umbral | b9395c6223dd34cdd95dd5c298eb609a806b12f2f2bcf9b0932b47ab564ee591

Analysis

max time kernel
1566s
max time network
1574s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanCrack.rar
Size

183KB
MD5

d3ad8d4ecbadea0a2ba6a92e91ed2d2b
SHA1

977368283f90605be222c310d6880fab8478ad7a
SHA256

b9395c6223dd34cdd95dd5c298eb609a806b12f2f2bcf9b0932b47ab564ee591
SHA512

1bd24793905cfd2bad5c2640e1b2f99bc4e7424cb7f6c17a42f69ec3bc04e1aed667d70d94ea4b1b616d3742023742dac60c3714f421402aeecba75ad09e3ba1
SSDEEP

3072:ngYU/sh31YoZfxYguGUb+MTezWxURWy0i9WQcM2ojNZbO/9GM69LOAalm2tJM:gWzuvG++geKQWyZ9okLO/956djalvM

Score

10^/10

umbral xworm rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1218605453374914620/OdDYjKWd2x_sgrT_0JmzryiFvoGTz03pvb7F84neOCAte6YtS3TcUiq7-D1K38B9s0T8

Extracted

Family

xworm

18.ip.gl.ply.gg:54823

Attributes

Install_directory
%Temp%
install_file
svhost.exe

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral1/files/0x002e0000000161a3-39.dat	family_umbral
behavioral1/memory/1112-51-0x0000000001330000-0x0000000001370000-memory.dmp	family_umbral
behavioral1/memory/1112-54-0x0000000000A30000-0x0000000000AB0000-memory.dmp	family_umbral
behavioral1/memory/1112-93-0x0000000000A30000-0x0000000000AB0000-memory.dmp	family_umbral

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x002e000000016285-48.dat	family_xworm
behavioral1/memory/2468-50-0x0000000000380000-0x0000000000396000-memory.dmp	family_xworm
behavioral1/memory/1112-54-0x0000000000A30000-0x0000000000AB0000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NursultanStart.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	start.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	start.exe

Executes dropped EXE 3 IoCs

pid	Process
2868	start.exe
1112	NursultanStart.exe
2468	start.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	start.exe
2868	start.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2464	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3012	wmic.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2980	7zFM.exe
676	powershell.exe
1600	powershell.exe
2188	powershell.exe
1040	powershell.exe
940	powershell.exe
2980	7zFM.exe
2980	7zFM.exe
2980	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2980	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2980	7zFM.exe
Token: 35	2980	7zFM.exe
Token: SeSecurityPrivilege	2980	7zFM.exe
Token: SeDebugPrivilege	2468	start.exe
Token: SeDebugPrivilege	1112	NursultanStart.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeIncreaseQuotaPrivilege	1220	wmic.exe
Token: SeSecurityPrivilege	1220	wmic.exe
Token: SeTakeOwnershipPrivilege	1220	wmic.exe
Token: SeLoadDriverPrivilege	1220	wmic.exe
Token: SeSystemProfilePrivilege	1220	wmic.exe
Token: SeSystemtimePrivilege	1220	wmic.exe
Token: SeProfSingleProcessPrivilege	1220	wmic.exe
Token: SeIncBasePriorityPrivilege	1220	wmic.exe
Token: SeCreatePagefilePrivilege	1220	wmic.exe
Token: SeBackupPrivilege	1220	wmic.exe
Token: SeRestorePrivilege	1220	wmic.exe
Token: SeShutdownPrivilege	1220	wmic.exe
Token: SeDebugPrivilege	1220	wmic.exe
Token: SeSystemEnvironmentPrivilege	1220	wmic.exe
Token: SeRemoteShutdownPrivilege	1220	wmic.exe
Token: SeUndockPrivilege	1220	wmic.exe
Token: SeManageVolumePrivilege	1220	wmic.exe
Token: 33	1220	wmic.exe
Token: 34	1220	wmic.exe
Token: 35	1220	wmic.exe
Token: SeIncreaseQuotaPrivilege	1220	wmic.exe
Token: SeSecurityPrivilege	1220	wmic.exe
Token: SeTakeOwnershipPrivilege	1220	wmic.exe
Token: SeLoadDriverPrivilege	1220	wmic.exe
Token: SeSystemProfilePrivilege	1220	wmic.exe
Token: SeSystemtimePrivilege	1220	wmic.exe
Token: SeProfSingleProcessPrivilege	1220	wmic.exe
Token: SeIncBasePriorityPrivilege	1220	wmic.exe
Token: SeCreatePagefilePrivilege	1220	wmic.exe
Token: SeBackupPrivilege	1220	wmic.exe
Token: SeRestorePrivilege	1220	wmic.exe
Token: SeShutdownPrivilege	1220	wmic.exe
Token: SeDebugPrivilege	1220	wmic.exe
Token: SeSystemEnvironmentPrivilege	1220	wmic.exe
Token: SeRemoteShutdownPrivilege	1220	wmic.exe
Token: SeUndockPrivilege	1220	wmic.exe
Token: SeManageVolumePrivilege	1220	wmic.exe
Token: 33	1220	wmic.exe
Token: 34	1220	wmic.exe
Token: 35	1220	wmic.exe
Token: SeIncreaseQuotaPrivilege	1084	wmic.exe
Token: SeSecurityPrivilege	1084	wmic.exe
Token: SeTakeOwnershipPrivilege	1084	wmic.exe
Token: SeLoadDriverPrivilege	1084	wmic.exe
Token: SeSystemProfilePrivilege	1084	wmic.exe
Token: SeSystemtimePrivilege	1084	wmic.exe
Token: SeProfSingleProcessPrivilege	1084	wmic.exe
Token: SeIncBasePriorityPrivilege	1084	wmic.exe
Token: SeCreatePagefilePrivilege	1084	wmic.exe
Token: SeBackupPrivilege	1084	wmic.exe
Token: SeRestorePrivilege	1084	wmic.exe
Token: SeShutdownPrivilege	1084	wmic.exe
Token: SeDebugPrivilege	1084	wmic.exe
Token: SeSystemEnvironmentPrivilege	1084	wmic.exe
Token: SeRemoteShutdownPrivilege	1084	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2980	7zFM.exe
2980	7zFM.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2980	2056	cmd.exe	29
PID 2056 wrote to memory of 2980	2056	cmd.exe	29
PID 2056 wrote to memory of 2980	2056	cmd.exe	29
PID 2980 wrote to memory of 2868	2980	7zFM.exe	30
PID 2980 wrote to memory of 2868	2980	7zFM.exe	30
PID 2980 wrote to memory of 2868	2980	7zFM.exe	30
PID 2980 wrote to memory of 2868	2980	7zFM.exe	30
PID 2868 wrote to memory of 1112	2868	start.exe	31
PID 2868 wrote to memory of 1112	2868	start.exe	31
PID 2868 wrote to memory of 1112	2868	start.exe	31
PID 2868 wrote to memory of 1112	2868	start.exe	31
PID 2868 wrote to memory of 2468	2868	start.exe	32
PID 2868 wrote to memory of 2468	2868	start.exe	32
PID 2868 wrote to memory of 2468	2868	start.exe	32
PID 2868 wrote to memory of 2468	2868	start.exe	32
PID 1112 wrote to memory of 676	1112	NursultanStart.exe	33
PID 1112 wrote to memory of 676	1112	NursultanStart.exe	33
PID 1112 wrote to memory of 676	1112	NursultanStart.exe	33
PID 1112 wrote to memory of 1600	1112	NursultanStart.exe	35
PID 1112 wrote to memory of 1600	1112	NursultanStart.exe	35
PID 1112 wrote to memory of 1600	1112	NursultanStart.exe	35
PID 1112 wrote to memory of 2188	1112	NursultanStart.exe	38
PID 1112 wrote to memory of 2188	1112	NursultanStart.exe	38
PID 1112 wrote to memory of 2188	1112	NursultanStart.exe	38
PID 1112 wrote to memory of 1040	1112	NursultanStart.exe	40
PID 1112 wrote to memory of 1040	1112	NursultanStart.exe	40
PID 1112 wrote to memory of 1040	1112	NursultanStart.exe	40
PID 1112 wrote to memory of 1220	1112	NursultanStart.exe	44
PID 1112 wrote to memory of 1220	1112	NursultanStart.exe	44
PID 1112 wrote to memory of 1220	1112	NursultanStart.exe	44
PID 1112 wrote to memory of 1084	1112	NursultanStart.exe	46
PID 1112 wrote to memory of 1084	1112	NursultanStart.exe	46
PID 1112 wrote to memory of 1084	1112	NursultanStart.exe	46
PID 1112 wrote to memory of 900	1112	NursultanStart.exe	48
PID 1112 wrote to memory of 900	1112	NursultanStart.exe	48
PID 1112 wrote to memory of 900	1112	NursultanStart.exe	48
PID 1112 wrote to memory of 940	1112	NursultanStart.exe	50
PID 1112 wrote to memory of 940	1112	NursultanStart.exe	50
PID 1112 wrote to memory of 940	1112	NursultanStart.exe	50
PID 1112 wrote to memory of 3012	1112	NursultanStart.exe	52
PID 1112 wrote to memory of 3012	1112	NursultanStart.exe	52
PID 1112 wrote to memory of 3012	1112	NursultanStart.exe	52
PID 2468 wrote to memory of 2436	2468	start.exe	55
PID 2468 wrote to memory of 2436	2468	start.exe	55
PID 2468 wrote to memory of 2436	2468	start.exe	55
PID 2436 wrote to memory of 2464	2436	cmd.exe	57
PID 2436 wrote to memory of 2464	2436	cmd.exe	57
PID 2436 wrote to memory of 2464	2436	cmd.exe	57

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NursultanCrack.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NursultanCrack.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\7zO4AB1DD56\start.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4AB1DD56\start.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
      "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:940
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\start.exe
      "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3478.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4AB1DD56\start.exe

Filesize
192KB

MD5
066f7f594bf6f254748bc19562dd1bc3

SHA1
313883f4a7fbfc3c60b153492aeefb927c5d5694

SHA256
9398c6385a5246fe4b86b0f247ddb8a93a9c326389dabef1b96bd65af09b360e

SHA512
04f0c82938dee7a790876ab39282c36eda0c6de11a337d93f728c07be6ff5997605c6a9bba886b94091c313795ee19bf96d65ca9ac1e1d62eeab7acd33b6afca

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
63KB

MD5
a48eb52779ecedfcf1c709a232e655cf

SHA1
ebe1bf5f87ee23bf74ec52c5bcf134782821c46d

SHA256
fecf2e4db113236435acf34c716776d40a447254b344f59ed3c2f99e755b2708

SHA512
b37bfb9f7eb15063e452cc7ccf9ed2291f09b985fecba6f983b2cd69736b6fe6bd02074d99f838f8e2ce826b8ee9e810fc7f171e0ac486e4f7ff0f37903ab47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3478.tmp.bat

Filesize
157B

MD5
82016685977f100bb0ee8d6d2da3ded2

SHA1
4c9143d353ced38f0abfbb2cc9c97a33880ae131

SHA256
be6106361a73c8cbb9b4f82bb2700099be899f9000eb774fd960be7f3073ea88

SHA512
3349587b5186108bd2ac03a3feb68d5c083b4c2df7ace62f031d419662f2e6c308ef18f534d27b8b1e9a1fd7b3d8cd113ffef2999c0264bf285ef6eed2b9e3a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c6bbbab5b402dab5f2d68651fed75e9c

SHA1
201121d00ccc73eccd249ce13a6426bebef2ff38

SHA256
cc9080166f5626669084e7b0d3151e9263546503b197c8e4d05d9d84004489c8

SHA512
3dd87b28eb4b838638310f08d3f2f0f5307d2938f269b10ba1299a04b9279fd49294470e9d3d0c5558f63bd8036710ac2b419720f0d6bc3b46f73d13e3abd881

Download Submit
\Users\Admin\AppData\Local\Temp\NursultanStart.exe

Filesize
229KB

MD5
a635e377a579296af70e52f439465078

SHA1
68aff1bf9a48c1d8f326f9ee1d95a795c1b35c35

SHA256
11ca4440ffccc6e94fa1536d27eeafdceea8782202a56f3989b19f845d7864ac

SHA512
cef30f2e3385399c9659acb6938a68a46401b977cb84c1137cc18dd37009c61a91eeb473a65552bb5585af69ecfadd878db0a0f6bd24584153d9796a3e46db39

Download Submit
memory/676-66-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/676-63-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/676-68-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/676-60-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/676-61-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/676-59-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/676-62-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/676-64-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/676-65-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/940-136-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/940-137-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/940-134-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/940-135-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/940-138-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/940-133-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/1040-113-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/1040-121-0x000007FEED390000-0x000007FEEDD2D000-memory.dmp

Filesize
9.6MB

Download
memory/1040-120-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1040-117-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1040-116-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1040-115-0x000007FEED390000-0x000007FEEDD2D000-memory.dmp

Filesize
9.6MB

Download
memory/1040-114-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1040-112-0x000007FEED390000-0x000007FEEDD2D000-memory.dmp

Filesize
9.6MB

Download
memory/1040-111-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/1112-54-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/1112-82-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1112-51-0x0000000001330000-0x0000000001370000-memory.dmp

Filesize
256KB

Download
memory/1112-93-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/1112-142-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1112-52-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-75-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1600-84-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1600-78-0x000007FEED390000-0x000007FEEDD2D000-memory.dmp

Filesize
9.6MB

Download
memory/1600-76-0x000007FEED390000-0x000007FEEDD2D000-memory.dmp

Filesize
9.6MB

Download
memory/1600-83-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1600-85-0x000007FEED390000-0x000007FEEDD2D000-memory.dmp

Filesize
9.6MB

Download
memory/1600-77-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1600-74-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/1600-80-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1600-79-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2188-101-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2188-105-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-104-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2188-100-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-99-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2188-98-0x000007FEEDD30000-0x000007FEEE6CD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-92-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2468-118-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2468-81-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2468-67-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2468-53-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2468-50-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2468-156-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download