umbral | 3329ef336752b999469c5e2b3437432b20bd02b71e8a4f5f0a5609006e298a5f

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21b7b37864afd5d1781a566f8aafc390N.exe
Size

3.1MB
MD5

21b7b37864afd5d1781a566f8aafc390
SHA1

99e11b58458f94e10d835c17a77076fa5adc9654
SHA256

3329ef336752b999469c5e2b3437432b20bd02b71e8a4f5f0a5609006e298a5f
SHA512

4c080e125c6ec11d550a3f679f2f31e90b8bb691d716d339e032d6967966fdd79d99936fe69e83752808d7b442a8c36b431f235f1a53fa643ba7b4bc05a08e7a
SSDEEP

49152:3wh6L+oabpsbpDeaUxVjjwYwdGhNjw+qazDlchix/7gnp2+Cn3fO9XQW2GV:X+oEOuT4YwqZwfhix/ELCm9XPXV

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/3124-8-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4520	powershell.exe
3504	powershell.exe
2444	powershell.exe
4272	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3680 set thread context of 3124	3680	21b7b37864afd5d1781a566f8aafc390N.exe	84

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	attrib.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4628	cmd.exe
1412	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3948	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1412	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3680	21b7b37864afd5d1781a566f8aafc390N.exe
3680	21b7b37864afd5d1781a566f8aafc390N.exe
3124	RegAsm.exe
4520	powershell.exe
4520	powershell.exe
3504	powershell.exe
3504	powershell.exe
2444	powershell.exe
2444	powershell.exe
180	powershell.exe
180	powershell.exe
4272	powershell.exe
4272	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	21b7b37864afd5d1781a566f8aafc390N.exe
Token: SeDebugPrivilege	3124	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	4628	wmic.exe
Token: SeSecurityPrivilege	4628	wmic.exe
Token: SeTakeOwnershipPrivilege	4628	wmic.exe
Token: SeLoadDriverPrivilege	4628	wmic.exe
Token: SeSystemProfilePrivilege	4628	wmic.exe
Token: SeSystemtimePrivilege	4628	wmic.exe
Token: SeProfSingleProcessPrivilege	4628	wmic.exe
Token: SeIncBasePriorityPrivilege	4628	wmic.exe
Token: SeCreatePagefilePrivilege	4628	wmic.exe
Token: SeBackupPrivilege	4628	wmic.exe
Token: SeRestorePrivilege	4628	wmic.exe
Token: SeShutdownPrivilege	4628	wmic.exe
Token: SeDebugPrivilege	4628	wmic.exe
Token: SeSystemEnvironmentPrivilege	4628	wmic.exe
Token: SeRemoteShutdownPrivilege	4628	wmic.exe
Token: SeUndockPrivilege	4628	wmic.exe
Token: SeManageVolumePrivilege	4628	wmic.exe
Token: 33	4628	wmic.exe
Token: 34	4628	wmic.exe
Token: 35	4628	wmic.exe
Token: 36	4628	wmic.exe
Token: SeIncreaseQuotaPrivilege	4628	wmic.exe
Token: SeSecurityPrivilege	4628	wmic.exe
Token: SeTakeOwnershipPrivilege	4628	wmic.exe
Token: SeLoadDriverPrivilege	4628	wmic.exe
Token: SeSystemProfilePrivilege	4628	wmic.exe
Token: SeSystemtimePrivilege	4628	wmic.exe
Token: SeProfSingleProcessPrivilege	4628	wmic.exe
Token: SeIncBasePriorityPrivilege	4628	wmic.exe
Token: SeCreatePagefilePrivilege	4628	wmic.exe
Token: SeBackupPrivilege	4628	wmic.exe
Token: SeRestorePrivilege	4628	wmic.exe
Token: SeShutdownPrivilege	4628	wmic.exe
Token: SeDebugPrivilege	4628	wmic.exe
Token: SeSystemEnvironmentPrivilege	4628	wmic.exe
Token: SeRemoteShutdownPrivilege	4628	wmic.exe
Token: SeUndockPrivilege	4628	wmic.exe
Token: SeManageVolumePrivilege	4628	wmic.exe
Token: 33	4628	wmic.exe
Token: 34	4628	wmic.exe
Token: 35	4628	wmic.exe
Token: 36	4628	wmic.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	180	powershell.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemProfilePrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeProfSingleProcessPrivilege	1568	wmic.exe
Token: SeIncBasePriorityPrivilege	1568	wmic.exe
Token: SeCreatePagefilePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeDebugPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeRemoteShutdownPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 1388	3680	21b7b37864afd5d1781a566f8aafc390N.exe	83
PID 3680 wrote to memory of 1388	3680	21b7b37864afd5d1781a566f8aafc390N.exe	83
PID 3680 wrote to memory of 1388	3680	21b7b37864afd5d1781a566f8aafc390N.exe	83
PID 3680 wrote to memory of 3124	3680	21b7b37864afd5d1781a566f8aafc390N.exe	84
PID 3680 wrote to memory of 3124	3680	21b7b37864afd5d1781a566f8aafc390N.exe	84
PID 3680 wrote to memory of 3124	3680	21b7b37864afd5d1781a566f8aafc390N.exe	84
PID 3680 wrote to memory of 3124	3680	21b7b37864afd5d1781a566f8aafc390N.exe	84
PID 3680 wrote to memory of 3124	3680	21b7b37864afd5d1781a566f8aafc390N.exe	84
PID 3680 wrote to memory of 3124	3680	21b7b37864afd5d1781a566f8aafc390N.exe	84
PID 3680 wrote to memory of 3124	3680	21b7b37864afd5d1781a566f8aafc390N.exe	84
PID 3680 wrote to memory of 3124	3680	21b7b37864afd5d1781a566f8aafc390N.exe	84
PID 3124 wrote to memory of 4628	3124	RegAsm.exe	87
PID 3124 wrote to memory of 4628	3124	RegAsm.exe	87
PID 3124 wrote to memory of 4628	3124	RegAsm.exe	87
PID 3124 wrote to memory of 608	3124	RegAsm.exe	91
PID 3124 wrote to memory of 608	3124	RegAsm.exe	91
PID 3124 wrote to memory of 608	3124	RegAsm.exe	91
PID 3124 wrote to memory of 4520	3124	RegAsm.exe	93
PID 3124 wrote to memory of 4520	3124	RegAsm.exe	93
PID 3124 wrote to memory of 4520	3124	RegAsm.exe	93
PID 3124 wrote to memory of 3504	3124	RegAsm.exe	95
PID 3124 wrote to memory of 3504	3124	RegAsm.exe	95
PID 3124 wrote to memory of 3504	3124	RegAsm.exe	95
PID 3124 wrote to memory of 2444	3124	RegAsm.exe	97
PID 3124 wrote to memory of 2444	3124	RegAsm.exe	97
PID 3124 wrote to memory of 2444	3124	RegAsm.exe	97
PID 3124 wrote to memory of 180	3124	RegAsm.exe	99
PID 3124 wrote to memory of 180	3124	RegAsm.exe	99
PID 3124 wrote to memory of 180	3124	RegAsm.exe	99
PID 3124 wrote to memory of 1568	3124	RegAsm.exe	101
PID 3124 wrote to memory of 1568	3124	RegAsm.exe	101
PID 3124 wrote to memory of 1568	3124	RegAsm.exe	101
PID 3124 wrote to memory of 4840	3124	RegAsm.exe	103
PID 3124 wrote to memory of 4840	3124	RegAsm.exe	103
PID 3124 wrote to memory of 4840	3124	RegAsm.exe	103
PID 3124 wrote to memory of 728	3124	RegAsm.exe	105
PID 3124 wrote to memory of 728	3124	RegAsm.exe	105
PID 3124 wrote to memory of 728	3124	RegAsm.exe	105
PID 3124 wrote to memory of 4272	3124	RegAsm.exe	107
PID 3124 wrote to memory of 4272	3124	RegAsm.exe	107
PID 3124 wrote to memory of 4272	3124	RegAsm.exe	107
PID 3124 wrote to memory of 3948	3124	RegAsm.exe	109
PID 3124 wrote to memory of 3948	3124	RegAsm.exe	109
PID 3124 wrote to memory of 3948	3124	RegAsm.exe	109
PID 3124 wrote to memory of 4628	3124	RegAsm.exe	111
PID 3124 wrote to memory of 4628	3124	RegAsm.exe	111
PID 3124 wrote to memory of 4628	3124	RegAsm.exe	111
PID 4628 wrote to memory of 1412	4628	cmd.exe	113
PID 4628 wrote to memory of 1412	4628	cmd.exe	113
PID 4628 wrote to memory of 1412	4628	cmd.exe	113

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\21b7b37864afd5d1781a566f8aafc390N.exe
"C:\Users\Admin\AppData\Local\Temp\21b7b37864afd5d1781a566f8aafc390N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\Windows\SysWOW64\attrib.exe
    "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:180
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4840
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4272
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - System Location Discovery: System Language Discovery
    - Detects videocard installed
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" && pause
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
774b7443160a0853143be71e499e7f49

SHA1
9493b9aa0956ca18973197fc097fe2e223057618

SHA256
e6a921464598801eac5a653252cfec0d5db43c2ea99df32b47301e3374376681

SHA512
5643ca5a118655b72e0a47e36ebf7662a039c02e42e42eff57a9772589bc24ff994679bb9588edbeef6cd07fc0c8c82917517d1899839f50699310183e275294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
cf68f2d48d918f5f20331b99f245b0ad

SHA1
05275c1e6289c5594303caa6f69be58377264b7a

SHA256
543f34b905407961bff91a87a1fe205bf27ceeb41620f54b2a807f9b85fb9c96

SHA512
640ebb190925a41a1e0dab57abcaf9670e71d4d07a3ec2df4d60e9862bf9b861387098188e7f533569f4863d4c9cf6037af6b01f76f6e576e8a807b65dd77b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5c1902289f86cbb2913b1d58a696d0bf

SHA1
50710db8f6b08c635a09f58a7ad3d4d7db1018a9

SHA256
018a0ede223b285b6578345df833daded6a63591b977d4c4443b861ad8f5a902

SHA512
3392a034d96a4e6ba72648dfb04110a164bfa9c8fb13c79a1c21387d8cec6ab471f805bf9b9e7e60d087a2c113862f99001cf32fd755d06aa8785251c0ad82c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
7151ccdc53a6fc72bd7a59218db2f328

SHA1
91db62ecf8ac5fd988a0a8a77e28f56a1e406b19

SHA256
f66dc86e37672f44027379e2460abc84c102200ad22ba8f0be86abb184af56f5

SHA512
16bc74de068e8f3918f0429e62c48850f73d894db122d69b2f4712685e981328ff7a9d4c289bb7272a3ffc8f0a0f770c8cdea641afc4508bc71080358337ac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_saixde0d.joa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/180-109-0x0000000005CE0000-0x0000000006034000-memory.dmp

Filesize
3.3MB

Download
memory/2444-98-0x0000000006030000-0x0000000006052000-memory.dmp

Filesize
136KB

Download
memory/2444-97-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/2444-87-0x00000000054C0000-0x0000000005814000-memory.dmp

Filesize
3.3MB

Download
memory/3124-71-0x0000000006C50000-0x0000000006CC6000-memory.dmp

Filesize
472KB

Download
memory/3124-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-13-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/3124-14-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-134-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-10-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3124-72-0x0000000006E20000-0x0000000006E70000-memory.dmp

Filesize
320KB

Download
memory/3124-73-0x0000000006E80000-0x0000000006E9E000-memory.dmp

Filesize
120KB

Download
memory/3124-114-0x0000000007E80000-0x0000000007E92000-memory.dmp

Filesize
72KB

Download
memory/3124-113-0x0000000007130000-0x000000000713A000-memory.dmp

Filesize
40KB

Download
memory/3124-12-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/3504-62-0x00000000053E0000-0x0000000005734000-memory.dmp

Filesize
3.3MB

Download
memory/3680-1-0x0000020044C20000-0x0000020044EBC000-memory.dmp

Filesize
2.6MB

Download
memory/3680-3-0x00007FFDF3A60000-0x00007FFDF4521000-memory.dmp

Filesize
10.8MB

Download
memory/3680-4-0x00007FFDF3A60000-0x00007FFDF4521000-memory.dmp

Filesize
10.8MB

Download
memory/3680-5-0x00007FFDF3A60000-0x00007FFDF4521000-memory.dmp

Filesize
10.8MB

Download
memory/3680-6-0x0000020044530000-0x00000200445B6000-memory.dmp

Filesize
536KB

Download
memory/3680-2-0x000002002BBC0000-0x000002002BC1E000-memory.dmp

Filesize
376KB

Download
memory/3680-11-0x00007FFDF3A60000-0x00007FFDF4521000-memory.dmp

Filesize
10.8MB

Download
memory/3680-0-0x00007FFDF3A63000-0x00007FFDF3A65000-memory.dmp

Filesize
8KB

Download
memory/3680-7-0x00007FFDF3A60000-0x00007FFDF4521000-memory.dmp

Filesize
10.8MB

Download
memory/4272-122-0x0000000005FA0000-0x00000000062F4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-128-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/4520-30-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/4520-52-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/4520-53-0x0000000007DF0000-0x0000000007DF8000-memory.dmp

Filesize
32KB

Download
memory/4520-51-0x0000000007D10000-0x0000000007D24000-memory.dmp

Filesize
80KB

Download
memory/4520-50-0x0000000007D00000-0x0000000007D0E000-memory.dmp

Filesize
56KB

Download
memory/4520-49-0x0000000007CD0000-0x0000000007CE1000-memory.dmp

Filesize
68KB

Download
memory/4520-48-0x0000000007D50000-0x0000000007DE6000-memory.dmp

Filesize
600KB

Download
memory/4520-47-0x0000000007B40000-0x0000000007B4A000-memory.dmp

Filesize
40KB

Download
memory/4520-46-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/4520-45-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/4520-44-0x00000000079B0000-0x0000000007A53000-memory.dmp

Filesize
652KB

Download
memory/4520-43-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

Filesize
120KB

Download
memory/4520-33-0x000000006FC00000-0x000000006FC4C000-memory.dmp

Filesize
304KB

Download
memory/4520-32-0x0000000006D60000-0x0000000006D92000-memory.dmp

Filesize
200KB

Download
memory/4520-31-0x00000000067D0000-0x000000000681C000-memory.dmp

Filesize
304KB

Download
memory/4520-29-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/4520-18-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/4520-24-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/4520-17-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/4520-16-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/4520-15-0x0000000002E70000-0x0000000002EA6000-memory.dmp

Filesize
216KB

Download