blackguard | 9897c692bdfe80626c96d8825834be9158979c2926f65b761e41cba607895d8b

Analysis

max time kernel
41s
max time network
40s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
29-01-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

betabuild2.exe
Size

8.0MB
MD5

f8e150ff0e3788bfc18558eafc94d921
SHA1

26e06740e70783caaf20fb4ef9bf6e7e57cea678
SHA256

9897c692bdfe80626c96d8825834be9158979c2926f65b761e41cba607895d8b
SHA512

52b11e5afe60d792b64136053aac00057ac3888e93f028a3fffecb3b8f0dda2ae4fe2b8c6a74e9972538d377a51907f13fe8e2ee08d2d6906952a4d892269ffc
SSDEEP

196608:O8t3afccVSE+mfkSV6qfwI7fRxzpkhuUgF5io9:xt3afccqmfLh7pfdF5iK

Score

10^/10

blackguard xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

5.39.43.50:5060

Attributes

Install_directory
%AppData%
install_file
svh0st.exe

Extracted

Family

blackguard

https://api.telegram.org/bot6890098459:AAHjv04XcY7xWyP2Vkp5g2wyR9vE4yvtyHs/sendMessage?chat_id=937347419

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002a786-4.dat	family_xworm
behavioral2/memory/1612-16-0x0000000000E10000-0x0000000000E6E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svh0st.lnk	buildbeta1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svh0st.lnk	buildbeta1.exe

Executes dropped EXE 3 IoCs

pid	Process
1612	buildbeta1.exe
844	VegaStealer_v2.exe
1684	v2.exe

Loads dropped DLL 5 IoCs

pid	Process
1684	v2.exe
1684	v2.exe
1684	v2.exe
1684	v2.exe
1684	v2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Windows\CurrentVersion\Run\svh0st = "C:\\Users\\Admin\\AppData\\Roaming\\svh0st.exe"	buildbeta1.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	freegeoip.app
1	ip-api.com
2	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1684	v2.exe
1684	v2.exe
1684	v2.exe
1684	v2.exe
4180	powershell.exe
4180	powershell.exe
552	powershell.exe
552	powershell.exe
932	powershell.exe
932	powershell.exe
4392	powershell.exe
4392	powershell.exe
1612	buildbeta1.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	buildbeta1.exe
Token: SeDebugPrivilege	1684	v2.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	1612	buildbeta1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1612	buildbeta1.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1612	2304	betabuild2.exe	76
PID 2304 wrote to memory of 1612	2304	betabuild2.exe	76
PID 2304 wrote to memory of 844	2304	betabuild2.exe	77
PID 2304 wrote to memory of 844	2304	betabuild2.exe	77
PID 2304 wrote to memory of 844	2304	betabuild2.exe	77
PID 844 wrote to memory of 1684	844	VegaStealer_v2.exe	78
PID 844 wrote to memory of 1684	844	VegaStealer_v2.exe	78
PID 844 wrote to memory of 1684	844	VegaStealer_v2.exe	78
PID 1612 wrote to memory of 4180	1612	buildbeta1.exe	81
PID 1612 wrote to memory of 4180	1612	buildbeta1.exe	81
PID 1612 wrote to memory of 552	1612	buildbeta1.exe	83
PID 1612 wrote to memory of 552	1612	buildbeta1.exe	83
PID 1612 wrote to memory of 932	1612	buildbeta1.exe	85
PID 1612 wrote to memory of 932	1612	buildbeta1.exe	85
PID 1612 wrote to memory of 4392	1612	buildbeta1.exe	87
PID 1612 wrote to memory of 4392	1612	buildbeta1.exe	87
PID 1612 wrote to memory of 1928	1612	buildbeta1.exe	89
PID 1612 wrote to memory of 1928	1612	buildbeta1.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\betabuild2.exe
"C:\Users\Admin\AppData\Local\Temp\betabuild2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe
  "C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'buildbeta1.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svh0st.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svh0st.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svh0st" /tr "C:\Users\Admin\AppData\Roaming\svh0st.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1928
- C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
  "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0a85f07903eaad4aace8865ff28679f

SHA1
caa147464cf2e31bf9b482c3ba3c5c71951566d1

SHA256
c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5

SHA512
7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
258KB

MD5
970726547c5e277b7ef1d559e793a27f

SHA1
6f54b80f5cabd373ce59cca727aaf72036bd3122

SHA256
07582afd9408b8626a344a595f07337793844f95a84e77b8ea6ae79887c8fd6d

SHA512
c3511b40f465b494084a6bf1de3b1c33cb436bc1ac3db48f95cde55d53b0d2b06b25f22e7ca3b9deb03439b236982d1a7926d2e7745437a6ae36dae20094c8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
482KB

MD5
f7dc2fd98c55503a50e635ceabf095f2

SHA1
ea00314d0877540121c05e1bf4de805e5e1f6ecf

SHA256
0cedf69dde42cf092eeee7e4332eca1346833bd9b9907607a4d15a36ca3ae8da

SHA512
685cde828d444009fdd38b5013e5448b9c5b45c85f017a2e7cd68d80769a7ff8063ce68eee0e5c0a651f8fe42f2b2b91e4dda21fa4d5e67fda86b3eb606f8240

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
297KB

MD5
b1b000dcea393e271360858e71194e15

SHA1
9daac4d32addbcd2357ecf31b0909a9d3357e538

SHA256
4422606f8082f4b53d48acc0448626f296b1b42a2ea7ded00b6c836347dcbef7

SHA512
ec93859adf9569f286af839145fadef70da8a5048f28281079006b8768f2171935d74159486ff1e72f5e0c49bfbca49ea73e1a46624874a0c4efa40c852269a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
374KB

MD5
ae527479fc0469df376f1899aec1f25f

SHA1
c015a63f65ddb25082e61790e26920477f50e64b

SHA256
56a6d23db38464351af99d29aaed311e8da7965bd8955aca5e69abc903d0aef5

SHA512
9b1fe3b311720f3751313a90a1817eecbfcccda27362de4b6def02ac8a7d0b5055325fb278ed68805c9fffde01abdb3258fe9659090610b2962df32f25dc1bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
219KB

MD5
b4bb8901dca4dc7efae9c5645d8107c3

SHA1
c62bb4f1360629e9bb870c76bd091487bfe5b3f2

SHA256
cb919b3a25909e2cb16309f8ff8b1d5e27627c12fded5e19a9e68496f38b2402

SHA512
1637b3d547d845f92c9195e6a944c1590600fd8d0eb498cf502e74fe200a3e8d7390e48733abb980f9fd0802a3a7bee26e654de999d82e34da69a7c8d3e80e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
330KB

MD5
f78b127244a9a2fa69518ce821332775

SHA1
64dbbf5196e6e64fcbee8a9c18daac2c21856c62

SHA256
0c4124244092336f125c7853581ccaf1c97dd035c7e8208479d30421a5c1f65e

SHA512
521785b92d0884f2510406835ff8a5869d293c98f99b44ee18c3e5e17443c6b93ccd29451166b04140d2dfac0db7679d8ca4b2440611c91dda93a6714570b027

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
309KB

MD5
f0f87a1078a737e288e7e598904558a1

SHA1
9942896739686309956330d81137489ae0f78d1a

SHA256
1d9d5fbbdf950ed73dbd9594c2cb09d2869feda54ba4808d8a517d2659adc10e

SHA512
bd7e3517aee8ed4b36e2b667231bcdd42d241ff21fbac08db77d9d24f6eafd9c6a9f91ac939179d796f65e08310c2b16d2bc10e52f22784dead1fa68eabbfbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
307KB

MD5
a7e2e04396abfe01ef09bc8a8c923dd9

SHA1
89de5255a7819acf7460cea31e92d957fbf9de9c

SHA256
ef652c681b9798f88661582e2462d83d4978df7ede7e917176c11dbc50fd6c7a

SHA512
21d995448f65ff4f512c6beb1f535a2f57e23dc4f34f233638edf15d56e46199d7b4d6f3ed4ae5ebba35cd49c3154ccb86f68ed89daffe94bf4d718ed9b39545

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
1.6MB

MD5
45cefff64c72abce02a8ed26840f79d2

SHA1
4512f4921b79626117cfae5bec9152d2bdfb1b88

SHA256
a9231cf86289dbaf0451337591dd8a9711fee8e00bacaef9abfe92a3e3280e9f

SHA512
214ee2e673c3203c932ee5d2e0cff91eacd7cdc25b539cc728f0094f456b7ad344ff71ab1ee684cf6ff03b8f767a8753dc4a752dd3ba334cf22b2a3e79fefd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
659KB

MD5
07914b2556f468fea9fc6b1eeaf8ec41

SHA1
94ccf4be36757ea7797b30480b41179f05db40c8

SHA256
bcae8a6215e494a064feb1dcebe0fc9dede9d955ec619ccac6a056554b49ac38

SHA512
ff346b3ae6ab2d973095a0e424f7baba461a31b3e040cf6aa702164084ad79e8f455a1006a6b01d228c2231f87da6cb4ea36b67ef1f879379e082ec7c7ebd6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
512KB

MD5
069afa2e9d756b3114000a42767b3e85

SHA1
03f7e8f53fa913a5b63930da760317a36a185cc8

SHA256
a4a0576bf0a8d7686ed33cab014137db1d58441fbb17e12f3b49c84f4e28dcfc

SHA512
c5b670c62e7b8c0af7b784af5a35ecb732b573c0857660056239b166a63b5bdafa1ebc07ad8084153ede65b8f2936b00fa8f47a01ee499cea9ff87163a68fe13

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_teag3fwu.ulm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe

Filesize
352KB

MD5
b1300bcdeca375350659b7fa99c4e749

SHA1
e50c02fc3b1b07ddee710249df9fe82638b6f09f

SHA256
3a86bbd49169996778958b388e135722e805a006d06c3aa51620f836c529dae4

SHA512
303954e8bad80281cbbeea862493bc0f99c341b0ed13a9664d1cb6df5d02fba89e17c9063baf41e0f0c28a6108265775d5daf20d6ad7702d5ff782314bcf819f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
ae72225d88f8672576d1255d11c9196a

SHA1
dd8e0afdf35d8e00b981fef61387f984d5dea7fa

SHA256
ff70a6e222ae7a334414103070eb76f9de1304e5e0e9656828e0aaa56842e1e5

SHA512
f58e7fcd1e9b53755dca703cbf52d3e11f300eac1cf567e50633f2c21a52b40da2957d4649b91f624486ec41b0eb3b6c1fbae7a36f424e0c0725b8229864c140

Download Submit
C:\Users\Admin\AppData\Roaming\RVwVyVHNFBTLUJVLQIWH.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\RVwVyVHNFBTLUJVLQIWH.Admin\Process.txt

Filesize
1KB

MD5
3cb84e37288b23b22d0ff150646daf01

SHA1
78105bb649ca7e6c5031bfea06627a98132ce4ab

SHA256
e8f3164813d60b6b654c178c126fd4f028723ee996d7a202eb4b420f2ea5ee3b

SHA512
ed9c355857dc92c0d195dc0ce659fbdfe6b6fb209b2bce3f9c4e744058e4addd58127c4f5d0e2ef441b82277e98460b132302d08bc027d09202b50ce88918b31

Download Submit
memory/552-242-0x000001114C8D0000-0x000001114C8E0000-memory.dmp

Filesize
64KB

Download
memory/552-240-0x000001114C8D0000-0x000001114C8E0000-memory.dmp

Filesize
64KB

Download
memory/552-244-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/552-239-0x000001114C8D0000-0x000001114C8E0000-memory.dmp

Filesize
64KB

Download
memory/552-238-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/932-254-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/932-258-0x000002035FD80000-0x000002035FD90000-memory.dmp

Filesize
64KB

Download
memory/932-260-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/932-256-0x000002035FD80000-0x000002035FD90000-memory.dmp

Filesize
64KB

Download
memory/932-257-0x000002035FD80000-0x000002035FD90000-memory.dmp

Filesize
64KB

Download
memory/932-255-0x000002035FD80000-0x000002035FD90000-memory.dmp

Filesize
64KB

Download
memory/1612-16-0x0000000000E10000-0x0000000000E6E000-memory.dmp

Filesize
376KB

Download
memory/1612-273-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

Filesize
64KB

Download
memory/1612-18-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/1612-207-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

Filesize
64KB

Download
memory/1612-241-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/1684-109-0x0000000006A00000-0x0000000006A68000-memory.dmp

Filesize
416KB

Download
memory/1684-105-0x0000000006380000-0x00000000063A2000-memory.dmp

Filesize
136KB

Download
memory/1684-52-0x0000000000BA0000-0x0000000000BEA000-memory.dmp

Filesize
296KB

Download
memory/1684-53-0x0000000074710000-0x0000000074EC1000-memory.dmp

Filesize
7.7MB

Download
memory/1684-224-0x0000000074710000-0x0000000074EC1000-memory.dmp

Filesize
7.7MB

Download
memory/1684-208-0x0000000007E10000-0x0000000007E2E000-memory.dmp

Filesize
120KB

Download
memory/1684-54-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/1684-56-0x0000000006070000-0x0000000006102000-memory.dmp

Filesize
584KB

Download
memory/1684-206-0x0000000008110000-0x0000000008186000-memory.dmp

Filesize
472KB

Download
memory/1684-205-0x0000000007E50000-0x0000000007EB6000-memory.dmp

Filesize
408KB

Download
memory/1684-126-0x0000000008640000-0x0000000008BE6000-memory.dmp

Filesize
5.6MB

Download
memory/1684-103-0x00000000063B0000-0x0000000006442000-memory.dmp

Filesize
584KB

Download
memory/1684-116-0x0000000006E50000-0x0000000006E8C000-memory.dmp

Filesize
240KB

Download
memory/1684-122-0x0000000007EC0000-0x0000000008082000-memory.dmp

Filesize
1.8MB

Download
memory/1684-117-0x0000000006DF0000-0x0000000006E11000-memory.dmp

Filesize
132KB

Download
memory/1684-104-0x0000000006010000-0x0000000006060000-memory.dmp

Filesize
320KB

Download
memory/1684-110-0x0000000006A70000-0x0000000006DC7000-memory.dmp

Filesize
3.3MB

Download
memory/1684-111-0x0000000006990000-0x00000000069DC000-memory.dmp

Filesize
304KB

Download
memory/2304-20-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/4180-220-0x000001C4E2CE0000-0x000001C4E2CF0000-memory.dmp

Filesize
64KB

Download
memory/4180-209-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/4180-227-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/4180-219-0x000001C4E2CE0000-0x000001C4E2CF0000-memory.dmp

Filesize
64KB

Download
memory/4180-221-0x000001C4E2CE0000-0x000001C4E2CF0000-memory.dmp

Filesize
64KB

Download
memory/4180-210-0x000001C4FB350000-0x000001C4FB372000-memory.dmp

Filesize
136KB

Download
memory/4392-271-0x0000028F62D10000-0x0000028F62D20000-memory.dmp

Filesize
64KB

Download
memory/4392-276-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/4392-269-0x00007FFF19E50000-0x00007FFF1A912000-memory.dmp

Filesize
10.8MB

Download
memory/4392-274-0x0000028F62D10000-0x0000028F62D20000-memory.dmp

Filesize
64KB

Download
memory/4392-272-0x0000028F62D10000-0x0000028F62D20000-memory.dmp

Filesize
64KB

Download