Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-09-2024 12:22

General

  • Target

    fd8810323361a1a2dce67cf6f972c670N.exe

  • Size

    822KB

  • MD5

    fd8810323361a1a2dce67cf6f972c670

  • SHA1

    771b220ddb991aea4084ea7d4c6b7974513f58ad

  • SHA256

    f854e61c5fe94b9cf0f5074174e7008fcf73f4bb8610b04c4a69d465c07a87f2

  • SHA512

    b78d295401953b90f41ddcde26d34678a585818d7f0c1fb98c6995625afad737ce06cb346f086c78de502db671288f44218d901f23b772f2d3026cd571a27323

  • SSDEEP

    12288:uf8gbof4mhRT1sngcKrhQdEiI2wKcj8eFpXnXfpKUFqkj3VyVlq8nK2iRB:C8gbGr2urcEivzeF5Xekj3P2

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Detect Umbral payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Uses the powershell.exe command.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd8810323361a1a2dce67cf6f972c670N.exe
    "C:\Users\Admin\AppData\Local\Temp\fd8810323361a1a2dce67cf6f972c670N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Users\Admin\AppData\Local\Temp\NerestPC..exe
      "C:\Users\Admin\AppData\Local\Temp\NerestPC..exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" netsh advfirewall firewall add rule name="j|XQ!R#B!XDJ!<" dir=in action=allow program="C:\Windows\Microsoft Edge" enable=yes & exit
          4⤵
          PID:3576
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\Microsoft Edge" /RL HIGHEST & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3596
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\Microsoft Edge" /RL HIGHEST
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4996
      • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5084
      • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3144
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
          4⤵
          • Views/modifies file attributes
          PID:5036
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4328
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4008
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5008
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4764
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2176
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          PID:2600
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          PID:4184
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2996
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:4320
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:3972
          • C:\Windows\system32\PING.EXE
            ping localhost
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4356
    • C:\Users\Admin\AppData\Local\Temp\NerestPC.exe
      "C:\Users\Admin\AppData\Local\Temp\NerestPC.exe"
      2⤵
      • Executes dropped EXE
      PID:4216
  • C:\Windows\Microsoft Edge
    "C:\Windows\Microsoft Edge"
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\system32\cmd.exe
      "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\Microsoft Edge" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\Microsoft Edge" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2756
  • C:\Windows\Microsoft Edge
    "C:\Windows\Microsoft Edge"
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\system32\cmd.exe
      "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\Microsoft Edge" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\Microsoft Edge" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4960
  • C:\Windows\Microsoft Edge
    "C:\Windows\Microsoft Edge"
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Windows\system32\cmd.exe
      "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\Microsoft Edge" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\Microsoft Edge" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          62623d22bd9e037191765d5083ce16a3

          SHA1

          4a07da6872672f715a4780513d95ed8ddeefd259

          SHA256

          95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

          SHA512

          9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          948B

          MD5

          74a6b79d36b4aae8b027a218bc6e1af7

          SHA1

          0350e46c1df6934903c4820a00b0bc4721779e5f

          SHA256

          60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

          SHA512

          60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          548dd08570d121a65e82abb7171cae1c

          SHA1

          1a1b5084b3a78f3acd0d811cc79dbcac121217ab

          SHA256

          cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

          SHA512

          37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          2249c1abe17d85b5402fc00d82e7b6fe

          SHA1

          06752345c46ecf87880616799125d5895af00866

          SHA256

          b334f9aeb8b5c13d3ecbe299905b9f0418a5436e81eefc20479a99eff6a41289

          SHA512

          fb18fc5576badd291269025fee6a6d4ac4f50e9f5631df910dccf6370261f67029310f387aff9d84cfb6f44759b2848b4df469493d96707539990f28c45fef28

        • C:\Users\Admin\AppData\Local\Temp\Insidious.exe

          Filesize

          274KB

          MD5

          b70c03532081c928f946e844c5d2172d

          SHA1

          7908b1d1e9ab5e222faa6c816dd861382aa4a5c5

          SHA256

          3cf9d10fb9434a9c83d0fb65401e65b11fa643264ff17b5a9d75022e5d41ae29

          SHA512

          81e4df48e246e3d842ddf8834bd96388f38e72ead2ae5f46a473dc9bbfe56621e5912f51a7dea1ba523b28144e11305ef29d48c61ca3525c80efc0a76a265ecb

        • C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe

          Filesize

          602KB

          MD5

          c712f727a84f5b469e49dd51f79e34b5

          SHA1

          b95384023823b3a04ecc0d535880d49289949c1b

          SHA256

          8ab8e4a895567d0ff0553247dd299f27bbde248c6230374cad84315b5fe4d3a2

          SHA512

          6002f2980471d092e5512ca8a4a9b01e6bb7b8f7753ee9b359006c338e0069de088cf71b742c57e3643c92c72b00113025ccc1b4625ac8301d4eba86956de537

        • C:\Users\Admin\AppData\Local\Temp\NerestPC..exe

          Filesize

          618KB

          MD5

          5986b28226b3fa20a0dbd4c1f6763d2e

          SHA1

          5a8201c46537eee5a5e9ed94f6decb901105a793

          SHA256

          1ed233837a6efd9552be0f7b83454dd114c4ee38899abaa8c03d04c74b66280a

          SHA512

          99037bc18cbb1f0a967673f5f184455ed0b839694879e25b464264d1bbe77c75b0fa9fc6d1463b82798c5f52360f78eef2ee1f20076a48fbb21e6d3b9788dd05

        • C:\Users\Admin\AppData\Local\Temp\NerestPC.exe

          Filesize

          381KB

          MD5

          61b2cc02888da42c4332c812884d8667

          SHA1

          79fb9d18ef4e67579e606de955b495d5e5f93474

          SHA256

          85346da22eb47ca404caa7acc61adda05e4ecb92a99f7f9996e04aa845d94e67

          SHA512

          a1683d93927571fd24431ac06629228def0cc325a2f8434cb037755fc73ec88829083f2674e8e0cb9a86fdfc423b2bf645585a362e165e6979408d15e73c0fec

        • C:\Users\Admin\AppData\Local\Temp\Umbral.exe

          Filesize

          231KB

          MD5

          df69e1468a4656f2eec526de59a89a8b

          SHA1

          e65e192be57cd672b8ef19cd72ad89cbd3f8f60a

          SHA256

          4d3a9636e9d29f227b56d7bf140154384e1f426b69cf213ae46115e8d966aa92

          SHA512

          409dca3f4ce130034b3004726939a59f38939d46e09f04d6c8a77ea20e3ff931d1a7332f00c06c3e46d8c64796ac93299c2f5a6595777f3e05cf89bc0522449f

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4h2hnt5.mlc.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\44\Process.txt

          Filesize

          730B

          MD5

          f89c1a19fafc792110a5ba060d461add

          SHA1

          393666b0797c9ed6c7b86f8fbe72a4d93edabbe9

          SHA256

          5da0cbee0caf9bacc3ddc18a4247efbe4a3c863490ff8c5ad705affd890f6ba9

          SHA512

          fa58dbfb2af02910e4b56bfc49ff00ae22abcef57942b361d9f8a779b98bbe0b94a9daa0dde7a293929e8736cda6d68c173981ae03d0f3b311750c534994b5c3

        • C:\Users\Admin\AppData\Roaming\44\Process.txt

          Filesize

          1KB

          MD5

          a221935827c9c7aa31fb2fac4ef6a0ab

          SHA1

          b12de39d949a0a0ab761b54135084f673b3fa8db

          SHA256

          a703365a5aea99f1ce1f6d3e08b2c7178790d4fcdb0ce46d84c8ea7bd6e10c98

          SHA512

          ecf25843991200ab2711b0d5d260808c8acdb8252b3aa6fbf0c91be10375c858879eb67247e90d86f7ab05a97f3e72cd906cdbceb1dbf2b5c9c057f285612b7b

        • memory/1520-29-0x0000000000ED0000-0x0000000000F70000-memory.dmp

          Filesize

          640KB

        • memory/1520-80-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

          Filesize

          10.8MB

        • memory/1520-32-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

          Filesize

          10.8MB

        • memory/2488-68-0x000002916E7D0000-0x000002916E810000-memory.dmp

          Filesize

          256KB

        • memory/2488-270-0x0000029170EC0000-0x0000029170ECA000-memory.dmp

          Filesize

          40KB

        • memory/2488-271-0x0000029170EF0000-0x0000029170F02000-memory.dmp

          Filesize

          72KB

        • memory/2488-217-0x0000029170F20000-0x0000029170F96000-memory.dmp

          Filesize

          472KB

        • memory/2488-218-0x0000029170FA0000-0x0000029170FF0000-memory.dmp

          Filesize

          320KB

        • memory/2488-219-0x000002916ECC0000-0x000002916ECDE000-memory.dmp

          Filesize

          120KB

        • memory/4212-56-0x0000000000320000-0x00000000003B8000-memory.dmp

          Filesize

          608KB

        • memory/4216-31-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

          Filesize

          10.8MB

        • memory/4216-27-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

          Filesize

          10.8MB

        • memory/4216-25-0x00000000004B0000-0x0000000000516000-memory.dmp

          Filesize

          408KB

        • memory/4328-189-0x00000286EA8C0000-0x00000286EA8E2000-memory.dmp

          Filesize

          136KB

        • memory/4556-28-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

          Filesize

          10.8MB

        • memory/4556-0-0x00007FF9837D3000-0x00007FF9837D5000-memory.dmp

          Filesize

          8KB

        • memory/4556-14-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

          Filesize

          10.8MB

        • memory/4556-1-0x0000000000CE0000-0x0000000000DB4000-memory.dmp

          Filesize

          848KB

        • memory/5084-65-0x000002259CD70000-0x000002259CDBA000-memory.dmp

          Filesize

          296KB