gozi | 3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

Analysis

max time kernel
182s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

406KB
MD5

2f5a00394c3568e91f6302dc6c8b196c
SHA1

116f6ba99db4592f1ab5ccb1a734fdc5a52021bc
SHA256

3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd
SHA512

a30efa790e3ad7af4e574ef0bf359b6a91691947cf434ddcd30a228af29dea0a9b5c1daff050ecae6e88912e8f04813f1df9680e6fc896cee63e36476e4bbe36
SSDEEP

12288:l1HmKzwKhZhZsuyOtldw5hbu5Ty7pySxN1t:bHGKhZzLQ5Wn6H

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/4576-1-0x0000000001340000-0x000000000134C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

Client.execontrol.exerundll32.exeExplorer.EXE

description	pid	process	target process
PID 4576 set thread context of 3976	4576	Client.exe	control.exe
PID 3976 set thread context of 3136	3976	control.exe	Explorer.EXE
PID 3976 set thread context of 2392	3976	control.exe	rundll32.exe
PID 2392 set thread context of 3136	2392	rundll32.exe	Explorer.EXE
PID 3136 set thread context of 3740	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 4004	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 2116	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 set thread context of 1016	3136	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exepowershell.exeExplorer.EXE

pid	process
4576	Client.exe
4576	Client.exe
4112	powershell.exe
4112	powershell.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

Client.execontrol.exerundll32.exeExplorer.EXE

pid process

4576 Client.exe
3976 control.exe
3976 control.exe
2392 rundll32.exe
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE
3136 Explorer.EXE

pid	process
3136	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3740	RuntimeBroker.exe
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE
3136 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE

pid	process
3136	Explorer.EXE
3136	Explorer.EXE

pid	process
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

Client.exemshta.execontrol.exerundll32.exeExplorer.EXEpowershell.execsc.execsc.exe

description	pid	process	target process
PID 4576 wrote to memory of 3976	4576	Client.exe	control.exe
PID 4576 wrote to memory of 3976	4576	Client.exe	control.exe
PID 4576 wrote to memory of 3976	4576	Client.exe	control.exe
PID 4576 wrote to memory of 3976	4576	Client.exe	control.exe
PID 4576 wrote to memory of 3976	4576	Client.exe	control.exe
PID 4776 wrote to memory of 4112	4776	mshta.exe	powershell.exe
PID 4776 wrote to memory of 4112	4776	mshta.exe	powershell.exe
PID 3976 wrote to memory of 3136	3976	control.exe	Explorer.EXE
PID 3976 wrote to memory of 3136	3976	control.exe	Explorer.EXE
PID 3976 wrote to memory of 3136	3976	control.exe	Explorer.EXE
PID 3976 wrote to memory of 3136	3976	control.exe	Explorer.EXE
PID 3976 wrote to memory of 2392	3976	control.exe	rundll32.exe
PID 3976 wrote to memory of 2392	3976	control.exe	rundll32.exe
PID 3976 wrote to memory of 2392	3976	control.exe	rundll32.exe
PID 3976 wrote to memory of 2392	3976	control.exe	rundll32.exe
PID 3976 wrote to memory of 2392	3976	control.exe	rundll32.exe
PID 2392 wrote to memory of 3136	2392	rundll32.exe	Explorer.EXE
PID 2392 wrote to memory of 3136	2392	rundll32.exe	Explorer.EXE
PID 2392 wrote to memory of 3136	2392	rundll32.exe	Explorer.EXE
PID 2392 wrote to memory of 3136	2392	rundll32.exe	Explorer.EXE
PID 3136 wrote to memory of 3740	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3740	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3740	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 3740	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4004	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4004	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4004	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 4004	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 2116	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 2116	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 2116	3136	Explorer.EXE	RuntimeBroker.exe
PID 3136 wrote to memory of 2116	3136	Explorer.EXE	RuntimeBroker.exe
PID 4112 wrote to memory of 456	4112	powershell.exe	csc.exe
PID 4112 wrote to memory of 456	4112	powershell.exe	csc.exe
PID 3136 wrote to memory of 1016	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 1016	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 1016	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 1016	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 1016	3136	Explorer.EXE	cmd.exe
PID 3136 wrote to memory of 1016	3136	Explorer.EXE	cmd.exe
PID 456 wrote to memory of 4616	456	csc.exe	cvtres.exe
PID 456 wrote to memory of 4616	456	csc.exe	cvtres.exe
PID 4112 wrote to memory of 500	4112	powershell.exe	csc.exe
PID 4112 wrote to memory of 500	4112	powershell.exe	csc.exe
PID 500 wrote to memory of 4720	500	csc.exe	cvtres.exe
PID 500 wrote to memory of 4720	500	csc.exe	cvtres.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2116

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe -h
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>C6an='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(C6an).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name spbjcmn -value gp; new-alias -name ugokyvk -value iex; ugokyvk ([System.Text.Encoding]::ASCII.GetString((spbjcmn "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcwewm4x\wcwewm4x.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1469.tmp" "c:\Users\Admin\AppData\Local\Temp\wcwewm4x\CSCCFB8D7E354FB44EE86AA3CE618854048.TMP"
5⤵
PID:4616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4v1l0yo4\4v1l0yo4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16F9.tmp" "c:\Users\Admin\AppData\Local\Temp\4v1l0yo4\CSCD7776EEEDCD044C2AF49A07BCED3C0CC.TMP"
5⤵
PID:4720

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4v1l0yo4\4v1l0yo4.dll
Filesize
3KB

MD5
0718594d9107b9c12bbd13ea59b79952

SHA1
e8cb4573e136b39215b3197fbc14563eb17daf2b

SHA256
5b1ae8af3fada39f1047dc0d65f72289dcea53b0ce801dabf99eb545ac650e8e

SHA512
c4c552340bdfd38989691d6d3cf995a6435b0239618331b2e5a1e4650608025fe6268085a79d7cb854e80f767be54f3214f146103270470e46aeddbe1db7a33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1469.tmp
Filesize
1KB

MD5
02dbecb898ea9d4645ab822fcf4098fb

SHA1
4c2390955755357f858fe860ba20998b7d8fc925

SHA256
8a74a0e77c590b23788a8c88ea51e87065ad191fc8f5eeb8b3db753e1e539b32

SHA512
c798556d9b8cbde668e88e74c3e20d0a6dc8b3f6c0d2adf4c1b0380d5642582f40baca49502a89499d9e4011515eb79c7ee68dafd0e202edab3462cabf51f16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES16F9.tmp
Filesize
1KB

MD5
81eeaf40f52d7db55ae4799f3c3dbb69

SHA1
f85793c45373b43c420dd3a0efbebac7c5b4f849

SHA256
c36ca23038f4412d0ea1eda1fd89a4f143d616f9e3a292eaf3a2fde6d8efa278

SHA512
f82d5a800871d39d384dbca4d7f25e60ee1cc6ae8ccda38171b2b9382a75f33e5c7ab30ce130586cf3c4e39d555922b1e4fcd252c39e9af05ecaed5d3a2d10a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4txaqru4.5uj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcwewm4x\wcwewm4x.dll
Filesize
3KB

MD5
1e47dd279f0e9dd61b94a636116a2855

SHA1
ba795923bd08a8f4999e42f48a35b80e878d0236

SHA256
16ee241ae2b774be338618b30819de9e2ca38b14db5db975e922504a7151ec8d

SHA512
cba903534812f0796f31349426f34da66cb6e6a544337bd7b1a2a651810433b852d4f2081406c3e3cca666939e3d2bdd0145d2513df0fa66cdbcae460e6fa69d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4v1l0yo4\4v1l0yo4.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4v1l0yo4\4v1l0yo4.cmdline
Filesize
369B

MD5
bf9e72f9a0e342e183e8eda9f15220bf

SHA1
d4da7dc73be51646e6547e51b7cd465f0be54ac4

SHA256
f0349687c26a57fb315d248efb4b6962d686dd6fa2684caf83221dd740c5a637

SHA512
639f36bdcd46987ee9e499d228acf05173c78cf816806753666ebf184780866d6f4a3135b30b8a8e80f4dcf05562ad8ea9e48646536dede26b728b0722f8e748

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4v1l0yo4\CSCD7776EEEDCD044C2AF49A07BCED3C0CC.TMP
Filesize
652B

MD5
3d6be2008a1fe74da5792aa9a23caa1c

SHA1
865c3daea6cd977a6350e086afd12c2dff2cabbb

SHA256
e56e05df7fabd15168bc95eb42d942927d54bad4d400faecdb7861737efd4b1e

SHA512
58ec6d36a8c8cc5a908673cd49b7b4157635f4ef243b7c800f9d7c4d699c6d0e6770d2677109c3e6a8240af1a8cf5dc74e6e5eb9d73dd0663066f9abaf444604

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcwewm4x\CSCCFB8D7E354FB44EE86AA3CE618854048.TMP
Filesize
652B

MD5
1d7c52ac7f782ace0db09c75dae8bcc0

SHA1
b1252d1d47595b4f33f35aa0f3574261ac023bcc

SHA256
e42e977e36134a8d739fc61e07b245453797a75d469ff362610b59f579bf744a

SHA512
9d10474e511749ff8a02e8147c1520106894ca39b6ddb035d8e1d926811b7995081b3077bef01381fabb456e6128c90b28808c6b573b82b3767b19ceedcb9768

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcwewm4x\wcwewm4x.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcwewm4x\wcwewm4x.cmdline
Filesize
369B

MD5
33e455a134ce0cfd1303c8c911e445a0

SHA1
7fcda010d50a12a9ea45e0d023141817adff991e

SHA256
f1302d7448455351710b4c60ab503e09b53f523faf15bfa5e9f6fe13789acc0e

SHA512
86b3ffb173838c92fb26da35343b00249fc0ee86c3422528d51589ffab182441737be3d165155b015af61e23f78f744fdc5fa3acd7707921169ea18adfb972f7

Download Submit
memory/1016-96-0x0000000000F20000-0x0000000000FB8000-memory.dmp

Filesize
608KB

Download
memory/1016-89-0x0000000000F20000-0x0000000000FB8000-memory.dmp

Filesize
608KB

Download
memory/1016-90-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2116-84-0x0000014DC4C20000-0x0000014DC4CC4000-memory.dmp

Filesize
656KB

Download
memory/2116-82-0x0000014DC43D0000-0x0000014DC43D1000-memory.dmp

Filesize
4KB

Download
memory/2116-68-0x0000014DC4C20000-0x0000014DC4CC4000-memory.dmp

Filesize
656KB

Download
memory/2392-55-0x000002068A9C0000-0x000002068AA64000-memory.dmp

Filesize
656KB

Download
memory/2392-37-0x000002068A9C0000-0x000002068AA64000-memory.dmp

Filesize
656KB

Download
memory/3136-83-0x00000000089B0000-0x0000000008A54000-memory.dmp

Filesize
656KB

Download
memory/3136-121-0x00000000089B0000-0x0000000008A54000-memory.dmp

Filesize
656KB

Download
memory/3136-32-0x0000000008900000-0x00000000089A4000-memory.dmp

Filesize
656KB

Download
memory/3136-79-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3136-80-0x0000000008900000-0x00000000089A4000-memory.dmp

Filesize
656KB

Download
memory/3136-46-0x00000000089B0000-0x0000000008A54000-memory.dmp

Filesize
656KB

Download
memory/3740-58-0x000001BCB9730000-0x000001BCB97D4000-memory.dmp

Filesize
656KB

Download
memory/3740-87-0x000001BCB9730000-0x000001BCB97D4000-memory.dmp

Filesize
656KB

Download
memory/3740-86-0x000001BCB95B0000-0x000001BCB95B1000-memory.dmp

Filesize
4KB

Download
memory/3976-17-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3976-16-0x0000000000570000-0x0000000000614000-memory.dmp

Filesize
656KB

Download
memory/3976-56-0x0000000000570000-0x0000000000614000-memory.dmp

Filesize
656KB

Download
memory/4004-81-0x00000257E6830000-0x00000257E68D4000-memory.dmp

Filesize
656KB

Download
memory/4004-85-0x00000257E67F0000-0x00000257E67F1000-memory.dmp

Filesize
4KB

Download
memory/4004-63-0x00000257E6830000-0x00000257E68D4000-memory.dmp

Filesize
656KB

Download
memory/4112-101-0x000002C6F4900000-0x000002C6F4908000-memory.dmp

Filesize
32KB

Download
memory/4112-78-0x000002C6DC280000-0x000002C6DC290000-memory.dmp

Filesize
64KB

Download
memory/4112-30-0x000002C6F4930000-0x000002C6F4952000-memory.dmp

Filesize
136KB

Download
memory/4112-88-0x000002C6DC280000-0x000002C6DC290000-memory.dmp

Filesize
64KB

Download
memory/4112-76-0x00007FF86E150000-0x00007FF86EC11000-memory.dmp

Filesize
10.8MB

Download
memory/4112-115-0x000002C6F4920000-0x000002C6F4928000-memory.dmp

Filesize
32KB

Download
memory/4112-117-0x000002C6F4CA0000-0x000002C6F4CDD000-memory.dmp

Filesize
244KB

Download
memory/4112-119-0x00007FF86E150000-0x00007FF86EC11000-memory.dmp

Filesize
10.8MB

Download
memory/4112-77-0x000002C6DC280000-0x000002C6DC290000-memory.dmp

Filesize
64KB

Download
memory/4576-1-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/4576-11-0x0000000001510000-0x000000000151D000-memory.dmp

Filesize
52KB

Download
memory/4576-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4576-0-0x0000000001350000-0x000000000135F000-memory.dmp

Filesize
60KB

Download