umbral | 02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473

Analysis

max time kernel
125s
max time network
138s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473.exe
Size

7.2MB
MD5

e458411c85a5aea36d6314e286bafdbf
SHA1

750f15ec6e86e74ef852f7f43395145dbd873b98
SHA256

02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473
SHA512

129083d7d8804ee46f8021895e162fdc0229ad5e75abeabb2b070036c1fc436f33a770d329f89c5d310b5e9ac1c91eace67e3782bda28fcc6fc800244dd07af2
SSDEEP

196608:tkpNA8RaKWfeYWBFrUpBfNNNAqvM4M+etNvdv:tkpNAGvHlSNhMH+oNV

Score

10^/10

umbral xworm credential_access discovery execution pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1276045605986107432/__jDxBNn4eIwDgfsF9Nvf_usMcbmRdQMO6KCi-9i1IoMGuWJto51uvjMtD8ys47YkqVM

Extracted

Family

xworm

10.9.92.54:80

Attributes

install_file
USB.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000120fd-5.dat	family_umbral
behavioral1/memory/2528-7-0x0000000000FC0000-0x0000000001000000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015cf8-17.dat	family_xworm
behavioral1/memory/2736-19-0x00000000011F0000-0x0000000001208000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1768	powershell.exe
868	powershell.exe
1872	powershell.exe
1756	powershell.exe
2040	powershell.exe
1880	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	lol.exe

Executes dropped EXE 5 IoCs

pid	Process
2528	lol.exe
2220	Genesis_Loader.exe
2736	obf.exe
2968	Main (1).exe
2776	Main (1).exe

Loads dropped DLL 2 IoCs

pid	Process
2220	Genesis_Loader.exe
2776	Main (1).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000015d6f-22.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2964	cmd.exe
2128	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1932	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2128	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1756	powershell.exe
1872	powershell.exe
1768	powershell.exe
2440	powershell.exe
2040	powershell.exe
1880	powershell.exe
868	powershell.exe
2736	obf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	lol.exe
Token: SeDebugPrivilege	2736	obf.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeIncreaseQuotaPrivilege	688	wmic.exe
Token: SeSecurityPrivilege	688	wmic.exe
Token: SeTakeOwnershipPrivilege	688	wmic.exe
Token: SeLoadDriverPrivilege	688	wmic.exe
Token: SeSystemProfilePrivilege	688	wmic.exe
Token: SeSystemtimePrivilege	688	wmic.exe
Token: SeProfSingleProcessPrivilege	688	wmic.exe
Token: SeIncBasePriorityPrivilege	688	wmic.exe
Token: SeCreatePagefilePrivilege	688	wmic.exe
Token: SeBackupPrivilege	688	wmic.exe
Token: SeRestorePrivilege	688	wmic.exe
Token: SeShutdownPrivilege	688	wmic.exe
Token: SeDebugPrivilege	688	wmic.exe
Token: SeSystemEnvironmentPrivilege	688	wmic.exe
Token: SeRemoteShutdownPrivilege	688	wmic.exe
Token: SeUndockPrivilege	688	wmic.exe
Token: SeManageVolumePrivilege	688	wmic.exe
Token: 33	688	wmic.exe
Token: 34	688	wmic.exe
Token: 35	688	wmic.exe
Token: SeIncreaseQuotaPrivilege	688	wmic.exe
Token: SeSecurityPrivilege	688	wmic.exe
Token: SeTakeOwnershipPrivilege	688	wmic.exe
Token: SeLoadDriverPrivilege	688	wmic.exe
Token: SeSystemProfilePrivilege	688	wmic.exe
Token: SeSystemtimePrivilege	688	wmic.exe
Token: SeProfSingleProcessPrivilege	688	wmic.exe
Token: SeIncBasePriorityPrivilege	688	wmic.exe
Token: SeCreatePagefilePrivilege	688	wmic.exe
Token: SeBackupPrivilege	688	wmic.exe
Token: SeRestorePrivilege	688	wmic.exe
Token: SeShutdownPrivilege	688	wmic.exe
Token: SeDebugPrivilege	688	wmic.exe
Token: SeSystemEnvironmentPrivilege	688	wmic.exe
Token: SeRemoteShutdownPrivilege	688	wmic.exe
Token: SeUndockPrivilege	688	wmic.exe
Token: SeManageVolumePrivilege	688	wmic.exe
Token: 33	688	wmic.exe
Token: 34	688	wmic.exe
Token: 35	688	wmic.exe
Token: SeIncreaseQuotaPrivilege	1692	wmic.exe
Token: SeSecurityPrivilege	1692	wmic.exe
Token: SeTakeOwnershipPrivilege	1692	wmic.exe
Token: SeLoadDriverPrivilege	1692	wmic.exe
Token: SeSystemProfilePrivilege	1692	wmic.exe
Token: SeSystemtimePrivilege	1692	wmic.exe
Token: SeProfSingleProcessPrivilege	1692	wmic.exe
Token: SeIncBasePriorityPrivilege	1692	wmic.exe
Token: SeCreatePagefilePrivilege	1692	wmic.exe
Token: SeBackupPrivilege	1692	wmic.exe
Token: SeRestorePrivilege	1692	wmic.exe
Token: SeShutdownPrivilege	1692	wmic.exe
Token: SeDebugPrivilege	1692	wmic.exe
Token: SeSystemEnvironmentPrivilege	1692	wmic.exe
Token: SeRemoteShutdownPrivilege	1692	wmic.exe
Token: SeUndockPrivilege	1692	wmic.exe
Token: SeManageVolumePrivilege	1692	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2736	obf.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2528	3024	02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473.exe	30
PID 3024 wrote to memory of 2528	3024	02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473.exe	30
PID 3024 wrote to memory of 2528	3024	02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473.exe	30
PID 3024 wrote to memory of 2220	3024	02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473.exe	31
PID 3024 wrote to memory of 2220	3024	02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473.exe	31
PID 3024 wrote to memory of 2220	3024	02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473.exe	31
PID 2220 wrote to memory of 2736	2220	Genesis_Loader.exe	32
PID 2220 wrote to memory of 2736	2220	Genesis_Loader.exe	32
PID 2220 wrote to memory of 2736	2220	Genesis_Loader.exe	32
PID 2220 wrote to memory of 2968	2220	Genesis_Loader.exe	33
PID 2220 wrote to memory of 2968	2220	Genesis_Loader.exe	33
PID 2220 wrote to memory of 2968	2220	Genesis_Loader.exe	33
PID 2968 wrote to memory of 2776	2968	Main (1).exe	35
PID 2968 wrote to memory of 2776	2968	Main (1).exe	35
PID 2968 wrote to memory of 2776	2968	Main (1).exe	35
PID 2528 wrote to memory of 1684	2528	lol.exe	38
PID 2528 wrote to memory of 1684	2528	lol.exe	38
PID 2528 wrote to memory of 1684	2528	lol.exe	38
PID 2528 wrote to memory of 1756	2528	lol.exe	40
PID 2528 wrote to memory of 1756	2528	lol.exe	40
PID 2528 wrote to memory of 1756	2528	lol.exe	40
PID 2528 wrote to memory of 1872	2528	lol.exe	42
PID 2528 wrote to memory of 1872	2528	lol.exe	42
PID 2528 wrote to memory of 1872	2528	lol.exe	42
PID 2528 wrote to memory of 1768	2528	lol.exe	44
PID 2528 wrote to memory of 1768	2528	lol.exe	44
PID 2528 wrote to memory of 1768	2528	lol.exe	44
PID 2528 wrote to memory of 2440	2528	lol.exe	46
PID 2528 wrote to memory of 2440	2528	lol.exe	46
PID 2528 wrote to memory of 2440	2528	lol.exe	46
PID 2736 wrote to memory of 2040	2736	obf.exe	48
PID 2736 wrote to memory of 2040	2736	obf.exe	48
PID 2736 wrote to memory of 2040	2736	obf.exe	48
PID 2528 wrote to memory of 688	2528	lol.exe	50
PID 2528 wrote to memory of 688	2528	lol.exe	50
PID 2528 wrote to memory of 688	2528	lol.exe	50
PID 2528 wrote to memory of 1692	2528	lol.exe	52
PID 2528 wrote to memory of 1692	2528	lol.exe	52
PID 2528 wrote to memory of 1692	2528	lol.exe	52
PID 2736 wrote to memory of 1880	2736	obf.exe	54
PID 2736 wrote to memory of 1880	2736	obf.exe	54
PID 2736 wrote to memory of 1880	2736	obf.exe	54
PID 2528 wrote to memory of 2420	2528	lol.exe	56
PID 2528 wrote to memory of 2420	2528	lol.exe	56
PID 2528 wrote to memory of 2420	2528	lol.exe	56
PID 2528 wrote to memory of 868	2528	lol.exe	58
PID 2528 wrote to memory of 868	2528	lol.exe	58
PID 2528 wrote to memory of 868	2528	lol.exe	58
PID 2528 wrote to memory of 1932	2528	lol.exe	60
PID 2528 wrote to memory of 1932	2528	lol.exe	60
PID 2528 wrote to memory of 1932	2528	lol.exe	60
PID 2528 wrote to memory of 2964	2528	lol.exe	62
PID 2528 wrote to memory of 2964	2528	lol.exe	62
PID 2528 wrote to memory of 2964	2528	lol.exe	62

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473.exe
"C:\Users\Admin\AppData\Local\Temp\02be84308541ec4d7614933e6a4985c8fdc7213ab873e7ca5c0aabfe5356e473.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Roaming\lol.exe
  "C:\Users\Admin\AppData\Roaming\lol.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\lol.exe"
    3⤵
    - Views/modifies file attributes
    PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\lol.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:868
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1932
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\lol.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2964
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2128
- C:\Users\Admin\AppData\Roaming\Genesis_Loader.exe
  "C:\Users\Admin\AppData\Roaming\Genesis_Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Roaming\obf.exe
    "C:\Users\Admin\AppData\Roaming\obf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\obf.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'obf.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1880
- - C:\Users\Admin\AppData\Roaming\Main (1).exe
    "C:\Users\Admin\AppData\Roaming\Main (1).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Roaming\Main (1).exe
      "C:\Users\Admin\AppData\Roaming\Main (1).exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29682\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Roaming\Genesis_Loader.exe

Filesize
7.0MB

MD5
899a7de8d656ccb777f62ae16ee99ae9

SHA1
40ee23565d7d3d51f1abca51d1721c684f3955c2

SHA256
210a96f684b7cea559d755f27933d623beb50be519ace32a851bb9ac3ee8e44a

SHA512
b7bcb936d028cd6f61e074a57bbb7f2a62c1e974afa55c16f88a45b1a0c6cad1fd19f28cb63dfcb6d1cf1a107e6d6a33def79a1099023f2fde012963a087e3e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6e0c2e9aa1ee439c479dae45250abe78

SHA1
a622197add7d9dd8ca9de07e9e380566daca05ed

SHA256
bf7c5757fd28b7b58cd4c146bcd0ffb9898b0fa9b73eace0999bec4e71a88794

SHA512
53759ddc69421b72f2adadfd4cb370610bf4811482499bfc79a324353f8d6c19d7f4ff8cd5ebed24c2117de4917502139be1c3a4e92069a72428334ea0e0643b

Download Submit
C:\Users\Admin\AppData\Roaming\lol.exe

Filesize
229KB

MD5
ea031754ac9fe28dbc0c5915cb638e44

SHA1
14b2c7b94aefdfc911e26fc5deb6eb8b6d7c0aed

SHA256
cfb7119e9b1eea0c3f511fb51952399c3f10edb91e12030e49a30172b0510e7e

SHA512
39a0790b3bae0862b1ba87bd6d1165694ba09cfa5104935e00ebaa13924699b2efba92ee6e744d3d820a9c05f80fa41fa1649498dce8f430835e8c6e813c25bb

Download Submit
C:\Users\Admin\AppData\Roaming\obf.exe

Filesize
72KB

MD5
5c2b1ec1c68b749d6a276addd31460d7

SHA1
0a370422c2c29aed0d16e8012545e21197d21821

SHA256
b486197aa0e45a64681e66d42a3041461f5a665d24010f36d7d78dfeec828d4b

SHA512
b7a2fdc569a8f423a9b9001ccb0e7376355b2e9b8bc6380805fe2ebd196371e11a0dd1a67ea2d01541b0495d4bfa692dcecb6911963fd1b0ce5831223d5a3595

Download Submit
\Users\Admin\AppData\Roaming\Main (1).exe

Filesize
6.9MB

MD5
376a81c9dbc8637ff9d12b382c7b5649

SHA1
52dc9915ce4f05054c7130c061683edd7b97978c

SHA256
94374b24ffd5dd3422890e362c8cd49c785b536d6148698b00cbcbcccc2eac75

SHA512
ce270e7dc43697bf98798f66f7c5a8724b75bee58cacf3a183f73d70785976425b8b518776060267f181fe1b7bfa4f36e1d47a7be81f9ee916f997c310ff7c05

Download Submit
memory/1756-45-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1756-46-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/1872-52-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1872-53-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2220-13-0x0000000001300000-0x0000000001A04000-memory.dmp

Filesize
7.0MB

Download
memory/2528-39-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-7-0x0000000000FC0000-0x0000000001000000-memory.dmp

Filesize
256KB

Download
memory/2528-105-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-19-0x00000000011F0000-0x0000000001208000-memory.dmp

Filesize
96KB

Download
memory/3024-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x0000000000C20000-0x0000000001360000-memory.dmp

Filesize
7.2MB

Download