umbral | 2fad8bf4e40ac2f1b7da870bb8e4c228bec5c52a875aadf347e71a9cba30d6bc

Analysis

max time kernel
146s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/02/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files To Use.exe
Size

493KB
MD5

d110ec96448664160f10da4abd78152f
SHA1

128cdfec7390922d3c643717149f81f4af277cd1
SHA256

2fad8bf4e40ac2f1b7da870bb8e4c228bec5c52a875aadf347e71a9cba30d6bc
SHA512

e99ca079cb44b89e331693c975438f88efda629d7fd898535c511078ca82e07be3faa71bcf31e0657f428556990860f0879d76e23c89f4d9be91f8655cb0734f
SSDEEP

12288:PBdlwHRn+WlYV+9VeD09yIzj8ftZJIF+dHO:PBkVdlYATeDOyuj8VwFUHO

Score

10^/10

umbral xworm persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.1

fhfgthfghfg-34660.portmap.host:34660

Attributes

Install_directory
%Userprofile%
install_file
Runtime Broker.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1204944287041847307/aoa_S28cr8V4g11xswAZC9SdvRJS8ygczDK-GfItmMFXCcL2edroJI5lraSE-OISlf6d

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000163d4-36.dat	family_umbral
behavioral1/files/0x00070000000163d4-37.dat	family_umbral
behavioral1/memory/2568-38-0x00000000012B0000-0x00000000012F0000-memory.dmp	family_umbral

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016131-20.dat	family_xworm
behavioral1/memory/2808-39-0x0000000000BD0000-0x0000000000BE8000-memory.dmp	family_xworm
behavioral1/memory/1944-109-0x0000000000380000-0x0000000000398000-memory.dmp	family_xworm
behavioral1/memory/2428-114-0x0000000000A80000-0x0000000000A98000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 6 IoCs

pid	Process
2660	idk.exe
2808	XClient.exe
2888	Umbral.exe
2568	Umbral.exe
1944	XClient.exe
2428	XClient.exe

Loads dropped DLL 6 IoCs

pid	Process
2016	Files To Use.exe
2016	Files To Use.exe
2016	Files To Use.exe
2016	Files To Use.exe
2016	Files To Use.exe
2016	Files To Use.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\XClient.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\XClient.exe	idk.exe
File created	C:\Windows\Umbral.exe	Umbral.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2772	powershell.exe
2724	powershell.exe
2416	powershell.exe
1296	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2808	XClient.exe
Token: SeDebugPrivilege	2568	Umbral.exe
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe
Token: SeSecurityPrivilege	1640	wmic.exe
Token: SeTakeOwnershipPrivilege	1640	wmic.exe
Token: SeLoadDriverPrivilege	1640	wmic.exe
Token: SeSystemProfilePrivilege	1640	wmic.exe
Token: SeSystemtimePrivilege	1640	wmic.exe
Token: SeProfSingleProcessPrivilege	1640	wmic.exe
Token: SeIncBasePriorityPrivilege	1640	wmic.exe
Token: SeCreatePagefilePrivilege	1640	wmic.exe
Token: SeBackupPrivilege	1640	wmic.exe
Token: SeRestorePrivilege	1640	wmic.exe
Token: SeShutdownPrivilege	1640	wmic.exe
Token: SeDebugPrivilege	1640	wmic.exe
Token: SeSystemEnvironmentPrivilege	1640	wmic.exe
Token: SeRemoteShutdownPrivilege	1640	wmic.exe
Token: SeUndockPrivilege	1640	wmic.exe
Token: SeManageVolumePrivilege	1640	wmic.exe
Token: 33	1640	wmic.exe
Token: 34	1640	wmic.exe
Token: 35	1640	wmic.exe
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe
Token: SeSecurityPrivilege	1640	wmic.exe
Token: SeTakeOwnershipPrivilege	1640	wmic.exe
Token: SeLoadDriverPrivilege	1640	wmic.exe
Token: SeSystemProfilePrivilege	1640	wmic.exe
Token: SeSystemtimePrivilege	1640	wmic.exe
Token: SeProfSingleProcessPrivilege	1640	wmic.exe
Token: SeIncBasePriorityPrivilege	1640	wmic.exe
Token: SeCreatePagefilePrivilege	1640	wmic.exe
Token: SeBackupPrivilege	1640	wmic.exe
Token: SeRestorePrivilege	1640	wmic.exe
Token: SeShutdownPrivilege	1640	wmic.exe
Token: SeDebugPrivilege	1640	wmic.exe
Token: SeSystemEnvironmentPrivilege	1640	wmic.exe
Token: SeRemoteShutdownPrivilege	1640	wmic.exe
Token: SeUndockPrivilege	1640	wmic.exe
Token: SeManageVolumePrivilege	1640	wmic.exe
Token: 33	1640	wmic.exe
Token: 34	1640	wmic.exe
Token: 35	1640	wmic.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2808	XClient.exe
Token: SeDebugPrivilege	1944	XClient.exe
Token: SeDebugPrivilege	2428	XClient.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2660	2016	Files To Use.exe	28
PID 2016 wrote to memory of 2660	2016	Files To Use.exe	28
PID 2016 wrote to memory of 2660	2016	Files To Use.exe	28
PID 2016 wrote to memory of 2660	2016	Files To Use.exe	28
PID 2660 wrote to memory of 2772	2660	idk.exe	35
PID 2660 wrote to memory of 2772	2660	idk.exe	35
PID 2660 wrote to memory of 2772	2660	idk.exe	35
PID 2660 wrote to memory of 2772	2660	idk.exe	35
PID 2660 wrote to memory of 2808	2660	idk.exe	33
PID 2660 wrote to memory of 2808	2660	idk.exe	33
PID 2660 wrote to memory of 2808	2660	idk.exe	33
PID 2660 wrote to memory of 2808	2660	idk.exe	33
PID 2016 wrote to memory of 2888	2016	Files To Use.exe	32
PID 2016 wrote to memory of 2888	2016	Files To Use.exe	32
PID 2016 wrote to memory of 2888	2016	Files To Use.exe	32
PID 2016 wrote to memory of 2888	2016	Files To Use.exe	32
PID 2888 wrote to memory of 2724	2888	Umbral.exe	31
PID 2888 wrote to memory of 2724	2888	Umbral.exe	31
PID 2888 wrote to memory of 2724	2888	Umbral.exe	31
PID 2888 wrote to memory of 2724	2888	Umbral.exe	31
PID 2888 wrote to memory of 2568	2888	Umbral.exe	30
PID 2888 wrote to memory of 2568	2888	Umbral.exe	30
PID 2888 wrote to memory of 2568	2888	Umbral.exe	30
PID 2888 wrote to memory of 2568	2888	Umbral.exe	30
PID 2568 wrote to memory of 1640	2568	Umbral.exe	38
PID 2568 wrote to memory of 1640	2568	Umbral.exe	38
PID 2568 wrote to memory of 1640	2568	Umbral.exe	38
PID 2808 wrote to memory of 2416	2808	XClient.exe	40
PID 2808 wrote to memory of 2416	2808	XClient.exe	40
PID 2808 wrote to memory of 2416	2808	XClient.exe	40
PID 2808 wrote to memory of 1296	2808	XClient.exe	42
PID 2808 wrote to memory of 1296	2808	XClient.exe	42
PID 2808 wrote to memory of 1296	2808	XClient.exe	42
PID 2808 wrote to memory of 2736	2808	XClient.exe	44
PID 2808 wrote to memory of 2736	2808	XClient.exe	44
PID 2808 wrote to memory of 2736	2808	XClient.exe	44
PID 2808 wrote to memory of 696	2808	XClient.exe	46
PID 2808 wrote to memory of 696	2808	XClient.exe	46
PID 2808 wrote to memory of 696	2808	XClient.exe	46
PID 2944 wrote to memory of 1944	2944	taskeng.exe	48
PID 2944 wrote to memory of 1944	2944	taskeng.exe	48
PID 2944 wrote to memory of 1944	2944	taskeng.exe	48
PID 2944 wrote to memory of 2428	2944	taskeng.exe	51
PID 2944 wrote to memory of 2428	2944	taskeng.exe	51
PID 2944 wrote to memory of 2428	2944	taskeng.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Files To Use.exe
"C:\Users\Admin\AppData\Local\Temp\Files To Use.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\idk.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\idk.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\XClient.exe
    "C:\Windows\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\XClient.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\XClient.exe"
      4⤵
      Creates scheduled task(s)
      PID:696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAeABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAYwBlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdQBrACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2888

C:\Windows\Umbral.exe
"C:\Windows\Umbral.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAaAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAZgB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AagB3ACMAPgA="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\taskeng.exe
taskeng.exe {37C4288D-38D2-4AD8-91C9-0F8B46A9859E} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\XClient.exe
  C:\Users\Admin\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Users\Admin\XClient.exe
  C:\Users\Admin\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
154KB

MD5
c0dcbe72b03d07c8dc99e98a1f7027f3

SHA1
e9f4d3490820dcc2a31211078418464f0522825c

SHA256
d603c0ae2621a2b019f81bc6b69562715dc3762410f54833a27bb8534ab11f17

SHA512
d3e9478f4c7cd7cd7c81cccb552c0d3219ffb496203b3d5ce155601be70671cb2f4095375fae73649db076f74dcb9459970ce087820d65c419996820743d6cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4dc63422e7e037dbf92fbc9acc29ae10

SHA1
0efa6479efbadc1e61cb14d56a85bee28ccaa294

SHA256
10b6051133ea8732b17498583c78b44440061d679f2858b0352b07e1a16f340d

SHA512
fc5260b53dec3374035085090609ec07c18b3fbcf56ab19d94f6d161460650988d4e1c0551b6ce956dcc4e895daa28df1b0b1199948d004d71bb3afa0687f811

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ebd0dac9a4649bcb3e1357d1db53358d

SHA1
80c5e5d294897a18222816eb2f04409e73e01b34

SHA256
ccc703ba010caed2b3a1bc1db548dc48b2107ae576db26b96605330d87aa9048

SHA512
4f992ba5fad6f195107b3d66c56b71614df773e5805c7eede61984bd95f9cc17a500f915606d658be87e398cb06c0b30a07ba89a250d76bc0072e39ef55309fa

Download Submit
C:\Windows\Umbral.exe

Filesize
232KB

MD5
2483d9350df5eedfbf7de1d5f5b5ed4f

SHA1
724476e281551b918aa913eef34b3cc78b3b0fba

SHA256
d9d1f6f62443d226c14762e891663a56d20257512a56b3b139d6b8b151333902

SHA512
decfaddad857c5b540bbce3b732eee4b2d14e05fca44bf06204d83cd59d5dc370e8186ac858ab6a2e9b6592fa0114e96f5fc939d33643bceb0e3042290cbc588

Download Submit
C:\Windows\Umbral.exe

Filesize
139KB

MD5
eeb1e0c9689813f31b9343718129d941

SHA1
db8a235940c1f19428fa189426a8101b09b71acd

SHA256
c74b72024ec217e1a9402d9cbe89cd70953822dde297222cfb5f053cd9569f97

SHA512
cccd9a67bf7a6f4bdb26ac54bd880c778dd74f503e4f340cb10fed5497c2fa3c0dd42c5374bd70d95ca6d5969bf11c2ada2c5b9aaafb632c9725120a1baa62bd

Download Submit
C:\Windows\XClient.exe

Filesize
74KB

MD5
a15a8f6157c41ab4fa9ee326f3d97f50

SHA1
e6b3b8c5545203d417028cf0bc3d6ac52019ab03

SHA256
90762c84491981a3732f8a7953148ad833a13bc029b641483476089ac0b4bd7f

SHA512
86b190956b936be0540e725bcfe3623ed00c63ea9ef5317e571e5b85681a830c3f42e4b9251840818cd66241471c5d3a40137d9d1da969495ee873d16207e2c6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
239KB

MD5
63a373c7a48ef4b85579d498388bacca

SHA1
c8b2f34ad29df1b4f7319ed62c718d9195cc2a1a

SHA256
bd4ace88c87bfae2a0be0943f2d7cbc7abe9f940fb426d07e46001d9f614d6d7

SHA512
a9be9b671a8305c0d63e2467643ce5dd0d65b34e834ea78155fdf80745e8da85c5587813176c1f559f9e180a46a595dfbf8de029e8f0ff3cad77fae95f461dcf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe

Filesize
223KB

MD5
c1178639cb668a9498b72092a75c5618

SHA1
81f97024e38c076b8dbd85ddedaa3759ac97edcd

SHA256
90c6335e8ed13fe22db2e3a8cc8b4697fb0df87d94d5d4deb437e78306a8318b

SHA512
708edd2d60cd11341e80365d326ff34748bd6fda9581ae65d24bf60340a8e4eef70befc0d5333057e2583c5cc6a26cdad646598309822dc8964cf9ddb8e927c7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\idk.exe

Filesize
79KB

MD5
824955d7d5e92b99feee38b38315e3d6

SHA1
2afc235f7c0efc4148ff1b374104d694559ea5f6

SHA256
7aa0041265c558f803a761a2a0acb80979751546520cd89586c1c069e79741eb

SHA512
dd5ad749e5fdc63ecbf6530926f37452129b79a61e1266d0a7e10c1d4b883f461c39f282e2815f1f078fa233acc132d797469caae85f73807db196f3f9c0a94e

Download Submit
memory/1296-81-0x000007FEECCD0000-0x000007FEED66D000-memory.dmp

Filesize
9.6MB

Download
memory/1296-85-0x000007FEECCD0000-0x000007FEED66D000-memory.dmp

Filesize
9.6MB

Download
memory/1296-82-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/1296-83-0x0000000002CA4000-0x0000000002CA7000-memory.dmp

Filesize
12KB

Download
memory/1296-84-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/1296-78-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/1296-80-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/1296-79-0x000007FEECCD0000-0x000007FEED66D000-memory.dmp

Filesize
9.6MB

Download
memory/1296-77-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1944-110-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-109-0x0000000000380000-0x0000000000398000-memory.dmp

Filesize
96KB

Download
memory/1944-111-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-69-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2416-65-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2416-64-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2416-67-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2416-66-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-71-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-70-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2416-68-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-116-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2428-115-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2428-114-0x0000000000A80000-0x0000000000A98000-memory.dmp

Filesize
96KB

Download
memory/2568-59-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-55-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/2568-54-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-38-0x00000000012B0000-0x00000000012F0000-memory.dmp

Filesize
256KB

Download
memory/2724-56-0x0000000072FF0000-0x000000007359B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-49-0x0000000072FF0000-0x000000007359B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-53-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2724-52-0x0000000072FF0000-0x000000007359B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-92-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-94-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2736-93-0x000000000298B000-0x00000000029F2000-memory.dmp

Filesize
412KB

Download
memory/2736-96-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/2736-95-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-51-0x0000000072FF0000-0x000000007359B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-48-0x0000000072FF0000-0x000000007359B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-57-0x0000000072FF0000-0x000000007359B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-50-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/2808-105-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/2808-39-0x0000000000BD0000-0x0000000000BE8000-memory.dmp

Filesize
96KB

Download
memory/2808-47-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-91-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-58-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download