umbral | f13ef71b6d5e9a6872adb20673aa42a6d7cc6ab305bd20bc8fed059a6597f29f

Analysis

max time kernel
193s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
01-03-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a513e62b9e97d52553248d22e37f25f.exe
Size

215KB
MD5

022cd619c82b6c15b502afbfeec6debf
SHA1

cbb40b18c6ee74346efab7ac2a1e69100b6c3e00
SHA256

f13ef71b6d5e9a6872adb20673aa42a6d7cc6ab305bd20bc8fed059a6597f29f
SHA512

01f997451d33002d8502209afd816b7b6e5a3bc964230da351d70c11e0f144390cdf276b850f13815f414f92370bf6cfd89231eb4b9b1a75b4a8b8bb7f307758
SSDEEP

6144:oDAi86jCtMC5q+gXctZ8eGJ8rhNb8Imc:o0T6DCPxeJMx8+

Score

10^/10

umbral xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1211176678466916392/99VOwP9dc7iQz2Is-QlZ872KZaiUa4r3sEvXqZ6NmS-fFuTojiUjOg2SjIUWBCIoPNFA

Extracted

Family

xworm

hai1723rat-60039.portmap.io:60039

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000700000001ac14-18.dat	family_umbral
behavioral3/memory/4624-24-0x0000022F0FE10000-0x0000022F0FE5E000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000600000001ac16-27.dat	family_xworm
behavioral3/memory/200-29-0x0000000000740000-0x0000000000766000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	controllloader.exe

Executes dropped EXE 3 IoCs

pid	Process
5028	explorer.exe
4624	controllloader.exe
200	systemload.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\.NET\\explorer.exe"	5a513e62b9e97d52553248d22e37f25f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	discord.com
12	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
9	ip-api.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\.NET\explorer.exe	5a513e62b9e97d52553248d22e37f25f.exe
File created	C:\Windows\.NET\controllloader.exe	explorer.exe
File created	C:\Windows\.NET\start.cmd	explorer.exe
File created	C:\Windows\.NET\systemload.exe	explorer.exe
File created	C:\Windows\.NET\explorer.exe	5a513e62b9e97d52553248d22e37f25f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2112	wmic.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
4612	5a513e62b9e97d52553248d22e37f25f.exe
5088	powershell.exe
3012	powershell.exe
3012	powershell.exe
3012	powershell.exe
5088	powershell.exe
5088	powershell.exe
1644	powershell.exe
1644	powershell.exe
1644	powershell.exe
4140	powershell.exe
4140	powershell.exe
1868	powershell.exe
1868	powershell.exe
4140	powershell.exe
1868	powershell.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe
200	systemload.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	5a513e62b9e97d52553248d22e37f25f.exe
Token: SeDebugPrivilege	5028	explorer.exe
Token: SeDebugPrivilege	4624	controllloader.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	200	systemload.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeIncreaseQuotaPrivilege	3012	powershell.exe
Token: SeSecurityPrivilege	3012	powershell.exe
Token: SeTakeOwnershipPrivilege	3012	powershell.exe
Token: SeLoadDriverPrivilege	3012	powershell.exe
Token: SeSystemProfilePrivilege	3012	powershell.exe
Token: SeSystemtimePrivilege	3012	powershell.exe
Token: SeProfSingleProcessPrivilege	3012	powershell.exe
Token: SeIncBasePriorityPrivilege	3012	powershell.exe
Token: SeCreatePagefilePrivilege	3012	powershell.exe
Token: SeBackupPrivilege	3012	powershell.exe
Token: SeRestorePrivilege	3012	powershell.exe
Token: SeShutdownPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeSystemEnvironmentPrivilege	3012	powershell.exe
Token: SeRemoteShutdownPrivilege	3012	powershell.exe
Token: SeUndockPrivilege	3012	powershell.exe
Token: SeManageVolumePrivilege	3012	powershell.exe
Token: 33	3012	powershell.exe
Token: 34	3012	powershell.exe
Token: 35	3012	powershell.exe
Token: 36	3012	powershell.exe
Token: SeIncreaseQuotaPrivilege	5088	powershell.exe
Token: SeSecurityPrivilege	5088	powershell.exe
Token: SeTakeOwnershipPrivilege	5088	powershell.exe
Token: SeLoadDriverPrivilege	5088	powershell.exe
Token: SeSystemProfilePrivilege	5088	powershell.exe
Token: SeSystemtimePrivilege	5088	powershell.exe
Token: SeProfSingleProcessPrivilege	5088	powershell.exe
Token: SeIncBasePriorityPrivilege	5088	powershell.exe
Token: SeCreatePagefilePrivilege	5088	powershell.exe
Token: SeBackupPrivilege	5088	powershell.exe
Token: SeRestorePrivilege	5088	powershell.exe
Token: SeShutdownPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeSystemEnvironmentPrivilege	5088	powershell.exe
Token: SeRemoteShutdownPrivilege	5088	powershell.exe
Token: SeUndockPrivilege	5088	powershell.exe
Token: SeManageVolumePrivilege	5088	powershell.exe
Token: 33	5088	powershell.exe
Token: 34	5088	powershell.exe
Token: 35	5088	powershell.exe
Token: 36	5088	powershell.exe
Token: SeIncreaseQuotaPrivilege	1644	powershell.exe
Token: SeSecurityPrivilege	1644	powershell.exe
Token: SeTakeOwnershipPrivilege	1644	powershell.exe
Token: SeLoadDriverPrivilege	1644	powershell.exe
Token: SeSystemProfilePrivilege	1644	powershell.exe
Token: SeSystemtimePrivilege	1644	powershell.exe
Token: SeProfSingleProcessPrivilege	1644	powershell.exe
Token: SeIncBasePriorityPrivilege	1644	powershell.exe
Token: SeCreatePagefilePrivilege	1644	powershell.exe
Token: SeBackupPrivilege	1644	powershell.exe
Token: SeRestorePrivilege	1644	powershell.exe
Token: SeShutdownPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeSystemEnvironmentPrivilege	1644	powershell.exe
Token: SeRemoteShutdownPrivilege	1644	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
200	systemload.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 5028	4612	5a513e62b9e97d52553248d22e37f25f.exe	74
PID 4612 wrote to memory of 5028	4612	5a513e62b9e97d52553248d22e37f25f.exe	74
PID 5028 wrote to memory of 4624	5028	explorer.exe	75
PID 5028 wrote to memory of 4624	5028	explorer.exe	75
PID 5028 wrote to memory of 4644	5028	explorer.exe	76
PID 5028 wrote to memory of 4644	5028	explorer.exe	76
PID 5028 wrote to memory of 200	5028	explorer.exe	78
PID 5028 wrote to memory of 200	5028	explorer.exe	78
PID 4644 wrote to memory of 5088	4644	cmd.exe	79
PID 4644 wrote to memory of 5088	4644	cmd.exe	79
PID 4624 wrote to memory of 3012	4624	controllloader.exe	80
PID 4624 wrote to memory of 3012	4624	controllloader.exe	80
PID 200 wrote to memory of 1644	200	systemload.exe	82
PID 200 wrote to memory of 1644	200	systemload.exe	82
PID 4624 wrote to memory of 4140	4624	controllloader.exe	85
PID 4624 wrote to memory of 4140	4624	controllloader.exe	85
PID 200 wrote to memory of 1868	200	systemload.exe	87
PID 200 wrote to memory of 1868	200	systemload.exe	87
PID 4624 wrote to memory of 3364	4624	controllloader.exe	89
PID 4624 wrote to memory of 3364	4624	controllloader.exe	89
PID 4624 wrote to memory of 3096	4624	controllloader.exe	91
PID 4624 wrote to memory of 3096	4624	controllloader.exe	91
PID 4624 wrote to memory of 4724	4624	controllloader.exe	93
PID 4624 wrote to memory of 4724	4624	controllloader.exe	93
PID 4624 wrote to memory of 4256	4624	controllloader.exe	95
PID 4624 wrote to memory of 4256	4624	controllloader.exe	95
PID 4624 wrote to memory of 5100	4624	controllloader.exe	97
PID 4624 wrote to memory of 5100	4624	controllloader.exe	97
PID 4624 wrote to memory of 3560	4624	controllloader.exe	99
PID 4624 wrote to memory of 3560	4624	controllloader.exe	99
PID 4624 wrote to memory of 2112	4624	controllloader.exe	101
PID 4624 wrote to memory of 2112	4624	controllloader.exe	101

C:\Users\Admin\AppData\Local\Temp\5a513e62b9e97d52553248d22e37f25f.exe
"C:\Users\Admin\AppData\Local\Temp\5a513e62b9e97d52553248d22e37f25f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\.NET\explorer.exe
  "C:\Windows\.NET\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\.NET\controllloader.exe
    "C:\Windows\.NET\controllloader.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\.NET\controllloader.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3096
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:4724
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4256
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:5100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3560
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\.NET\start.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows\.NET\'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5088
- - C:\Windows\.NET\systemload.exe
    "C:\Windows\.NET\systemload.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\.NET\systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8f261b1c5adc7623f88a3e23d47a0583

SHA1
f172a898340e07d089b5bb46826ebae9ba3ecaab

SHA256
9873533988ef0106c04d44d126df73405b63c6ed9f980b291a09f0ed8e5554ee

SHA512
e6c4c3afc0d96962ea94da3fba492953404475c37e1fa3b5c1254b96910749ef3dce263fc8607d2fc95e33d1c25a4b200474c52a4ab10bfc48f1612e3b55e0d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9c4e0d4c901ea1b8650496ed58aed01

SHA1
320bb612b7b7b3d6a22b9d607b8b51a9d0aeb378

SHA256
67188eb107be471434df2ec1da7c7a0d729e552acff923a5ea216a623a747e92

SHA512
06ccf348a77cb7f0401059eba0a3c4160ffd848048545118601046a683a1fdc32096edbff6ef4700955cb5ba11932dc7663387e5384d81664cf2f047823e1805

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9386778e28bdcacf968d717a625e97ad

SHA1
0cea93762d44c3d826a8620f68685f4157ad08b9

SHA256
9542784ebec2f783ad25c0c8ab12c4548093dfcf3ddd4ed31568166fd02c48c9

SHA512
a0398a855f2e68dfddac57e276b9ba1de391fb84654b5b35c2842bfa7b914c2044f889ba2531444fa59ba8e912b5fd5fdc7659eb0595ba53ac4b20ab571309a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d843aacbacd903c9ef5b66c674233297

SHA1
b98681493de7a0a31ad2cbd73c04de248c6ea490

SHA256
2eac7cf5a476687f371b2140b62081497b98a9b47d5a5c42c9a88d929b7cd211

SHA512
a2896190416857f6fc4251bab82ff48e64d6babe762eb7df5abda7496be0c2921b66a48b7ff29358a6ce147ecd045b681a0e98a7f5f9011837bafefcb6bfaca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9032a276d3e89e4ea27fe20ee8e5ccd

SHA1
5b0023a61cce892d9a62d8e1cf2212f0b96e8cb2

SHA256
d0a41ea66f182498bcd3f20cd95ad20ce9e36498fdbf5f3a3570bc71494fde81

SHA512
faf0252aa6e92eb3ae16b8266351f57aa03252e37b9c826f94ed52852f413973486dbf25ef24686acbcc3aaaafb056ab76bb2cd380d9e27d66f4aac0246c76e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9229a1c4cde0efd05b10ed78edb5c120

SHA1
fe39adc93541efc070316c6d358e40de8229ba2f

SHA256
8af6c2b59340c228c24e091dd78e9faad9ec7cc8d83f040f9569df6063f55a67

SHA512
1803b775842ea9b8e52587f416d7d64d7fc546bb8aaa82b400747b6aa0fa6cb20d9fa86f12d323322d248e8c76efaec529548ea3b60676768b35d49bbfe9d642

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4grzgl1h.gmc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\.NET\controllloader.exe

Filesize
286KB

MD5
e41a0fa0c1e39af92d22090d4df61a1f

SHA1
c971a4089b1ab116c34b5ab0dc54d9977f86e834

SHA256
c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

SHA512
d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

Download Submit
C:\Windows\.NET\explorer.exe

Filesize
245KB

MD5
6e582594dff7429cd41f7cd46fba7970

SHA1
d91416e8a80c3ba9db036218921a976bab5e651b

SHA256
0bb6471d08e761a6ba31f6b9bc54f1b039dc15dd17faa1e7c996baebd08eb33c

SHA512
64ed27a592c4f0aca400e4a61c571326882a24c044afe0303c2a090e5f5d38a7fa97ff9fbdf85b0a0a657e96991818692688c1179a38c2903c562fc2a179115b

Download Submit
C:\Windows\.NET\start.cmd

Filesize
93B

MD5
f960abd9684a879e8eca03b8c864ea96

SHA1
fb4b9a9b40af84ae46b70bb40ac3e1f45e4b4ad3

SHA256
7389178da21f4e2d4ef73ab199b7beeb97247a6c1afec3f3c48a7f561cbfaf90

SHA512
2c6267ab25c364c5b13059ed593bb47dfae586ae7b1411634efa3f45aaf07b4d8f491fe93bfd34482a1250c955f1e8c27e1afa0460672a5e9584ebe007ab2054

Download Submit
C:\Windows\.NET\systemload.exe

Filesize
130KB

MD5
352a162df9ca5605e1a1910c7a24cb7c

SHA1
4b4ed1c740a03c15eb47d875b65c76941debcaf7

SHA256
87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

SHA512
0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

Download Submit
memory/200-33-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/200-176-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/200-29-0x0000000000740000-0x0000000000766000-memory.dmp

Filesize
152KB

Download
memory/200-300-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

Filesize
64KB

Download
memory/1644-142-0x000001A94A0B0000-0x000001A94A0C0000-memory.dmp

Filesize
64KB

Download
memory/1644-179-0x000001A94A0B0000-0x000001A94A0C0000-memory.dmp

Filesize
64KB

Download
memory/1644-188-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-90-0x000001A94A0B0000-0x000001A94A0C0000-memory.dmp

Filesize
64KB

Download
memory/1644-87-0x000001A94A0B0000-0x000001A94A0C0000-memory.dmp

Filesize
64KB

Download
memory/1644-83-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/1868-202-0x000002414E9D0000-0x000002414E9E0000-memory.dmp

Filesize
64KB

Download
memory/1868-239-0x000002414E9D0000-0x000002414E9E0000-memory.dmp

Filesize
64KB

Download
memory/1868-201-0x000002414E9D0000-0x000002414E9E0000-memory.dmp

Filesize
64KB

Download
memory/1868-274-0x000002414E9D0000-0x000002414E9E0000-memory.dmp

Filesize
64KB

Download
memory/1868-197-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/1868-289-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/3012-168-0x000001EFCAD80000-0x000001EFCAD90000-memory.dmp

Filesize
64KB

Download
memory/3012-46-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/3012-76-0x000001EFCAD80000-0x000001EFCAD90000-memory.dmp

Filesize
64KB

Download
memory/3012-49-0x000001EFCAD80000-0x000001EFCAD90000-memory.dmp

Filesize
64KB

Download
memory/3012-187-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/3012-48-0x000001EFCAD80000-0x000001EFCAD90000-memory.dmp

Filesize
64KB

Download
memory/3012-52-0x000001EFCAF70000-0x000001EFCAFE6000-memory.dmp

Filesize
472KB

Download
memory/3096-316-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/3096-349-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/3096-317-0x00000197D3A80000-0x00000197D3A90000-memory.dmp

Filesize
64KB

Download
memory/3096-346-0x00000197D3A80000-0x00000197D3A90000-memory.dmp

Filesize
64KB

Download
memory/3096-319-0x00000197D3A80000-0x00000197D3A90000-memory.dmp

Filesize
64KB

Download
memory/3096-345-0x00000197D3A80000-0x00000197D3A90000-memory.dmp

Filesize
64KB

Download
memory/3364-307-0x0000023333F10000-0x0000023333F20000-memory.dmp

Filesize
64KB

Download
memory/3364-272-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/3364-280-0x0000023333F10000-0x0000023333F20000-memory.dmp

Filesize
64KB

Download
memory/3364-281-0x0000023333F10000-0x0000023333F20000-memory.dmp

Filesize
64KB

Download
memory/3364-312-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/3364-308-0x0000023333F10000-0x0000023333F20000-memory.dmp

Filesize
64KB

Download
memory/4140-263-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/4140-246-0x000001A15E640000-0x000001A15E650000-memory.dmp

Filesize
64KB

Download
memory/4140-191-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/4140-198-0x000001A15E640000-0x000001A15E650000-memory.dmp

Filesize
64KB

Download
memory/4140-199-0x000001A15E640000-0x000001A15E650000-memory.dmp

Filesize
64KB

Download
memory/4612-12-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/4612-2-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/4612-1-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/4612-0-0x00000000000E0000-0x000000000011C000-memory.dmp

Filesize
240KB

Download
memory/4624-31-0x0000022F2A370000-0x0000022F2A380000-memory.dmp

Filesize
64KB

Download
memory/4624-24-0x0000022F0FE10000-0x0000022F0FE5E000-memory.dmp

Filesize
312KB

Download
memory/4624-167-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/4624-30-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/4624-267-0x0000022F2A4C0000-0x0000022F2A4DE000-memory.dmp

Filesize
120KB

Download
memory/4624-266-0x0000022F2A590000-0x0000022F2A5E0000-memory.dmp

Filesize
320KB

Download
memory/4624-351-0x0000022F2A490000-0x0000022F2A49A000-memory.dmp

Filesize
40KB

Download
memory/4624-169-0x0000022F2A370000-0x0000022F2A380000-memory.dmp

Filesize
64KB

Download
memory/5028-11-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/5028-32-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/5028-10-0x0000000000AD0000-0x0000000000B12000-memory.dmp

Filesize
264KB

Download
memory/5028-13-0x000000001BD40000-0x000000001BD50000-memory.dmp

Filesize
64KB

Download
memory/5088-42-0x0000014AB6380000-0x0000014AB6390000-memory.dmp

Filesize
64KB

Download
memory/5088-178-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download
memory/5088-177-0x0000014AB6380000-0x0000014AB6390000-memory.dmp

Filesize
64KB

Download
memory/5088-170-0x0000014AB6380000-0x0000014AB6390000-memory.dmp

Filesize
64KB

Download
memory/5088-97-0x0000014AB6380000-0x0000014AB6390000-memory.dmp

Filesize
64KB

Download
memory/5088-45-0x0000014AB6440000-0x0000014AB6462000-memory.dmp

Filesize
136KB

Download
memory/5088-40-0x0000014AB6380000-0x0000014AB6390000-memory.dmp

Filesize
64KB

Download
memory/5088-39-0x00007FFA909F0000-0x00007FFA913DC000-memory.dmp

Filesize
9.9MB

Download