laplas | 5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe
Size

308KB
MD5

1083b85531ffb02d7d2b851ea64d869c
SHA1

c414ff31e27e4bbe384bc370bd593403d55fdc51
SHA256

5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b
SHA512

aa579ca0c21757fabe347ccb6e96ef6371deb6b083484e85dd3f24cddf79bdbfe560422379ef65015a660a0e8775f92216b010767849dc1e4fda64c10c9055a9
SSDEEP

6144:O28oqhvbwcp0xkM9C31zkGrtdEBntV9JST/0PhpQGO008b:sZhvR48lzJpdEdtVHSDQh6gb

Score

10^/10

laplas vidar e749025c61b2caca10aa829a9e1a65a1 clipper discovery persistence spyware stealer upx

Malware Config

Extracted

Family

vidar

Version

3.4

Botnet

e749025c61b2caca10aa829a9e1a65a1

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

.NET Reactor proctector 29 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0006000000022fd3-230.dat	net_reactor
behavioral1/files/0x0006000000022fd3-236.dat	net_reactor
behavioral1/files/0x0006000000022fd3-237.dat	net_reactor
behavioral1/memory/4280-255-0x0000000000990000-0x000000000100A000-memory.dmp	net_reactor
behavioral1/memory/4280-261-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-262-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-264-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-266-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-268-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-270-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-272-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-274-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-276-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-278-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-280-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-282-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-284-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-286-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-288-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-290-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-292-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-294-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-296-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-298-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/memory/4280-300-0x0000000005AA0000-0x0000000005B28000-memory.dmp	net_reactor
behavioral1/files/0x0006000000022fd3-1729.dat	net_reactor
behavioral1/files/0x0008000000022fe9-1744.dat	net_reactor
behavioral1/files/0x0008000000022fe9-1745.dat	net_reactor
behavioral1/files/0x0008000000022fe9-3214.dat	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	37022891711608558661.exe

Executes dropped EXE 5 IoCs

pid	Process
4280	37022891711608558661.exe
2140	20238767311131851730.exe
4928	37022891711608558661.exe
2980	svcservice.exe
4604	svcservice.exe

Loads dropped DLL 2 IoCs

pid	Process
1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe
1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000022fe2-249.dat	upx
behavioral1/files/0x0006000000022fe2-251.dat	upx
behavioral1/files/0x0006000000022fe2-252.dat	upx
behavioral1/memory/2140-253-0x0000000000810000-0x0000000001673000-memory.dmp	upx
behavioral1/memory/2140-254-0x0000000000810000-0x0000000001673000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	37022891711608558661.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4280 set thread context of 4928	4280	37022891711608558661.exe	101
PID 2980 set thread context of 4604	2980	svcservice.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3716	1488	WerFault.exe	82

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
464	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe
1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	37022891711608558661.exe
Token: SeDebugPrivilege	2980	svcservice.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4280	1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe	89
PID 1488 wrote to memory of 4280	1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe	89
PID 1488 wrote to memory of 4280	1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe	89
PID 1488 wrote to memory of 2140	1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe	92
PID 1488 wrote to memory of 2140	1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe	92
PID 2140 wrote to memory of 4568	2140	20238767311131851730.exe	93
PID 2140 wrote to memory of 4568	2140	20238767311131851730.exe	93
PID 4568 wrote to memory of 2236	4568	cmd.exe	95
PID 4568 wrote to memory of 2236	4568	cmd.exe	95
PID 1488 wrote to memory of 1200	1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe	96
PID 1488 wrote to memory of 1200	1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe	96
PID 1488 wrote to memory of 1200	1488	5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe	96
PID 1200 wrote to memory of 464	1200	cmd.exe	98
PID 1200 wrote to memory of 464	1200	cmd.exe	98
PID 1200 wrote to memory of 464	1200	cmd.exe	98
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4280 wrote to memory of 4928	4280	37022891711608558661.exe	101
PID 4928 wrote to memory of 2980	4928	37022891711608558661.exe	102
PID 4928 wrote to memory of 2980	4928	37022891711608558661.exe	102
PID 4928 wrote to memory of 2980	4928	37022891711608558661.exe	102
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103
PID 2980 wrote to memory of 4604	2980	svcservice.exe	103

C:\Users\Admin\AppData\Local\Temp\5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe
"C:\Users\Admin\AppData\Local\Temp\5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488
- C:\ProgramData\37022891711608558661.exe
  "C:\ProgramData\37022891711608558661.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\ProgramData\37022891711608558661.exe
    "C:\ProgramData\37022891711608558661.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
        
        "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
        5⤵
        Executes dropped EXE
        
        PID:4604
- C:\ProgramData\20238767311131851730.exe
  "C:\ProgramData\20238767311131851730.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\20238767311131851730.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5cab66a2c2c7d12b98adc4330a095eef4f4204968d82e7a2c6efc70df79ac45b.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 2104
  2⤵
  - Program crash
  PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1488 -ip 1488
1⤵
PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\20238767311131851730.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\20238767311131851730.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\20238767311131851730.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\37022891711608558661.exe

Filesize
6.5MB

MD5
16df503a8f0da68ea293647521a0f3b2

SHA1
ff6a8f795d86f891ce030eb7c11ef11e4e6fd363

SHA256
20f64a2a0264eeaffd4a844cc4cae2e1ac8beb4c2c1cdbbe4c7d440ee6ca2789

SHA512
3821b0c34967cca04201946f041e1131a480c77966ce4342e02cc08fd73c53f53aa4d5ce99b7f4b08df5579b2af4896cfb56598d545250aff8957d63dac9032f

Download Submit
C:\ProgramData\37022891711608558661.exe

Filesize
6.5MB

MD5
16df503a8f0da68ea293647521a0f3b2

SHA1
ff6a8f795d86f891ce030eb7c11ef11e4e6fd363

SHA256
20f64a2a0264eeaffd4a844cc4cae2e1ac8beb4c2c1cdbbe4c7d440ee6ca2789

SHA512
3821b0c34967cca04201946f041e1131a480c77966ce4342e02cc08fd73c53f53aa4d5ce99b7f4b08df5579b2af4896cfb56598d545250aff8957d63dac9032f

Download Submit
C:\ProgramData\37022891711608558661.exe

Filesize
6.5MB

MD5
16df503a8f0da68ea293647521a0f3b2

SHA1
ff6a8f795d86f891ce030eb7c11ef11e4e6fd363

SHA256
20f64a2a0264eeaffd4a844cc4cae2e1ac8beb4c2c1cdbbe4c7d440ee6ca2789

SHA512
3821b0c34967cca04201946f041e1131a480c77966ce4342e02cc08fd73c53f53aa4d5ce99b7f4b08df5579b2af4896cfb56598d545250aff8957d63dac9032f

Download Submit
C:\ProgramData\37022891711608558661.exe

Filesize
6.5MB

MD5
16df503a8f0da68ea293647521a0f3b2

SHA1
ff6a8f795d86f891ce030eb7c11ef11e4e6fd363

SHA256
20f64a2a0264eeaffd4a844cc4cae2e1ac8beb4c2c1cdbbe4c7d440ee6ca2789

SHA512
3821b0c34967cca04201946f041e1131a480c77966ce4342e02cc08fd73c53f53aa4d5ce99b7f4b08df5579b2af4896cfb56598d545250aff8957d63dac9032f

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
385.9MB

MD5
332e140e7e669329d8da810122638047

SHA1
d7a4d2bcc66103460a81cb63362def72d0f92709

SHA256
8ef165b3a6d3d7c3ac4d053e6ea4058ab875f03af52105bb832f9f0353289396

SHA512
4477f53c4b3464b85d973b6a99a11e01eac486065c276180ca34fc69948ee6ca3a36a6848744f3cf87aeb81e30a4e556b9113309a3c1fade415b21cb3241e4d0

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
383.6MB

MD5
920c204f458d2f762358027b76e1aaa9

SHA1
a1d6275597bc60d30090e07bdae4e8a11d17e3c9

SHA256
c9e621ba2c346d0e2ed96fc5bded3790251f0106464b7926633931163adb0639

SHA512
c66313bc108e66c0b0910667a5bdba683b956c7590715ca0c2314dc87873147f744f60ad577c79521f5e1994cdc46d72ad59e3ce3c0ac03e657d6910ed387478

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
130.6MB

MD5
50f6962c943bf0cbadf8e44c991ac242

SHA1
8c1252025fd346094395ddce24d0cc478e2f5eb4

SHA256
a8c697e128ff9048ccf3b9df0c7f3253142e0f411cde3ddc0e82dc5dc73a1b52

SHA512
21abab954860aa7469444c096e97c55373689a3e77002324c4efee6ef338feb6ec1ab46d5df489db1831702250ed60725561c53fe838e970ff55bc8b1bba0de8

Download Submit
memory/1488-145-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1488-256-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1488-224-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1488-137-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1488-134-0x00000000021F0000-0x0000000002247000-memory.dmp

Filesize
348KB

Download
memory/2140-254-0x0000000000810000-0x0000000001673000-memory.dmp

Filesize
14.4MB

Download
memory/2140-253-0x0000000000810000-0x0000000001673000-memory.dmp

Filesize
14.4MB

Download
memory/2980-1843-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/2980-1845-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/4280-274-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-294-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-268-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-270-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-272-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-264-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-276-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-278-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-280-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-282-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-284-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-286-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-288-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-290-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-292-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-266-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-296-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-298-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-300-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-1377-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/4280-1727-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/4280-262-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-255-0x0000000000990000-0x000000000100A000-memory.dmp

Filesize
6.5MB

Download
memory/4280-258-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/4280-261-0x0000000005AA0000-0x0000000005B28000-memory.dmp

Filesize
544KB

Download
memory/4280-260-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download
memory/4280-259-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/4604-3220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-1746-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-1734-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-1733-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download