qulab | 8351d952377c34ffbbf065f39567dbaf3907af610b5ef77831bcabf154795188

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7v20201028
submitted
11-01-2021 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

translator.exe
Size

3.5MB
MD5

a7cf97de0e85e78c2e9a78c8c1ffcc8d
SHA1

ec1eb927bfdb0d2696941ee1b4d9f310eabd18e2
SHA256

8351d952377c34ffbbf065f39567dbaf3907af610b5ef77831bcabf154795188
SHA512

c585bacd64ac61019652de6958750e5688d70f52e2635b0e426490a1b189d2d0c21ab4356b675b0589fbe3228c3d1491bc3733b79589a3244c5fa4c900955339

Score

10^/10

qulab discovery evasion spyware stealer upx

Malware Config

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab
Executes dropped EXE 1 IoCs

Processes:

puiapi.module.exe

pid process

568 puiapi.module.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
568	puiapi.module.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.module.exe	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.module.exe	upx
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.module.exe	upx

Loads dropped DLL 6 IoCs

Processes:

puiapi.exepuiapi.exe

pid process

1948 puiapi.exe
1948 puiapi.exe
1548 puiapi.exe
1548 puiapi.exe
1548 puiapi.exe
1548 puiapi.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipapi.co
6 ipapi.co

pid	process
1948	puiapi.exe
1948	puiapi.exe
1548	puiapi.exe
1548	puiapi.exe
1548	puiapi.exe
1548	puiapi.exe

flow	ioc
5	ipapi.co
6	ipapi.co

Drops file in System32 directory 3 IoCs

Processes:

puiapi.exepuiapi.exepuiapi.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	puiapi.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	puiapi.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	puiapi.exe

NTFS ADS 2 IoCs

Processes:

translator.exepuiapi.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	translator.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\winmgmts:\localhost\	puiapi.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

puiapi.exe

pid process

1548 puiapi.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

translator.exe

pid process

1616 translator.exe

pid	process
1548	puiapi.exe

pid	process
1616	translator.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

puiapi.module.exe

description	pid	process
Token: SeRestorePrivilege	568	puiapi.module.exe
Token: 35	568	puiapi.module.exe
Token: SeSecurityPrivilege	568	puiapi.module.exe
Token: SeSecurityPrivilege	568	puiapi.module.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

translator.exetaskeng.exepuiapi.exe

description	pid	process	target process
PID 1616 wrote to memory of 1948	1616	translator.exe	puiapi.exe
PID 1616 wrote to memory of 1948	1616	translator.exe	puiapi.exe
PID 1616 wrote to memory of 1948	1616	translator.exe	puiapi.exe
PID 1616 wrote to memory of 1948	1616	translator.exe	puiapi.exe
PID 1644 wrote to memory of 1548	1644	taskeng.exe	puiapi.exe
PID 1644 wrote to memory of 1548	1644	taskeng.exe	puiapi.exe
PID 1644 wrote to memory of 1548	1644	taskeng.exe	puiapi.exe
PID 1644 wrote to memory of 1548	1644	taskeng.exe	puiapi.exe
PID 1644 wrote to memory of 1752	1644	taskeng.exe	puiapi.exe
PID 1644 wrote to memory of 1752	1644	taskeng.exe	puiapi.exe
PID 1644 wrote to memory of 1752	1644	taskeng.exe	puiapi.exe
PID 1644 wrote to memory of 1752	1644	taskeng.exe	puiapi.exe
PID 1548 wrote to memory of 568	1548	puiapi.exe	puiapi.module.exe
PID 1548 wrote to memory of 568	1548	puiapi.exe	puiapi.module.exe
PID 1548 wrote to memory of 568	1548	puiapi.exe	puiapi.module.exe
PID 1548 wrote to memory of 568	1548	puiapi.exe	puiapi.module.exe
PID 1548 wrote to memory of 1776	1548	puiapi.exe	puiapi.exe
PID 1548 wrote to memory of 1776	1548	puiapi.exe	puiapi.exe
PID 1548 wrote to memory of 1776	1548	puiapi.exe	puiapi.exe
PID 1548 wrote to memory of 1776	1548	puiapi.exe	puiapi.exe
PID 1548 wrote to memory of 612	1548	puiapi.exe	attrib.exe
PID 1548 wrote to memory of 612	1548	puiapi.exe	attrib.exe
PID 1548 wrote to memory of 612	1548	puiapi.exe	attrib.exe
PID 1548 wrote to memory of 612	1548	puiapi.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

612 attrib.exe

pid	process
612	attrib.exe

C:\Users\Admin\AppData\Local\Temp\translator.exe
"C:\Users\Admin\AppData\Local\Temp\translator.exe"
1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.exe
  2⤵
  - Loads dropped DLL
  - NTFS ADS
  PID:1948

C:\Windows\system32\taskeng.exe
taskeng.exe {DD5E750E-E72A-4E18-B81A-A74D64585B15} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.module.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ENU_687FE97606A3954E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\*"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.exe
    3⤵
    - Drops file in System32 directory
    PID:1776
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic"
    3⤵
    - Views/modifies file attributes
    PID:612
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.exe
  2⤵
  - Drops file in System32 directory
  PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\Are.docx

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\ConvertFromConvert.doc

MD5
aa714a82c144899701bc3139956d8749

SHA1
b1622b1adc6ba669ed2ac3df1682f76904bcc1a1

SHA256
cab48e2dee14b45c68a6421eb6070417854e09770c7afa32faa61ff4c66326ce

SHA512
6dc9ff8ea158fdf20f4ca73c39177681c71e0282e6e86d859f8cf1c32053d2ff1bd0017fef0b02a8419436b5f22842e58676ed1a2ed44c0411d6a9444f50d62b

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\Files.docx

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\GrantRemove.docx

MD5
8c7ed59bbd41e6e38e3f245c6795aede

SHA1
15293c08b759f53807165d765903623bc91a252f

SHA256
98b11e55c672e8b4a491e4ac3aca8c9faba0a0ea04da0b281eba0ec910c68e63

SHA512
4ade1aa04eb93db910b26519c9a2da06af57efdba70d231a6665be168cf74f1fcdc03869f780769a9c20e958e4146ee49f2d9d62a25e9a7e9d4751640618bb73

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\ImportStop.pdf

MD5
bb04544d0c88f740312ac3daaf1cc8a2

SHA1
679a69e33f3d6619127c6f870c7e10e51bb9b449

SHA256
42c33b307c044dfa17e46ac016523ec4764e7d9901ff865589b810dfa5a57387

SHA512
d0d4569d15f847da76bbc60ad791bb1bbb4fda5c3a50c83bb64558fa62e5be8c6f4ba7954e492563c5e342068d1fe9c218d6fa3d21978f373eae809d893bc32e

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\JoinClose.doc

MD5
75ecc6802096e922d10c848bd90e7159

SHA1
19d3e70d02a794d2eb4fcfef014c0193aa508b72

SHA256
da39065644a6c37baab954edf6dcca91b75dae4db1a19c2ae1ccd6225b74d65a

SHA512
3f168971ee6a1dc9fc03088a3d41ba2c66714e2c2a3e244cd4b14521bf09179f79d79dcf96a0160a58ce5e2a8d9a72b73ed6b3a817f72181fad0751871b09d04

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\Opened.docx

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\Recently.docx

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\SuspendWatch.xlsx

MD5
67a440b2e26be4d5eb7575d1ed418ca3

SHA1
52e3d6585b0247e868af1f50344ed1d303271686

SHA256
0e758a19aca6a5798075f8b27909853c170ffbce51a14519c4b7c65149365cca

SHA512
7f70e65cdb8a0458a87d0510f3f7dc1c75fc9198370af4fa71e7966d40537dfcf217f5333597523046fbefde5a3ef5e23923814556ac14db63ba2e166777216d

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\These.docx

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Desktop TXT Files\ts\WaitFormat.txt

MD5
6039b1421e3440e427b417fb8a6365a3

SHA1
b3f8d4f9bae332a03e1052bf99bf97a404d25a82

SHA256
507a1ca01a89cf86ee71830fb39a5cc7f86463869146f163190d85b769977978

SHA512
acb7c9063cc60d368b67ff23a34b261c8345e47c589bdab6324bef97505c05c06eca14427c2963a2e8b5494caf37364df91fd07a254a33ada25b653445d021b9

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Information.txt

MD5
91b91a4222fb445f1a0b46aecabe9e12

SHA1
6ca03cfdd7b1f48dbf0661c0f00dfd48e67f2f34

SHA256
1824e3fe5d2ac20919549ba5b1c5e1fdfb05df344ea79e902df795bc8e6e0bc8

SHA512
285caaded5c793c6d4ae56adf615bd796cfc49c5dd302114a7367ebec3240aa8c045685018e462aea7b6f07694eb1f10584d88678737a4e2b311a1f7ae6e835d

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\ABC\Screen.jpg

MD5
7fa3d86f6577b5737a511adb6d51441e

SHA1
32f15aae9b02fbf625ba91043b8e70659895c019

SHA256
56abd400235472ab332f6283c3c11d71780df964bdba28fcd9c48d0f2a190f4e

SHA512
299c72251a9b60f67b68ffe6746ad52f2b51e4a10fadedb14be6e5d7badb35ddc36de273fbb51eca7fd90d8664f28b7340789a327c088233b746c0dbfa81944d

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\E

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.module.exe

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.module.exe

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.module.exe

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-videodiagnostic\puiapi.sqlite3.module.dll

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
memory/568-15-0x0000000000000000-mapping.dmp

Download
memory/612-31-0x0000000000000000-mapping.dmp

Download
memory/1548-10-0x0000000065080000-0x0000000065237000-memory.dmp

Filesize
1.7MB

Download
memory/1548-6-0x0000000000000000-mapping.dmp

Download
memory/1676-12-0x000007FEF7540000-0x000007FEF77BA000-memory.dmp

Filesize
2.5MB

Download
memory/1752-11-0x0000000000000000-mapping.dmp

Download
memory/1776-30-0x0000000000000000-mapping.dmp

Download
memory/1948-5-0x0000000065080000-0x0000000065237000-memory.dmp

Filesize
1.7MB

Download
memory/1948-2-0x0000000000000000-mapping.dmp

Download