27711342bef7e2dce1851c43179fd6812245ade26078c190dc320eb10cedc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbpqm2ny.pdb

Filesize
7KB

MD5
637691a5585aa5dce4b103be0d956259

SHA1
8dc27fe148a54d64195ddf3014b26ed059c341e5

SHA256
f5417d2d60bea28dfe7d696e80fd3effe0160171c451b8b755ff571d730e5ed9

SHA512
8afcc661289132092d8824104c5f5b723afcf6637034f1a04237c9838629502baf23abbed96b7c6c982d3109611faf05accc4b958b583d7fa55f6b1b2a11e008

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1F24.tmp

Filesize
652B

MD5
532c402b27fe0d5df1423f569b657f99

SHA1
bcb124a4e55c019a94bcec23fdba54dceaa65367

SHA256
9fb71f88c089db777d605f3ac6aa4ea8de719b28205f7a9b96a32e9b24b466e2

SHA512
28a063866876ff6e6fc4ced89960475bb78b3b3124beac9ee08a090470aebcfc578f56240b13a57801f2ed09f92629ec43ef6f7670a3649da7e6cfe866a3b45c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC200E.tmp

Filesize
652B

MD5
8aca79e13fd0bea4ea9e066ec420b056

SHA1
fa80cb4e4474f3816db482939a98013b094c0f59

SHA256
378e44ef69754a3f121c38a95194b8ad896408c3591010f68077cbfc741df72a

SHA512
72504640172f19c16aec1d31a83ed36181e91f9d4783f28110557429c618f0a8bfb954bda73c4cfce5c6c7a325eab8be0e1d878f03b2ee2c0726bdd129a95906

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ao6lfovu.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ao6lfovu.cmdline

Filesize
309B

MD5
08c826eb29957ad17e94a3731c0c1f52

SHA1
1b293e4606c39643b0e3350c650cccb5af1c78de

SHA256
01835fe7b2a721c7373f5d7c86f291b1d30410ea7b7379b80f9c392b13fbab13

SHA512
e8502cdf6c82523731df44b44526b7e1d458762f2d59aa5c57f41faffe1d8adc7e1f6b856149d610c949f4b56124ea2de0e06b9724fbd890af91bc5be9bfb88d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbpqm2ny.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbpqm2ny.cmdline

Filesize
309B

MD5
9d126c897383ae33fc8a43da2cbb7804

SHA1
422424b01ea37e1667b317222cf76f2fa20adfef

SHA256
e5b72cc6cdd7c64dd9d500e1f330f805f92c1ce67dcc0f0923b4c19d4675ac42

SHA512
965f7924ec25f67d915974b6b601aa184d4b6d25d6ec664204dd7e076a182eda5108ccf642805c45c63c1629b4407bd8ce263c204cd161b03050eeda1b665b9c

Download Submit
memory/272-75-0x0000000000210000-0x00000000002B4000-memory.dmp

Filesize
656KB

Download
memory/272-79-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/272-81-0x0000000000210000-0x00000000002B4000-memory.dmp

Filesize
656KB

Download
memory/272-73-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/272-96-0x0000000000210000-0x00000000002B4000-memory.dmp

Filesize
656KB

Download
memory/1136-93-0x0000000000180000-0x0000000000218000-memory.dmp

Filesize
608KB

Download
memory/1136-83-0x0000000000180000-0x0000000000218000-memory.dmp

Filesize
608KB

Download
memory/1136-84-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1280-63-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1280-59-0x00000000069B0000-0x0000000006A54000-memory.dmp

Filesize
656KB

Download
memory/1280-94-0x00000000069B0000-0x0000000006A54000-memory.dmp

Filesize
656KB

Download
memory/1356-82-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1356-86-0x0000000001C90000-0x0000000001D34000-memory.dmp

Filesize
656KB

Download
memory/1356-95-0x0000000001C90000-0x0000000001D34000-memory.dmp

Filesize
656KB

Download
memory/1356-88-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2844-21-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2844-19-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-55-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2844-25-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2844-23-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/2844-58-0x00000000027A0000-0x00000000027DD000-memory.dmp

Filesize
244KB

Download
memory/2844-24-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2844-61-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-65-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2844-22-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2844-70-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-71-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-72-0x00000000027A0000-0x00000000027DD000-memory.dmp

Filesize
244KB

Download
memory/2844-39-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2844-20-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/3064-1-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/3064-14-0x0000000004250000-0x0000000004252000-memory.dmp

Filesize
8KB

Download
memory/3064-13-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3064-10-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/3064-9-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3064-87-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/3064-7-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3064-6-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/3064-5-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3064-4-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/3064-3-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3064-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download