laplas | 566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0

Analysis

max time kernel
75s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe
Size

370KB
MD5

33a11e1f87d7d41a25615d8c698e37c9
SHA1

a42ee5ced689651d1dc9e529d49c127fdc017bf5
SHA256

566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0
SHA512

16504f6afa575007e7c8bf5e09dab32542a2cda422ea9e640b1c3cdf410d5b7df2ea50fba40e4a0031b63043aa29d6e46085c99580468d6a090a97a85d7d4eb3
SSDEEP

6144:1q6RF03brX+MMl9JifAaWmzoNMXgdZL1bkFk4Ao7LeetAH2KCVxqOi:1q6L03HXbMdiffLzouXmV1IFT7ietMCg

Score

10^/10

laplas vidar 78489afd9d9a4747beb445e5fb5b9c96 clipper discovery evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

vidar

Version

3.6

Botnet

78489afd9d9a4747beb445e5fb5b9c96

https://steamcommunity.com/profiles/76561199499188534

https://t.me/nutalse

Attributes

profile_id_v2
78489afd9d9a4747beb445e5fb5b9c96
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

Extracted

Family

laplas

http://89.23.97.128

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	99525974699995182399.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	99525974699995182399.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	99525974699995182399.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe

Executes dropped EXE 2 IoCs

pid	Process
3780	99525974699995182399.exe
5092	88379435228428588782.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe
2028	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002317f-254.dat	upx
behavioral2/files/0x000600000002317f-257.dat	upx
behavioral2/files/0x000600000002317f-256.dat	upx
behavioral2/memory/5092-258-0x0000000000C50000-0x0000000001AB3000-memory.dmp	upx
behavioral2/memory/5092-259-0x0000000000C50000-0x0000000001AB3000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	99525974699995182399.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	99525974699995182399.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3780	99525974699995182399.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1804	2028	WerFault.exe	83

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2400	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	74	Go-http-client/1.1

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c0000000100000004000000000800000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe
2028	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3780	2028	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe	91
PID 2028 wrote to memory of 3780	2028	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe	91
PID 2028 wrote to memory of 5092	2028	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe	94
PID 2028 wrote to memory of 5092	2028	566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe	94

C:\Users\Admin\AppData\Local\Temp\566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe
"C:\Users\Admin\AppData\Local\Temp\566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\ProgramData\99525974699995182399.exe
  "C:\ProgramData\99525974699995182399.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3780
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    PID:1276
- C:\ProgramData\88379435228428588782.exe
  "C:\ProgramData\88379435228428588782.exe"
  2⤵
  - Executes dropped EXE
  PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\88379435228428588782.exe
    3⤵
    PID:3700
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:1820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\566d72a844a8845eeaaa9bb3a42af3a642097fed1f0ce5cca95f04ce2bc3acd0.exe" & exit
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 2328
  2⤵
  - Program crash
  PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2028 -ip 2028
1⤵
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\88379435228428588782.exe

Filesize
4.3MB

MD5
9abf6a8efa066a03eba449a11cafef79

SHA1
317d75f39958078a9706364e9c73ae3d356c90b4

SHA256
8d0f39e08426bf9e7ebc6d84307f0c725136ab9004093e445811881169b5db29

SHA512
bacdebecc2f3d4c5634d664e702edb90ecbae113ba0a09a162bdbc844d36393dcfa90dad2e56bbdc77c2bb90165c06d56a1bab2a0d370a34fa664b34c79b908a

Download Submit
C:\ProgramData\88379435228428588782.exe

Filesize
4.3MB

MD5
9abf6a8efa066a03eba449a11cafef79

SHA1
317d75f39958078a9706364e9c73ae3d356c90b4

SHA256
8d0f39e08426bf9e7ebc6d84307f0c725136ab9004093e445811881169b5db29

SHA512
bacdebecc2f3d4c5634d664e702edb90ecbae113ba0a09a162bdbc844d36393dcfa90dad2e56bbdc77c2bb90165c06d56a1bab2a0d370a34fa664b34c79b908a

Download Submit
C:\ProgramData\88379435228428588782.exe

Filesize
4.3MB

MD5
9abf6a8efa066a03eba449a11cafef79

SHA1
317d75f39958078a9706364e9c73ae3d356c90b4

SHA256
8d0f39e08426bf9e7ebc6d84307f0c725136ab9004093e445811881169b5db29

SHA512
bacdebecc2f3d4c5634d664e702edb90ecbae113ba0a09a162bdbc844d36393dcfa90dad2e56bbdc77c2bb90165c06d56a1bab2a0d370a34fa664b34c79b908a

Download Submit
C:\ProgramData\99525974699995182399.exe

Filesize
3.5MB

MD5
f5548281bcdcec5c1d151d3417412042

SHA1
be6d9b40b6ede0f3c5582b8f48bde7f44f2ed792

SHA256
3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac

SHA512
387d864aca4be8691c20b0ec4b11906491cdb7b0fc435f59699c0596a47ad086d711ed97c47a611b58adf1096203ab7a488e26c307d885e566f56db6dcecab4c

Download Submit
C:\ProgramData\99525974699995182399.exe

Filesize
3.5MB

MD5
f5548281bcdcec5c1d151d3417412042

SHA1
be6d9b40b6ede0f3c5582b8f48bde7f44f2ed792

SHA256
3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac

SHA512
387d864aca4be8691c20b0ec4b11906491cdb7b0fc435f59699c0596a47ad086d711ed97c47a611b58adf1096203ab7a488e26c307d885e566f56db6dcecab4c

Download Submit
C:\ProgramData\99525974699995182399.exe

Filesize
3.5MB

MD5
f5548281bcdcec5c1d151d3417412042

SHA1
be6d9b40b6ede0f3c5582b8f48bde7f44f2ed792

SHA256
3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac

SHA512
387d864aca4be8691c20b0ec4b11906491cdb7b0fc435f59699c0596a47ad086d711ed97c47a611b58adf1096203ab7a488e26c307d885e566f56db6dcecab4c

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
52.9MB

MD5
7fbb395a1a4b5fe8c12b1d481b15ca89

SHA1
99cda4e99e612b2d11e37ae040954a1fb814b278

SHA256
caa07269a8ff91593847862b8f25eb80acfdb0d0c38901ad9fd5c2edb91734aa

SHA512
5d1595258cbd2effa77a2a08f962b8616aff394291214e2b4b9f80560036794eb0d7201969b6341191f25cba9ffe346e7365b85e99cc942eab56f88de58c2f6f

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
52.2MB

MD5
b4b105d08498784fffd94160232c246a

SHA1
9a2ed040a5ea8e01c19b869bf64cd0f68c03ff93

SHA256
36704b606ce948a69f8d5fbf0b8724df76207db5768dc6cd91ed12af04b0489f

SHA512
96e86a4a902dc1fa314c4c9230922d8b14b934c580d783a4b147e0ad1d3e14203d73359bc014c83aae9e20b74fd2791834e16f5a659485816e1f354333bfbf6a

Download Submit
memory/1276-277-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-275-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-282-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-281-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-280-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-278-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-271-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-276-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-283-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-270-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-269-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-268-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-273-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-267-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-272-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-265-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/1276-264-0x0000000000090000-0x00000000008F8000-memory.dmp

Filesize
8.4MB

Download
memory/2028-135-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2028-266-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2028-148-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2028-134-0x0000000000AB0000-0x0000000000B0D000-memory.dmp

Filesize
372KB

Download
memory/2028-220-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2028-227-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/3780-240-0x0000000000560000-0x0000000000DC8000-memory.dmp

Filesize
8.4MB

Download
memory/3780-262-0x0000000000560000-0x0000000000DC8000-memory.dmp

Filesize
8.4MB

Download
memory/3780-249-0x0000000000560000-0x0000000000DC8000-memory.dmp

Filesize
8.4MB

Download
memory/3780-246-0x0000000000560000-0x0000000000DC8000-memory.dmp

Filesize
8.4MB

Download
memory/3780-244-0x0000000000560000-0x0000000000DC8000-memory.dmp

Filesize
8.4MB

Download
memory/3780-243-0x0000000000560000-0x0000000000DC8000-memory.dmp

Filesize
8.4MB

Download
memory/3780-242-0x0000000000560000-0x0000000000DC8000-memory.dmp

Filesize
8.4MB

Download
memory/3780-241-0x0000000000560000-0x0000000000DC8000-memory.dmp

Filesize
8.4MB

Download
memory/3780-239-0x0000000000560000-0x0000000000DC8000-memory.dmp

Filesize
8.4MB

Download
memory/5092-259-0x0000000000C50000-0x0000000001AB3000-memory.dmp

Filesize
14.4MB

Download
memory/5092-258-0x0000000000C50000-0x0000000001AB3000-memory.dmp

Filesize
14.4MB

Download