laplas | 6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f

Analysis

max time kernel
244s
max time network
248s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
03-04-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
Size

5.9MB
MD5

aa57f0d7a099773175006624cc891b29
SHA1

44598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA256

6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512

e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
SSDEEP

98304:5fsK1JWzYls9x4CwqEZSK84oBfrNy+yvsHrj0XXrmca/mDU9vf2eESEGMeNR:hbJWzY4x4Tq7Kx4ybsHEnrmyg9vsSEps

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 5 IoCs

pid	Process
4448	svcservice.exe
3612	svcservice.exe
3616	svcservice.exe
4172	svcservice.exe
2572	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4080 set thread context of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4448 set thread context of 2572	4448	svcservice.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4988	powershell.exe
4988	powershell.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4988	powershell.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	4448	svcservice.exe
Token: SeDebugPrivilege	4452	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4988	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	66
PID 4080 wrote to memory of 4988	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	66
PID 4080 wrote to memory of 4988	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	66
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4080 wrote to memory of 4460	4080	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	68
PID 4460 wrote to memory of 4448	4460	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	69
PID 4460 wrote to memory of 4448	4460	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	69
PID 4460 wrote to memory of 4448	4460	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	69
PID 4448 wrote to memory of 4452	4448	svcservice.exe	70
PID 4448 wrote to memory of 4452	4448	svcservice.exe	70
PID 4448 wrote to memory of 4452	4448	svcservice.exe	70
PID 4448 wrote to memory of 3612	4448	svcservice.exe	72
PID 4448 wrote to memory of 3612	4448	svcservice.exe	72
PID 4448 wrote to memory of 3612	4448	svcservice.exe	72
PID 4448 wrote to memory of 3616	4448	svcservice.exe	73
PID 4448 wrote to memory of 3616	4448	svcservice.exe	73
PID 4448 wrote to memory of 3616	4448	svcservice.exe	73
PID 4448 wrote to memory of 4172	4448	svcservice.exe	75
PID 4448 wrote to memory of 4172	4448	svcservice.exe	75
PID 4448 wrote to memory of 4172	4448	svcservice.exe	75
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74
PID 4448 wrote to memory of 2572	4448	svcservice.exe	74

C:\Users\Admin\AppData\Local\Temp\6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
"C:\Users\Admin\AppData\Local\Temp\6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
  C:\Users\Admin\AppData\Local\Temp\6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      4⤵
      Executes dropped EXE
      PID:3612
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      4⤵
      Executes dropped EXE
      PID:3616
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      4⤵
      Executes dropped EXE
      PID:2572
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      4⤵
      Executes dropped EXE
      PID:4172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
78e2e4085d897107e6c5872478e1dcae

SHA1
383339defc5671d4934c9aa462da3bea7a33bcba

SHA256
7d80adf84821393bb082bffc7ccf8ae6e4a0f3942af95d586d13bf12a5d2fe4a

SHA512
38105677e19ecfe14354939e5a06a611ae9842757057428889856d1acbd3f7480cdc4893584ae845e6d954175fb0d34b4cfa775d80ea145d935c3b0b00968b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dmbvcghq.2qf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
765.9MB

MD5
167a897e8af0a3c402a7a0388d6117fb

SHA1
c41b754e00cdcd036d1aabd51d3001140229ead1

SHA256
6a596a9ee9a32732fe3a19e731e3ea8baa15b594519d0ad2abeec37d42668c9a

SHA512
51e8a36639c0714a5234278a1b55a837911f3596baaf67221855c76aaf4a3621809d30c79b750bfd15723ef9d58b830f2fc39c87fa5315d72ef89d02eef9ba9c

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
765.9MB

MD5
167a897e8af0a3c402a7a0388d6117fb

SHA1
c41b754e00cdcd036d1aabd51d3001140229ead1

SHA256
6a596a9ee9a32732fe3a19e731e3ea8baa15b594519d0ad2abeec37d42668c9a

SHA512
51e8a36639c0714a5234278a1b55a837911f3596baaf67221855c76aaf4a3621809d30c79b750bfd15723ef9d58b830f2fc39c87fa5315d72ef89d02eef9ba9c

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
765.9MB

MD5
167a897e8af0a3c402a7a0388d6117fb

SHA1
c41b754e00cdcd036d1aabd51d3001140229ead1

SHA256
6a596a9ee9a32732fe3a19e731e3ea8baa15b594519d0ad2abeec37d42668c9a

SHA512
51e8a36639c0714a5234278a1b55a837911f3596baaf67221855c76aaf4a3621809d30c79b750bfd15723ef9d58b830f2fc39c87fa5315d72ef89d02eef9ba9c

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
765.9MB

MD5
167a897e8af0a3c402a7a0388d6117fb

SHA1
c41b754e00cdcd036d1aabd51d3001140229ead1

SHA256
6a596a9ee9a32732fe3a19e731e3ea8baa15b594519d0ad2abeec37d42668c9a

SHA512
51e8a36639c0714a5234278a1b55a837911f3596baaf67221855c76aaf4a3621809d30c79b750bfd15723ef9d58b830f2fc39c87fa5315d72ef89d02eef9ba9c

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
765.9MB

MD5
167a897e8af0a3c402a7a0388d6117fb

SHA1
c41b754e00cdcd036d1aabd51d3001140229ead1

SHA256
6a596a9ee9a32732fe3a19e731e3ea8baa15b594519d0ad2abeec37d42668c9a

SHA512
51e8a36639c0714a5234278a1b55a837911f3596baaf67221855c76aaf4a3621809d30c79b750bfd15723ef9d58b830f2fc39c87fa5315d72ef89d02eef9ba9c

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
765.9MB

MD5
167a897e8af0a3c402a7a0388d6117fb

SHA1
c41b754e00cdcd036d1aabd51d3001140229ead1

SHA256
6a596a9ee9a32732fe3a19e731e3ea8baa15b594519d0ad2abeec37d42668c9a

SHA512
51e8a36639c0714a5234278a1b55a837911f3596baaf67221855c76aaf4a3621809d30c79b750bfd15723ef9d58b830f2fc39c87fa5315d72ef89d02eef9ba9c

Download Submit
memory/2572-209-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2572-206-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2572-205-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4080-125-0x0000000005CC0000-0x0000000005CE2000-memory.dmp

Filesize
136KB

Download
memory/4080-119-0x0000000000740000-0x0000000000988000-memory.dmp

Filesize
2.3MB

Download
memory/4080-126-0x0000000005CF0000-0x0000000006040000-memory.dmp

Filesize
3.3MB

Download
memory/4080-124-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/4080-123-0x0000000005B80000-0x0000000005BB6000-memory.dmp

Filesize
216KB

Download
memory/4080-122-0x0000000005950000-0x0000000005A84000-memory.dmp

Filesize
1.2MB

Download
memory/4080-154-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4080-121-0x0000000005740000-0x00000000058DE000-memory.dmp

Filesize
1.6MB

Download
memory/4080-120-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4448-195-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/4448-173-0x0000000006010000-0x0000000006360000-memory.dmp

Filesize
3.3MB

Download
memory/4448-172-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/4452-196-0x0000000006AF0000-0x0000000006B00000-memory.dmp

Filesize
64KB

Download
memory/4452-178-0x0000000006AF0000-0x0000000006B00000-memory.dmp

Filesize
64KB

Download
memory/4452-177-0x0000000006AF0000-0x0000000006B00000-memory.dmp

Filesize
64KB

Download
memory/4460-165-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4460-164-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4460-170-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4460-163-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4460-161-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4988-132-0x0000000004230000-0x0000000004240000-memory.dmp

Filesize
64KB

Download
memory/4988-156-0x0000000004230000-0x0000000004240000-memory.dmp

Filesize
64KB

Download
memory/4988-155-0x0000000004230000-0x0000000004240000-memory.dmp

Filesize
64KB

Download
memory/4988-153-0x0000000008C70000-0x0000000008C8A000-memory.dmp

Filesize
104KB

Download
memory/4988-152-0x0000000009560000-0x0000000009BD8000-memory.dmp

Filesize
6.5MB

Download
memory/4988-137-0x0000000007F70000-0x0000000007FE6000-memory.dmp

Filesize
472KB

Download
memory/4988-136-0x0000000007EA0000-0x0000000007EEB000-memory.dmp

Filesize
300KB

Download
memory/4988-135-0x00000000075E0000-0x00000000075FC000-memory.dmp

Filesize
112KB

Download
memory/4988-134-0x0000000007700000-0x0000000007766000-memory.dmp

Filesize
408KB

Download
memory/4988-133-0x00000000074B0000-0x0000000007516000-memory.dmp

Filesize
408KB

Download
memory/4988-131-0x0000000004230000-0x0000000004240000-memory.dmp

Filesize
64KB

Download
memory/4988-130-0x0000000006E10000-0x0000000007438000-memory.dmp

Filesize
6.2MB

Download
memory/4988-129-0x00000000046B0000-0x00000000046E6000-memory.dmp

Filesize
216KB

Download