meduza | 8cb97053bcb6290b548c2cdc654c2dd7929ec5bdf26156f6f86cc83357251c2b

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Synapse.exe
Size

638.8MB
MD5

61de96e5353b086d0adbec1f6f6805a4
SHA1

f8a632f64158d65d88767f40568a1a2f5ac6408f
SHA256

b4672fe1f8bf47ec762901fdf935c4bec3055786551307b89ac8f57156d96336
SHA512

6e158f558ffd71506d1e3cb057d6d8f40e75d293b3d2b4f8fda057b47739b4bcc3619bd3458dadafed84baebe050e387a1a4f9207eeba5398a6b91f2ad15c4d6
SSDEEP

98304:i57+KoPUraOzCqYKOpL0qSB7reHbQLsEFTV2WQo1nqUf:Q7oP1OzCqw0fB7iKsEJo/Uq

Score

10^/10

meduza xmrig evasion execution miner persistence stealer upx

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Work
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/3040-12-0x0000000001C50000-0x0000000001D8E000-memory.dmp	family_meduza
behavioral1/memory/3040-24-0x0000000001C50000-0x0000000001D8E000-memory.dmp	family_meduza

Meduza family
meduza
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1724-59-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1724-58-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1724-57-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1724-56-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1724-54-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1724-53-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1724-60-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1724-61-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1724-62-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
2080	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	venomderek.exe

Executes dropped EXE 4 IoCs

pid	Process
3040	venomderek.exe
2764	lokigod.exe
476	Process not Found
2148	vzppfnnlsyit.exe

Loads dropped DLL 7 IoCs

pid	Process
2032	Synapse.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2032	Synapse.exe
2032	Synapse.exe
476	Process not Found

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1816	powercfg.exe
1260	powercfg.exe
2568	powercfg.exe
1316	powercfg.exe
1984	powercfg.exe
1620	powercfg.exe
1640	powercfg.exe
1528	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	vzppfnnlsyit.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lokigod.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 set thread context of 1724	2148	vzppfnnlsyit.exe	90

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-59-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-58-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-57-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-56-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-51-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-50-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-49-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-54-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-52-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-46-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-53-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-60-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-61-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1724-62-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2076	sc.exe
2932	sc.exe
2484	sc.exe
1812	sc.exe
2700	sc.exe
2992	sc.exe
2244	sc.exe
2696	sc.exe
1576	sc.exe
2860	sc.exe
1740	sc.exe
2996	sc.exe
708	sc.exe
1484	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30ffe9a06346db01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	lokigod.exe
2500	powershell.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2764	lokigod.exe
2148	vzppfnnlsyit.exe
2080	powershell.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
2148	vzppfnnlsyit.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	Synapse.exe
Token: SeDebugPrivilege	3040	venomderek.exe
Token: SeImpersonatePrivilege	3040	venomderek.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeShutdownPrivilege	1620	powercfg.exe
Token: SeShutdownPrivilege	1528	powercfg.exe
Token: SeShutdownPrivilege	1640	powercfg.exe
Token: SeShutdownPrivilege	1816	powercfg.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeShutdownPrivilege	1260	powercfg.exe
Token: SeShutdownPrivilege	2568	powercfg.exe
Token: SeLockMemoryPrivilege	1724	svchost.exe
Token: SeShutdownPrivilege	1984	powercfg.exe
Token: SeShutdownPrivilege	1316	powercfg.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 3040	2032	Synapse.exe	31
PID 2032 wrote to memory of 3040	2032	Synapse.exe	31
PID 2032 wrote to memory of 3040	2032	Synapse.exe	31
PID 3040 wrote to memory of 2892	3040	venomderek.exe	32
PID 3040 wrote to memory of 2892	3040	venomderek.exe	32
PID 3040 wrote to memory of 2892	3040	venomderek.exe	32
PID 2032 wrote to memory of 2764	2032	Synapse.exe	33
PID 2032 wrote to memory of 2764	2032	Synapse.exe	33
PID 2032 wrote to memory of 2764	2032	Synapse.exe	33
PID 928 wrote to memory of 1944	928	cmd.exe	42
PID 928 wrote to memory of 1944	928	cmd.exe	42
PID 928 wrote to memory of 1944	928	cmd.exe	42
PID 876 wrote to memory of 2004	876	cmd.exe	72
PID 876 wrote to memory of 2004	876	cmd.exe	72
PID 876 wrote to memory of 2004	876	cmd.exe	72
PID 2148 wrote to memory of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 wrote to memory of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 wrote to memory of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 wrote to memory of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 wrote to memory of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 wrote to memory of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 wrote to memory of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 wrote to memory of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 wrote to memory of 2036	2148	vzppfnnlsyit.exe	85
PID 2148 wrote to memory of 1724	2148	vzppfnnlsyit.exe	90
PID 2148 wrote to memory of 1724	2148	vzppfnnlsyit.exe	90
PID 2148 wrote to memory of 1724	2148	vzppfnnlsyit.exe	90
PID 2148 wrote to memory of 1724	2148	vzppfnnlsyit.exe	90
PID 2148 wrote to memory of 1724	2148	vzppfnnlsyit.exe	90

C:\Users\Admin\AppData\Local\Temp\Synapse.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\venomderek.exe
  "C:\Users\Admin\AppData\Local\Temp\venomderek.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3040 -s 616
    3⤵
    - Loads dropped DLL
    PID:2892
- C:\Users\Admin\AppData\Local\Temp\lokigod.exe
  "C:\Users\Admin\AppData\Local\Temp\lokigod.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1944
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1484
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2860
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1576
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2700
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1740
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "LBFXRZGB"
    3⤵
    - Launches sc.exe
    PID:2992
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "LBFXRZGB" binpath= "C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2996
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2932
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "LBFXRZGB"
    3⤵
    - Launches sc.exe
    PID:2244

C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2004
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2484
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2076
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:708
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1812
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2696
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2036
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lokigod.exe

Filesize
5.0MB

MD5
769ea3d0e0cf22eaa7526a89c0f438cf

SHA1
5221042ad60744e2bdcf8319ff00bdbfc253eb59

SHA256
b369c94a835882a2267ff0a7a4ebb9a91621c3f134f63010d491121a7827b448

SHA512
d50130430911f16f4d2f7e4d3552f51ceb74601eda13cfbc374c9327e11d7865bdfc49803b54cf7b595b89996db28d3173d7a22993e968fd9a1a080c6b434c9a

Download Submit
\Users\Admin\AppData\Local\Temp\venomderek.exe

Filesize
3.2MB

MD5
8c1a3371880670ae29eb22eec13df95e

SHA1
642e25d5a8a9e52ae970d3cc1f41388d4468259a

SHA256
39e4e2d97af7b2be0aa8806afbc4d4766bc057264f556733b392ffb766174dce

SHA512
8e7b06b4dbe4277390d504a628ada5ff65261408352c9ea66ebcec5f3afd7a7ed7cb2106cec632870d6a7945e96b44818585c21659dc4d6562d473b3e73367a1

Download Submit
memory/1724-50-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-61-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-62-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-60-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-53-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-46-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-52-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-54-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-55-0x0000000000040000-0x0000000000060000-memory.dmp

Filesize
128KB

Download
memory/1724-49-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-51-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-56-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-57-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-58-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1724-59-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2032-5-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2032-3-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-4-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2032-6-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-1-0x0000000000170000-0x0000000001170000-memory.dmp

Filesize
16.0MB

Download
memory/2032-25-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2036-44-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2036-41-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2036-39-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2036-42-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2036-47-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2036-40-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2080-37-0x0000000019F70000-0x000000001A252000-memory.dmp

Filesize
2.9MB

Download
memory/2080-38-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/2500-30-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2500-31-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/3040-24-0x0000000001C50000-0x0000000001D8E000-memory.dmp

Filesize
1.2MB

Download
memory/3040-12-0x0000000001C50000-0x0000000001D8E000-memory.dmp

Filesize
1.2MB

Download