gurcu | e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

Resubmissions

10-04-2024 02:17

240410-cqs4fafc2v 10

10-04-2024 02:17

10-04-2024 02:17

10-04-2024 02:17

13-05-2023 22:56

Analysis

max time kernel
597s
max time network
602s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-04-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qsteemp.exe
Size

165KB
MD5

90cd3202af31b431dcc5e47cf3b8c0d7
SHA1

747f68fb8f122241059c219eeeeadac61e8215be
SHA256

e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
SHA512

b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481
SSDEEP

3072:fV6h5WXwyNUD44ykiQbGjlc/SGvjQtbGTl2MRMc:9AuwMPkhbGRc/T6A

Score

10^/10

gurcu spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6209822134:AAHQxD-CI1YDVcNbXijXHlonsEUgv3dfYtg/sendMessage?chat_id=-1001529292045

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 22 IoCs

pid	Process
1728	qsteemp.exe
772	tor.exe
3964	qsteemp.exe
4728	tor.exe
2988	qsteemp.exe
3988	tor.exe
1720	qsteemp.exe
4492	tor.exe
4872	qsteemp.exe
1488	tor.exe
3856	qsteemp.exe
1392	tor.exe
3688	qsteemp.exe
2492	tor.exe
4076	qsteemp.exe
4672	tor.exe
2884	qsteemp.exe
4580	tor.exe
2984	qsteemp.exe
248	tor.exe
4000	qsteemp.exe
2492	tor.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
788	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4604	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1728	qsteemp.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	qsteemp.exe
Token: SeDebugPrivilege	3964	qsteemp.exe
Token: SeDebugPrivilege	2988	qsteemp.exe
Token: SeDebugPrivilege	1720	qsteemp.exe
Token: SeDebugPrivilege	4872	qsteemp.exe
Token: SeDebugPrivilege	3856	qsteemp.exe
Token: SeDebugPrivilege	3688	qsteemp.exe
Token: SeDebugPrivilege	4076	qsteemp.exe
Token: SeDebugPrivilege	2884	qsteemp.exe
Token: SeDebugPrivilege	2984	qsteemp.exe
Token: SeDebugPrivilege	4000	qsteemp.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1564	3144	qsteemp.exe	79
PID 3144 wrote to memory of 1564	3144	qsteemp.exe	79
PID 1564 wrote to memory of 704	1564	cmd.exe	81
PID 1564 wrote to memory of 704	1564	cmd.exe	81
PID 1564 wrote to memory of 4604	1564	cmd.exe	82
PID 1564 wrote to memory of 4604	1564	cmd.exe	82
PID 1564 wrote to memory of 788	1564	cmd.exe	83
PID 1564 wrote to memory of 788	1564	cmd.exe	83
PID 1564 wrote to memory of 1728	1564	cmd.exe	84
PID 1564 wrote to memory of 1728	1564	cmd.exe	84
PID 1728 wrote to memory of 768	1728	qsteemp.exe	85
PID 1728 wrote to memory of 768	1728	qsteemp.exe	85
PID 1728 wrote to memory of 772	1728	qsteemp.exe	87
PID 1728 wrote to memory of 772	1728	qsteemp.exe	87
PID 3964 wrote to memory of 4728	3964	qsteemp.exe	90
PID 3964 wrote to memory of 4728	3964	qsteemp.exe	90
PID 2988 wrote to memory of 3988	2988	qsteemp.exe	96
PID 2988 wrote to memory of 3988	2988	qsteemp.exe	96
PID 1720 wrote to memory of 4492	1720	qsteemp.exe	101
PID 1720 wrote to memory of 4492	1720	qsteemp.exe	101
PID 4872 wrote to memory of 1488	4872	qsteemp.exe	106
PID 4872 wrote to memory of 1488	4872	qsteemp.exe	106
PID 3856 wrote to memory of 1392	3856	qsteemp.exe	111
PID 3856 wrote to memory of 1392	3856	qsteemp.exe	111
PID 3688 wrote to memory of 2492	3688	qsteemp.exe	116
PID 3688 wrote to memory of 2492	3688	qsteemp.exe	116
PID 4076 wrote to memory of 4672	4076	qsteemp.exe	121
PID 4076 wrote to memory of 4672	4076	qsteemp.exe	121
PID 2884 wrote to memory of 4580	2884	qsteemp.exe	126
PID 2884 wrote to memory of 4580	2884	qsteemp.exe	126
PID 2984 wrote to memory of 248	2984	qsteemp.exe	131
PID 2984 wrote to memory of 248	2984	qsteemp.exe	131
PID 4000 wrote to memory of 2492	4000	qsteemp.exe	136
PID 4000 wrote to memory of 2492	4000	qsteemp.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\qsteemp.exe
"C:\Users\Admin\AppData\Local\Temp\qsteemp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\qsteemp.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:704
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4604
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:788
- - C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
    "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp829D.tmp" -C "C:\Users\Admin\AppData\Local\6kfrvwd31o"
      4⤵
      PID:768
  - - C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
      "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:772

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4728

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3988

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4492

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1488

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1392

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2492

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4672

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4580

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:248

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6kfrvwd31o\data\cached-microdesc-consensus

Filesize
2.7MB

MD5
a0db8a87f7b723266c8b04255da46b06

SHA1
4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

SHA256
60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

SHA512
41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\data\cached-microdescs.new

Filesize
15.4MB

MD5
0acec7668b2a3d34d985122ca103efb5

SHA1
b2173d27529dcd31432cfd7d4389b57fce33e868

SHA256
a6a03178717ea4b445ff58cb108d6098107047fc9d9724622351cb41bda9a6fb

SHA512
e19b2a8bd474072b532434e1cbbe40438a1e29759d8d1c99f3c8e4f292fe002a5006d531f036a31a05b5bcea4049dec854e17559e2939686e483328c6e80499e

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\host\hostname

Filesize
64B

MD5
0b089118107ef41f9ed3d0c98a62eb02

SHA1
51e13363bca27a41557417b39ac1ac1ae5cdc792

SHA256
b0563eb1ec47485274ab69686c0278f2c0526ddd0b39af74412ec4d534f40cca

SHA512
c9482923d9b910ef566d9557119db28fccaf4f0cd83cca5a0631d0d6cc2720119ec7b1cb83747496d1a54b3d855ce583eaf554af63895729cee8d994bae57f6d

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\port.dat

Filesize
4B

MD5
54e8912427a8d007ece906c577fdca60

SHA1
582b2f2037a08468f6eec8b90d25171c5475a4bb

SHA256
068cdb9d2f72bda16c5934741a093a9dbb698a816d56521feca9e5b67dbdbc40

SHA512
d42b0afb4d53938c6e9949adfff8697b90d97938682b726a26493bf6715524ef2fad768ef62d712dae310926655db8edcced11842d20459a0a3696fb9e1dbd3e

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt

Filesize
218B

MD5
4d45b23c8ec5ff2b02734adc0a2c8d17

SHA1
ee4b1456af4dba81a4db056428b1ad319b0f0a9e

SHA256
ac9a149089394f3818c7fdd1d99fde50b05dd68122ef2ec27f7e646858f18d32

SHA512
467aa312e099e4e6af585b9d0250db41a52e8c69a172c992c84a3fb5ced92a026f224e6341004d2c68b4f6e73174e2d82274a688046276589709be527174f313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qsteemp.exe.log

Filesize
1KB

MD5
081b644082c51f2ff0f00087877003b5

SHA1
2eeb0a8a592e5327873f5a6704031c1ff6d0bd31

SHA256
cc427c714517dd0a3c96354869ce1bb300bf4935006fc628ceb28e2f040197ac

SHA512
95621587e55a5f5111aea05cadbaf56429adde2de0c41c9de8e74c03d31116edf72b63d76f65af45e4b14b68fe214926425581f77113d332eb91b0b6a5598eff

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe

Filesize
165KB

MD5
90cd3202af31b431dcc5e47cf3b8c0d7

SHA1
747f68fb8f122241059c219eeeeadac61e8215be

SHA256
e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

SHA512
b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp829D.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
memory/1720-101-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/1720-99-0x000001F559B60000-0x000001F559B70000-memory.dmp

Filesize
64KB

Download
memory/1720-98-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/1728-12-0x000002479D320000-0x000002479D330000-memory.dmp

Filesize
64KB

Download
memory/1728-11-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/1728-55-0x000002479D320000-0x000002479D330000-memory.dmp

Filesize
64KB

Download
memory/1728-54-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/2884-146-0x0000014C42F10000-0x0000014C42F20000-memory.dmp

Filesize
64KB

Download
memory/2884-148-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/2884-145-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/2984-154-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/2984-156-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/2988-90-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/2988-92-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/3144-0-0x000002543DD00000-0x000002543DD30000-memory.dmp

Filesize
192KB

Download
memory/3144-1-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/3144-2-0x000002543FA30000-0x000002543FA40000-memory.dmp

Filesize
64KB

Download
memory/3144-6-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/3688-127-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/3688-124-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/3688-125-0x00000244EA740000-0x00000244EA750000-memory.dmp

Filesize
64KB

Download
memory/3856-114-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/3856-112-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/3964-53-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/3964-44-0x000001A0B7360000-0x000001A0B7370000-memory.dmp

Filesize
64KB

Download
memory/3964-43-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/4000-168-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/4000-166-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/4076-139-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/4076-137-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/4872-107-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download
memory/4872-108-0x000001E0716B0000-0x000001E0716C0000-memory.dmp

Filesize
64KB

Download
memory/4872-110-0x00007FF900150000-0x00007FF900C12000-memory.dmp

Filesize
10.8MB

Download