qulab | 7921c12179578321423314c5458842e5f057609027c7b0a7fb4c072295ad8d6b

Resubmissions

25/02/2025, 02:57

250225-dfwbgszjs4 10

25/02/2025, 02:35

250225-c3cl8axpw8 10

Analysis

max time kernel
130s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Private_Cheat by pc_Ret v8.exe
Size

2.8MB
MD5

9f031ba9a4e474e8a87e16e49bf61bc4
SHA1

37f4299fb8888fd7bc477e659e50adac41c3f4f1
SHA256

7921c12179578321423314c5458842e5f057609027c7b0a7fb4c072295ad8d6b
SHA512

95218bbf2f905d791e7aca7d659eaca073f132e6380a2b0a4c152785653618cb919b5e3d0455c57094e99f414283b459c2280703785ace3a929a6c03235d1e5a
SSDEEP

49152:ah+ZkldoPK8YaMWS1/D+MRMOtjR/zTqny/f5ft1xSKHYS:z2cPK821/iMRhjR/zXR1jT

Score

10^/10

qulab agilenet defense_evasion discovery ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 25.02.2025, 02:57:42 Main Information: - OS: Windows 7 X64 / Build: 7601 - UserName: Admin - ComputerName: XECUDNCD - Processor: Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz - VideoCard: Standard VGA Graphics Adapter - Memory: 2.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Adobe AIR - Google Chrome - Microsoft Office Professional Plus 2010 - Adobe AIR - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Reader 9 - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 256 - csrss.exe / PID: 336 - wininit.exe / PID: 384 - csrss.exe / PID: 396 - winlogon.exe / PID: 432 - services.exe / PID: 476 - lsass.exe / PID: 492 - lsm.exe / PID: 500 - svchost.exe / PID: 600 - svchost.exe / PID: 676 - svchost.exe / PID: 756 - svchost.exe / PID: 796 - svchost.exe / PID: 832 - audiodg.exe / PID: 908 - svchost.exe / PID: 956 - svchost.exe / PID: 1016 - spoolsv.exe / PID: 692 - svchost.exe / PID: 992 - taskhost.exe / PID: 1292 - dwm.exe / PID: 1360 - explorer.exe / PID: 1388 - OSPPSVC.EXE / PID: 1136 - WmiPrvSE.exe / PID: 1488 - dllhost.exe / PID: 1028 - svchost.exe / PID: 2556 - sppsvc.exe / PID: 2364 - Baldr (11).exe / PID: 1968 - Wpc.exe / PID: 2772

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab
Qulab family
qulab

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
328	attrib.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000195d6-55.dat	acprotect

Executes dropped EXE 6 IoCs

pid	Process
1968	Baldr (11).exe
2612	Build.exe
2772	Wpc.exe
2296	Wpc.module.exe
1108	Wpc.exe
288	Wpc.exe

Loads dropped DLL 11 IoCs

pid	Process
2508	Private_Cheat by pc_Ret v8.exe
2508	Private_Cheat by pc_Ret v8.exe
2508	Private_Cheat by pc_Ret v8.exe
2508	Private_Cheat by pc_Ret v8.exe
2508	Private_Cheat by pc_Ret v8.exe
2508	Private_Cheat by pc_Ret v8.exe
2508	Private_Cheat by pc_Ret v8.exe
2508	Private_Cheat by pc_Ret v8.exe
2772	Wpc.exe
2772	Wpc.exe
2772	Wpc.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1968-39-0x00000000001E0000-0x0000000000226000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipapi.co
10	ipapi.co

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000186c6-26.dat	autoit_exe
behavioral1/memory/2612-45-0x00000000009B0000-0x0000000000B87000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	Wpc.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	Wpc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000195d6-55.dat	upx
behavioral1/memory/2772-59-0x0000000061E00000-0x0000000061ED1000-memory.dmp	upx
behavioral1/files/0x000700000001960c-100.dat	upx
behavioral1/memory/2296-105-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2296-109-0x0000000000400000-0x000000000048E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wpc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	Wpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wpc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baldr (11).exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	Wpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Private_Cheat by pc_Ret v8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	Wpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wpc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	Wpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wpc.module.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	Wpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	Wpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	Build.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\winmgmts:\localhost\	Wpc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2772	Wpc.exe
1968	Baldr (11).exe
1968	Baldr (11).exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	Baldr (11).exe
Token: SeRestorePrivilege	2296	Wpc.module.exe
Token: 35	2296	Wpc.module.exe
Token: SeSecurityPrivilege	2296	Wpc.module.exe
Token: SeSecurityPrivilege	2296	Wpc.module.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1968	2508	Private_Cheat by pc_Ret v8.exe	30
PID 2508 wrote to memory of 1968	2508	Private_Cheat by pc_Ret v8.exe	30
PID 2508 wrote to memory of 1968	2508	Private_Cheat by pc_Ret v8.exe	30
PID 2508 wrote to memory of 1968	2508	Private_Cheat by pc_Ret v8.exe	30
PID 2508 wrote to memory of 2612	2508	Private_Cheat by pc_Ret v8.exe	31
PID 2508 wrote to memory of 2612	2508	Private_Cheat by pc_Ret v8.exe	31
PID 2508 wrote to memory of 2612	2508	Private_Cheat by pc_Ret v8.exe	31
PID 2508 wrote to memory of 2612	2508	Private_Cheat by pc_Ret v8.exe	31
PID 2612 wrote to memory of 2772	2612	Build.exe	32
PID 2612 wrote to memory of 2772	2612	Build.exe	32
PID 2612 wrote to memory of 2772	2612	Build.exe	32
PID 2612 wrote to memory of 2772	2612	Build.exe	32
PID 2772 wrote to memory of 2296	2772	Wpc.exe	34
PID 2772 wrote to memory of 2296	2772	Wpc.exe	34
PID 2772 wrote to memory of 2296	2772	Wpc.exe	34
PID 2772 wrote to memory of 2296	2772	Wpc.exe	34
PID 1384 wrote to memory of 1108	1384	taskeng.exe	40
PID 1384 wrote to memory of 1108	1384	taskeng.exe	40
PID 1384 wrote to memory of 1108	1384	taskeng.exe	40
PID 1384 wrote to memory of 1108	1384	taskeng.exe	40
PID 1384 wrote to memory of 288	1384	taskeng.exe	41
PID 1384 wrote to memory of 288	1384	taskeng.exe	41
PID 1384 wrote to memory of 288	1384	taskeng.exe	41
PID 1384 wrote to memory of 288	1384	taskeng.exe	41
PID 2772 wrote to memory of 328	2772	Wpc.exe	42
PID 2772 wrote to memory of 328	2772	Wpc.exe	42
PID 2772 wrote to memory of 328	2772	Wpc.exe	42
PID 2772 wrote to memory of 328	2772	Wpc.exe	42

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
328	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Private_Cheat by pc_Ret v8.exe
"C:\Users\Admin\AppData\Local\Temp\Private_Cheat by pc_Ret v8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Roaming\Z1004308289\Baldr (11).exe
  "C:\Users\Admin\AppData\Roaming\Z1004308289\Baldr (11).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Users\Admin\AppData\Roaming\Z1004308289\Build.exe
  "C:\Users\Admin\AppData\Roaming\Z1004308289\Build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe
    C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exe
      C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\ENU_687FE9743E45358E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\*"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:328

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1800

C:\Windows\system32\taskeng.exe
taskeng.exe {646E2AD0-DD4A-4F5B-A93E-55086E1F11C9} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1108
- C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\Information.txt

Filesize
3KB

MD5
7710d553e44f5b9ec06b3854106ac57d

SHA1
988fc89ccd4237ad2361334d3f499fb79e8b8ed0

SHA256
78e0488ad171d671f178eb85afecc0360dd289179e79f6cdb1bcf92007a89647

SHA512
c0883ab0307b532ce1d19a432405fe145ed329c489b390229acf168441b0a99445e9f712bb447f39011c1d9e5cffbb01efe82e522b7b6809ac62de8eeb9a6269

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\Screen.jpg

Filesize
49KB

MD5
cddf0f071ec467ebab80f9eb03159c74

SHA1
46157f661111fb091386910c4f470064dba78d2a

SHA256
917d4be7ccb15a681100dfa7439ff9235f741aeb2bd1cdcfb961ca53b13a5450

SHA512
ce5335085a0b5d4e25819eae78d7053cd7de92b957df444cd9d689cdcf6813d276b4e1a4520e20e613fc3f3575ff789bdb9d3d0977a15abcf720ac437e4e2a07

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exe.6

Filesize
218KB

MD5
e82f9401a1e258f204020186f9a714ec

SHA1
9493e1ecaf8d24dc41df6811b96b459fe046dbdc

SHA256
76eb583552ef509e5c1c2cac4abc8442c0bbd59ce5c78a46c0f3da18158d542e

SHA512
f3514debb1e1f1a5dea4565e236105adbdbe05cbe509e8335ad4f1558b4beffbfbf0c519bcb4530760f5a3c39743ff1935818949c140bb694803a8ad15beddaf

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.sqlite3.module.dll.6

Filesize
359KB

MD5
434da06978e9724ffa6d90b93ef62c75

SHA1
d469ed20d82e8dec3140aec8d52b4d56d975dedc

SHA256
6350e9044f2ac74d8d51793a8b446b944081e533bf2915faf9bc14aaa0c55795

SHA512
391404b4678f296d74d2bc81ae89bb4c423199adc509e69cd573717313ac3078e0f09a90e1dd4e618001608ae5b5aa0f10ae7855d98866179dc05cebfc50053c

Download Submit
\Users\Admin\AppData\Roaming\Z1004308289\Baldr (11).exe

Filesize
321KB

MD5
d24276ac40d35830f2b62afae1eb92a4

SHA1
eef691098d9635be8aa8739a3830aae5be889ef7

SHA256
3675e60b99fbbf818883e12da047223ef7490f08fd52df40867785e4586186e7

SHA512
ede7e171d73d64c20681362420f1662a8871bc6dffec806ced6800e3147f2f2d452be68ef738eebe71fce34d24f6549174cb930c1c7368266d416fd40d8db5aa

Download Submit
\Users\Admin\AppData\Roaming\Z1004308289\Build.exe

Filesize
1.8MB

MD5
e30988e3026df37370cac7ce85faec85

SHA1
7e2f2cecb759372b6e381afbcda9dffc3e475ad9

SHA256
37bc62e63d2cccc8c326ba42dfbc24d0ed2a2ec967eb4b24c1dce9dedbda5d08

SHA512
ae21cee091a3bb2109552508a2f03c46c9c6ea63a2b33c794fce9b6ee3ceae185e9a06ccf6d11894696b231935c5c3c5dfea9aec370b1b4282a5bce58fde1c7b

Download Submit
\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exe

Filesize
218KB

MD5
9c5b4e4fcae7eb410f09c9e46ffb4a6d

SHA1
9d233bbe69676b1064f1deafba8e70a9acc00773

SHA256
0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9

SHA512
59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

Download Submit
\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.sqlite3.module.dll

Filesize
359KB

MD5
a6e1b13b0b624094e6fb3a7bedb70930

SHA1
84b58920afd8e88181c4286fa2438af81f097781

SHA256
3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd

SHA512
26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

Download Submit
memory/1968-41-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-42-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-40-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/1968-39-0x00000000001E0000-0x0000000000226000-memory.dmp

Filesize
280KB

Download
memory/1968-24-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/1968-111-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-105-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2296-109-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2612-45-0x00000000009B0000-0x0000000000B87000-memory.dmp

Filesize
1.8MB

Download
memory/2772-59-0x0000000061E00000-0x0000000061ED1000-memory.dmp

Filesize
836KB

Download
memory/2772-103-0x0000000004410000-0x000000000449E000-memory.dmp

Filesize
568KB

Download
memory/2772-112-0x0000000004410000-0x000000000449E000-memory.dmp

Filesize
568KB

Download