Overview

overview

10

Static

static

3

loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loader.exe

  • Size

    5.4MB

  • MD5

    916f7dea6831485387d70b0891455e65

  • SHA1

    176e995cc2584d7c9703b2beee0994dcc4be91d5

  • SHA256

    c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2

  • SHA512

    ba5c40e6416a53c88f5b5d7e0ce346956ef6bd0aebed355df8070ebb71dda78125945fe1cdca87caa29a2b5d98c437bafd228396a516c91f764256e54556f0e4

  • SSDEEP

    98304:m52dhBZTv0sGVD+Oq7j3JQ9oQSqEac8JgZSeC3FSDsa7V578kXHoujwCl1um:+sBtGVD+OoUq8+SZ1hAVpRRjw6Q

Score
10/10
umbralxwormdiscoveryevasionexecutionpersistenceprivilege_escalationratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes
  • Install_directory

    %AppData%

  • install_file

    Ondrive.exe

aes.plain

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 21 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Users\Admin\AppData\Roaming\Server.exe
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:3196
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2268
      • C:\Users\Admin\AppData\Roaming\conhost.exe
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4692
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:184
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1916
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4600
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4868
    • C:\Users\Admin\AppData\Local\Temp\Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
    • C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Users\Admin\AppData\Roaming\Server.exe
          "C:\Users\Admin\AppData\Roaming\Server.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2944
        • C:\Users\Admin\AppData\Roaming\conhost.exe
          "C:\Users\Admin\AppData\Roaming\conhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1784
      • C:\Users\Admin\AppData\Local\Temp\Maple.exe
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2128
      • C:\Users\Admin\AppData\Local\Temp\loader.exe
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\Users\Admin\AppData\Local\Temp\Server.exe
          "C:\Users\Admin\AppData\Local\Temp\Server.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4796
          • C:\Users\Admin\AppData\Roaming\Server.exe
            "C:\Users\Admin\AppData\Roaming\Server.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1644
          • C:\Users\Admin\AppData\Roaming\conhost.exe
            "C:\Users\Admin\AppData\Roaming\conhost.exe"
            5⤵
            • Executes dropped EXE
            PID:4368
        • C:\Users\Admin\AppData\Local\Temp\Maple.exe
          "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3700
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            5⤵
              PID:4172
          • C:\Users\Admin\AppData\Local\Temp\loader.exe
            "C:\Users\Admin\AppData\Local\Temp\loader.exe"
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1640
            • C:\Users\Admin\AppData\Local\Temp\Server.exe
              "C:\Users\Admin\AppData\Local\Temp\Server.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3120
            • C:\Users\Admin\AppData\Local\Temp\Maple.exe
              "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:908
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" csproduct get uuid
                6⤵
                  PID:1240
              • C:\Users\Admin\AppData\Local\Temp\loader.exe
                "C:\Users\Admin\AppData\Local\Temp\loader.exe"
                5⤵
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:4768
                • C:\Users\Admin\AppData\Local\Temp\Server.exe
                  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4448
                • C:\Users\Admin\AppData\Local\Temp\Maple.exe
                  "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:1788
                  • C:\Windows\System32\Wbem\wmic.exe
                    "wmic.exe" csproduct get uuid
                    7⤵
                      PID:4700
                  • C:\Users\Admin\AppData\Local\Temp\loader.exe
                    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
                    6⤵
                    • Checks computer location settings
                    PID:1212
                    • C:\Users\Admin\AppData\Local\Temp\Server.exe
                      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
                      7⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:372
                    • C:\Users\Admin\AppData\Local\Temp\Maple.exe
                      "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
                      7⤵
                      • Executes dropped EXE
                      PID:3436
                      • C:\Windows\System32\Wbem\wmic.exe
                        "wmic.exe" csproduct get uuid
                        8⤵
                          PID:1056
                      • C:\Users\Admin\AppData\Local\Temp\loader.exe
                        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
                        7⤵
                        • Checks computer location settings
                        PID:3716
                        • C:\Users\Admin\AppData\Local\Temp\Server.exe
                          "C:\Users\Admin\AppData\Local\Temp\Server.exe"
                          8⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:5016
                        • C:\Users\Admin\AppData\Local\Temp\Maple.exe
                          "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
                          8⤵
                          • Executes dropped EXE
                          PID:764
                          • C:\Windows\System32\Wbem\wmic.exe
                            "wmic.exe" csproduct get uuid
                            9⤵
                              PID:4108
                          • C:\Users\Admin\AppData\Local\Temp\loader.exe
                            "C:\Users\Admin\AppData\Local\Temp\loader.exe"
                            8⤵
                              PID:2328

              Network

              MITRE ATT&CK Enterprise v15

              Reconnaissance

              Resource Development

              Initial Access

              Execution

              Command and Scripting Interpreter

              1
              T1059

              PowerShell

              1
              T1059.001

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Event Triggered Execution

              1
              T1546

              Netsh Helper DLL

              1
              T1546.007

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Event Triggered Execution

              1
              T1546

              Netsh Helper DLL

              1
              T1546.007

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Defense Evasion

              Impair Defenses

              1
              T1562

              Disable or Modify System Firewall

              1
              T1562.004

              Modify Registry

              1
              T1112

              Credential Access

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              2
              T1082

              System Location Discovery

              1
              T1614

              System Language Discovery

              1
              T1614.001

              Lateral Movement

              Collection

              Command and Control

              Exfiltration

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log
                Filesize

                319B

                MD5

                91046f2e147049d3e53cd9bf9d4d95ed

                SHA1

                228e347d062840b2edcbd16904475aacad414c62

                SHA256

                ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

                SHA512

                071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Maple.exe.log
                Filesize

                1KB

                MD5

                8094b248fe3231e48995c2be32aeb08c

                SHA1

                2fe06e000ebec919bf982d033c5d1219c1f916b6

                SHA256

                136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

                SHA512

                bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server.exe.log
                Filesize

                654B

                MD5

                2ff39f6c7249774be85fd60a8f9a245e

                SHA1

                684ff36b31aedc1e587c8496c02722c6698c1c4e

                SHA256

                e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                SHA512

                1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                d85ba6ff808d9e5444a4b369f5bc2730

                SHA1

                31aa9d96590fff6981b315e0b391b575e4c0804a

                SHA256

                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                SHA512

                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                6d3e9c29fe44e90aae6ed30ccf799ca8

                SHA1

                c7974ef72264bbdf13a2793ccf1aed11bc565dce

                SHA256

                2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                SHA512

                60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                ac7b0095e07d3463d6337710571982ab

                SHA1

                70de7729c4d5566f2e0f698e1de0defc207b5156

                SHA256

                3f3d7a8f4f54e2260752500c9cdd2b1133d1cefec7a38e4b6de351503039f644

                SHA512

                2d41ddf3da4d0e7110658a508041360958266943edbe279540b4ada449c733e5e41990ed675e2a3d8a61223cf244095cd3eef3d918337cdcaa0f332230c95dbf

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                98baf5117c4fcec1692067d200c58ab3

                SHA1

                5b33a57b72141e7508b615e17fb621612cb8e390

                SHA256

                30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

                SHA512

                344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Maple.exe
                Filesize

                227KB

                MD5

                550b445ad1a44d1f23f7155fae400db6

                SHA1

                cb006a53156285fdef3a0b33a4a08f534cd3bab7

                SHA256

                d223b3918e8bc3bab1d23fdc2e306be1c6587d3ab8f324fc377e37585387884e

                SHA512

                909f31f24672ffc5542ac42f344eb6020bcdfdfac9ac13d5672fe7ed22e686b06385d15709f1f83b576b1dade591ad40eb429ef076d07f4597235cd95a679fa5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Server.exe
                Filesize

                71KB

                MD5

                f9b08bd21b40a938122b479095b7c70c

                SHA1

                eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

                SHA256

                c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

                SHA512

                fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5byiogn.hmr.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Server.exe
                Filesize

                23KB

                MD5

                32fe01ccb93b0233503d0aaaa451f7b2

                SHA1

                58e5a63142150e8fb175dbb4dedea2ce405d7db0

                SHA256

                6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

                SHA512

                76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

                Download Submit

              • C:\Users\Admin\AppData\Roaming\conhost.exe
                Filesize

                37KB

                MD5

                b37dd1a1f0507baf993471ae1b7a314c

                SHA1

                9aff9d71492ffff8d51f8e8d67f5770755899882

                SHA256

                e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

                SHA512

                ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

                Download Submit

              • memory/1004-52-0x00007FFD82120000-0x00007FFD82BE1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1004-27-0x0000000000FD0000-0x0000000000FE8000-memory.dmp

                Filesize

                96KB

                Download

              • memory/1004-23-0x00007FFD82120000-0x00007FFD82BE1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1976-54-0x00007FFD82120000-0x00007FFD82BE1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1976-26-0x000001F564A80000-0x000001F564AC0000-memory.dmp

                Filesize

                256KB

                Download

              • memory/1976-30-0x00007FFD82120000-0x00007FFD82BE1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3136-51-0x0000000000760000-0x0000000000770000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4692-87-0x0000028B211D0000-0x0000028B211F2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/4796-0-0x00007FFD82123000-0x00007FFD82125000-memory.dmp

                Filesize

                8KB

                Download

              • memory/4796-31-0x00007FFD82120000-0x00007FFD82BE1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4796-21-0x00007FFD82120000-0x00007FFD82BE1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4796-1-0x0000000000BB0000-0x0000000001110000-memory.dmp

                Filesize

                5.4MB

                Download