gurcu | 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2023 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

whitesnake.exe
Size

344KB
MD5

aec814bf30dd191b641feef457a718ce
SHA1

96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256

446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512

fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0
SSDEEP

6144:SXRrO+JguvyIs1DkhmgPZw6JXAL5+9bbYZQ4:ir/9m3cYZQ

Score

10^/10

gurcu collection discovery spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6202531839:AAHT41T-v1F7LRPMrYNhW3IEdF7Ab7I7uTM/sendMessage?chat_id=-1001903439899

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	whitesnake.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	whitesnake.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	whitesnake.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	whitesnake.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	whitesnake.exe

Executes dropped EXE 8 IoCs

pid	Process
4892	whitesnake.exe
1864	whitesnake.exe
4248	tor.exe
3912	tor.exe
3464	whitesnake.exe
3720	tor.exe
4740	whitesnake.exe
1516	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	whitesnake.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	whitesnake.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	whitesnake.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	whitesnake.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	whitesnake.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	whitesnake.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3556	1864	WerFault.exe	90
3788	3464	WerFault.exe	104
3320	4740	WerFault.exe	109

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4656	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3540	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4892	whitesnake.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	whitesnake.exe
Token: SeDebugPrivilege	4892	whitesnake.exe
Token: SeDebugPrivilege	1864	whitesnake.exe
Token: SeDebugPrivilege	3464	whitesnake.exe
Token: SeDebugPrivilege	4740	whitesnake.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 3880	4448	whitesnake.exe	82
PID 4448 wrote to memory of 3880	4448	whitesnake.exe	82
PID 3880 wrote to memory of 4420	3880	cmd.exe	84
PID 3880 wrote to memory of 4420	3880	cmd.exe	84
PID 3880 wrote to memory of 3540	3880	cmd.exe	85
PID 3880 wrote to memory of 3540	3880	cmd.exe	85
PID 3880 wrote to memory of 4656	3880	cmd.exe	86
PID 3880 wrote to memory of 4656	3880	cmd.exe	86
PID 3880 wrote to memory of 4892	3880	cmd.exe	87
PID 3880 wrote to memory of 4892	3880	cmd.exe	87
PID 4892 wrote to memory of 3056	4892	whitesnake.exe	88
PID 4892 wrote to memory of 3056	4892	whitesnake.exe	88
PID 1864 wrote to memory of 4248	1864	whitesnake.exe	91
PID 1864 wrote to memory of 4248	1864	whitesnake.exe	91
PID 4892 wrote to memory of 3912	4892	whitesnake.exe	93
PID 4892 wrote to memory of 3912	4892	whitesnake.exe	93
PID 3464 wrote to memory of 3720	3464	whitesnake.exe	105
PID 3464 wrote to memory of 3720	3464	whitesnake.exe	105
PID 4740 wrote to memory of 1516	4740	whitesnake.exe	110
PID 4740 wrote to memory of 1516	4740	whitesnake.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	whitesnake.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	whitesnake.exe

C:\Users\Admin\AppData\Local\Temp\whitesnake.exe
"C:\Users\Admin\AppData\Local\Temp\whitesnake.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "whitesnake" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\whitesnake.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4420
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3540
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "whitesnake" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4656
- - C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
    "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp7D91.tmp" -C "C:\Users\Admin\AppData\Local\8lxyt4fm8n"
      4⤵
      PID:3056
  - - C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
      "C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:3912

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1864
- C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
  "C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1864 -s 2856
  2⤵
  - Program crash
  PID:3556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 1864 -ip 1864
1⤵
PID:3200

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
  "C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3464 -s 2032
  2⤵
  - Program crash
  PID:3788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3464 -ip 3464
1⤵
PID:4496

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
  "C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4740 -s 1956
  2⤵
  - Program crash
  PID:3320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 4740 -ip 4740
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8lxyt4fm8n\data\cached-microdesc-consensus.tmp

Filesize
2.2MB

MD5
62afa111550d866293bdce98af512bdd

SHA1
4e3e9aa9e83a85c0f65b3ad7266714ea77cbb29e

SHA256
b36daecbb46e063f62321cf5b666062a5085b21fbcedb5f237bea19627b7f782

SHA512
593f2a71121ccc3952034eae19b32f6f9644f5109d1c6573adc9c27bba60195df8bd610420d3d5d674faba0ab79cdb14ce5624a0bc5d59acefebc21ec9af5efd

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\data\cached-microdescs.new

Filesize
5.6MB

MD5
fa6ca6c94728013dd37b3954d48540cf

SHA1
95f7c4dadb967c6ebd5994cd0eb2917eaa4522ae

SHA256
15d7cb5e1a3d36d4d2e97f4502756face670bb2a1b84c84a7f89971ff836b274

SHA512
372d0b93b61420d6f40a7520c92b04009450740c24af2b49b1207f62ef16bebb740ed5ee1a30d230b75b8659b252e4be8fb79f8e30d304d737e04cb5fda20e3e

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\host\hostname

Filesize
64B

MD5
bb3c2eb0a36e0b538b1e52d39ffa691a

SHA1
b06ae180daf7f7e34628254e5302e6d2cbc428b8

SHA256
61607f44106fac76f7e9c33cbdbe0ddb50b5765af47a4ee4227239ce0dc1c917

SHA512
1c86db877f23587153ea48bb2a88b249f0a79cb4af5eb04f3dc6c2086010625e14467d79734a08896ec4de57f1a9e064678669082b6c237468d26e3e3d5263c4

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\port.dat

Filesize
4B

MD5
d3630410c51e60941a9001a46871070e

SHA1
5e9e35e4d3778985fa3ed033259d0b5b2e68c34c

SHA256
61d8c465a85f889fd0d3a1d9d243dfa3fd2ef0282bc59b36499ccc63d92c1b47

SHA512
3da4ac108489cfcc5ab675dde41ad611c653e835666239999833fe26f0ca3095dac6c74a2c8060203655174e5b081fff9213fb134a3a0dfe04b7d41c7d93c5a7

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt

Filesize
218B

MD5
3a83ec78b95b9599062a1b83ea39521e

SHA1
fe8d57da08b3579724f4d464ed4f4202c23e2b5d

SHA256
2e014afc9447f861aab58d65c2eb80acf5daefe62477b02836757726d299e624

SHA512
2a4685019917318e87e75ee98ed47de04f3a1d52350d4a40f7585a2a0575e0113b23f285a7be98d6408a9bc240eb56d6a5dac1da6cbcb9a1b6b16e2c634a335f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\whitesnake.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

Filesize
344KB

MD5
aec814bf30dd191b641feef457a718ce

SHA1
96c2bea5b416d10a2dae60acd2b7f9c7cebb8115

SHA256
446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

SHA512
fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

Filesize
344KB

MD5
aec814bf30dd191b641feef457a718ce

SHA1
96c2bea5b416d10a2dae60acd2b7f9c7cebb8115

SHA256
446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

SHA512
fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

Filesize
344KB

MD5
aec814bf30dd191b641feef457a718ce

SHA1
96c2bea5b416d10a2dae60acd2b7f9c7cebb8115

SHA256
446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

SHA512
fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

Filesize
344KB

MD5
aec814bf30dd191b641feef457a718ce

SHA1
96c2bea5b416d10a2dae60acd2b7f9c7cebb8115

SHA256
446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

SHA512
fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

Filesize
344KB

MD5
aec814bf30dd191b641feef457a718ce

SHA1
96c2bea5b416d10a2dae60acd2b7f9c7cebb8115

SHA256
446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

SHA512
fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D91.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
memory/1864-162-0x00000134C8430000-0x00000134C8440000-memory.dmp

Filesize
64KB

Download
memory/4448-133-0x00000186F4750000-0x00000186F47AC000-memory.dmp

Filesize
368KB

Download
memory/4448-136-0x00000186F4BA0000-0x00000186F4BB0000-memory.dmp

Filesize
64KB

Download
memory/4892-143-0x000002DDAE180000-0x000002DDAE190000-memory.dmp

Filesize
64KB

Download