stormkitty | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe
Size

1.8MB
MD5

58f824a8f6a71da8e9a1acc97fc26d52
SHA1

b0e199e6f85626edebbecd13609a011cf953df69
SHA256

5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17
SHA512

7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461
SSDEEP

49152:OA12qngJy5Eptzh8wg9fmH5pKKMmDiuV:OHJyEptzh8n05QHwV

Score

10^/10

stormkitty umbral xworm discovery evasion execution pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:8080

101.99.92.189:8080

Mutex

d5gQ6Zf7Tzih1Pi1

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

umbral

https://discord.com/api/webhooks/1316854619615395900/Dn3bh1TbkCRewqpe_pn_K2IjK67e9nf96EdTjHeHaiQsm9N6qPmO7r5UKNDUemOXEcux

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2128-8-0x0000000000DE0000-0x0000000000DEE000-memory.dmp	disable_win_def

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015d18-33.dat	family_umbral
behavioral1/memory/2008-34-0x0000000000A50000-0x0000000000A90000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2128-1-0x0000000001360000-0x00000000017D6000-memory.dmp	family_xworm
behavioral1/memory/2128-2-0x0000000001360000-0x00000000017D6000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2128-68-0x0000000009810000-0x0000000009930000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2412	powershell.exe
1084	powershell.exe
1628	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bvhjzz.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe

Executes dropped EXE 3 IoCs

pid	Process
1212	ncbmpt.exe
1176	Process not Found
2008	bvhjzz.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe

Loads dropped DLL 3 IoCs

pid	Process
2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe
1176	Process not Found
2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	discord.com
13	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0004000000004ed7-21.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1912	cmd.exe
3060	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3012	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3060	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe
2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe
2008	bvhjzz.exe
2412	powershell.exe
1084	powershell.exe
1628	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe
Token: SeDebugPrivilege	2008	bvhjzz.exe
Token: SeIncreaseQuotaPrivilege	2968	wmic.exe
Token: SeSecurityPrivilege	2968	wmic.exe
Token: SeTakeOwnershipPrivilege	2968	wmic.exe
Token: SeLoadDriverPrivilege	2968	wmic.exe
Token: SeSystemProfilePrivilege	2968	wmic.exe
Token: SeSystemtimePrivilege	2968	wmic.exe
Token: SeProfSingleProcessPrivilege	2968	wmic.exe
Token: SeIncBasePriorityPrivilege	2968	wmic.exe
Token: SeCreatePagefilePrivilege	2968	wmic.exe
Token: SeBackupPrivilege	2968	wmic.exe
Token: SeRestorePrivilege	2968	wmic.exe
Token: SeShutdownPrivilege	2968	wmic.exe
Token: SeDebugPrivilege	2968	wmic.exe
Token: SeSystemEnvironmentPrivilege	2968	wmic.exe
Token: SeRemoteShutdownPrivilege	2968	wmic.exe
Token: SeUndockPrivilege	2968	wmic.exe
Token: SeManageVolumePrivilege	2968	wmic.exe
Token: 33	2968	wmic.exe
Token: 34	2968	wmic.exe
Token: 35	2968	wmic.exe
Token: SeIncreaseQuotaPrivilege	2968	wmic.exe
Token: SeSecurityPrivilege	2968	wmic.exe
Token: SeTakeOwnershipPrivilege	2968	wmic.exe
Token: SeLoadDriverPrivilege	2968	wmic.exe
Token: SeSystemProfilePrivilege	2968	wmic.exe
Token: SeSystemtimePrivilege	2968	wmic.exe
Token: SeProfSingleProcessPrivilege	2968	wmic.exe
Token: SeIncBasePriorityPrivilege	2968	wmic.exe
Token: SeCreatePagefilePrivilege	2968	wmic.exe
Token: SeBackupPrivilege	2968	wmic.exe
Token: SeRestorePrivilege	2968	wmic.exe
Token: SeShutdownPrivilege	2968	wmic.exe
Token: SeDebugPrivilege	2968	wmic.exe
Token: SeSystemEnvironmentPrivilege	2968	wmic.exe
Token: SeRemoteShutdownPrivilege	2968	wmic.exe
Token: SeUndockPrivilege	2968	wmic.exe
Token: SeManageVolumePrivilege	2968	wmic.exe
Token: 33	2968	wmic.exe
Token: 34	2968	wmic.exe
Token: 35	2968	wmic.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeIncreaseQuotaPrivilege	1856	wmic.exe
Token: SeSecurityPrivilege	1856	wmic.exe
Token: SeTakeOwnershipPrivilege	1856	wmic.exe
Token: SeLoadDriverPrivilege	1856	wmic.exe
Token: SeSystemProfilePrivilege	1856	wmic.exe
Token: SeSystemtimePrivilege	1856	wmic.exe
Token: SeProfSingleProcessPrivilege	1856	wmic.exe
Token: SeIncBasePriorityPrivilege	1856	wmic.exe
Token: SeCreatePagefilePrivilege	1856	wmic.exe
Token: SeBackupPrivilege	1856	wmic.exe
Token: SeRestorePrivilege	1856	wmic.exe
Token: SeShutdownPrivilege	1856	wmic.exe
Token: SeDebugPrivilege	1856	wmic.exe
Token: SeSystemEnvironmentPrivilege	1856	wmic.exe
Token: SeRemoteShutdownPrivilege	1856	wmic.exe
Token: SeUndockPrivilege	1856	wmic.exe
Token: SeManageVolumePrivilege	1856	wmic.exe
Token: 33	1856	wmic.exe
Token: 34	1856	wmic.exe
Token: 35	1856	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1212	2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe	32
PID 2128 wrote to memory of 1212	2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe	32
PID 2128 wrote to memory of 1212	2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe	32
PID 2128 wrote to memory of 1212	2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe	32
PID 2128 wrote to memory of 2008	2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe	33
PID 2128 wrote to memory of 2008	2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe	33
PID 2128 wrote to memory of 2008	2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe	33
PID 2128 wrote to memory of 2008	2128	5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe	33
PID 2008 wrote to memory of 2968	2008	bvhjzz.exe	34
PID 2008 wrote to memory of 2968	2008	bvhjzz.exe	34
PID 2008 wrote to memory of 2968	2008	bvhjzz.exe	34
PID 2008 wrote to memory of 2356	2008	bvhjzz.exe	36
PID 2008 wrote to memory of 2356	2008	bvhjzz.exe	36
PID 2008 wrote to memory of 2356	2008	bvhjzz.exe	36
PID 2008 wrote to memory of 2412	2008	bvhjzz.exe	38
PID 2008 wrote to memory of 2412	2008	bvhjzz.exe	38
PID 2008 wrote to memory of 2412	2008	bvhjzz.exe	38
PID 2008 wrote to memory of 1084	2008	bvhjzz.exe	40
PID 2008 wrote to memory of 1084	2008	bvhjzz.exe	40
PID 2008 wrote to memory of 1084	2008	bvhjzz.exe	40
PID 2008 wrote to memory of 1856	2008	bvhjzz.exe	42
PID 2008 wrote to memory of 1856	2008	bvhjzz.exe	42
PID 2008 wrote to memory of 1856	2008	bvhjzz.exe	42
PID 2008 wrote to memory of 1240	2008	bvhjzz.exe	44
PID 2008 wrote to memory of 1240	2008	bvhjzz.exe	44
PID 2008 wrote to memory of 1240	2008	bvhjzz.exe	44
PID 2008 wrote to memory of 2180	2008	bvhjzz.exe	46
PID 2008 wrote to memory of 2180	2008	bvhjzz.exe	46
PID 2008 wrote to memory of 2180	2008	bvhjzz.exe	46
PID 2008 wrote to memory of 1628	2008	bvhjzz.exe	48
PID 2008 wrote to memory of 1628	2008	bvhjzz.exe	48
PID 2008 wrote to memory of 1628	2008	bvhjzz.exe	48
PID 2008 wrote to memory of 3012	2008	bvhjzz.exe	50
PID 2008 wrote to memory of 3012	2008	bvhjzz.exe	50
PID 2008 wrote to memory of 3012	2008	bvhjzz.exe	50
PID 2008 wrote to memory of 1912	2008	bvhjzz.exe	52
PID 2008 wrote to memory of 1912	2008	bvhjzz.exe	52
PID 2008 wrote to memory of 1912	2008	bvhjzz.exe	52
PID 1912 wrote to memory of 3060	1912	cmd.exe	54
PID 1912 wrote to memory of 3060	1912	cmd.exe	54
PID 1912 wrote to memory of 3060	1912	cmd.exe	54

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2356	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe
"C:\Users\Admin\AppData\Local\Temp\5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\ncbmpt.exe
  "C:\Users\Admin\AppData\Local\Temp\ncbmpt.exe"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Users\Admin\AppData\Local\Temp\bvhjzz.exe
  "C:\Users\Admin\AppData\Local\Temp\bvhjzz.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\bvhjzz.exe"
    3⤵
    - Views/modifies file attributes
    PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bvhjzz.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1240
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3012
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\bvhjzz.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bvhjzz.exe

Filesize
231KB

MD5
3ae3cf78d1b188ca228e6e0479acbced

SHA1
6aca115b369169f1992d08e5439d5a58b74b4e75

SHA256
99748fc0a0e244e2b6c1bbba4a2f8bf548011663d235a2a10b8c908a8128c18f

SHA512
3adfbbdfc2eee34bda5c16005a32381113c9d774fdb64ed1896ad736497ab0c4f5493802519c6031ad780e6a1d2e195ffd1b4c6822a89e4fafb2517b1eeff8b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a60fefa05dbb0e37c1d1c1f7a39b7d9c

SHA1
179ab0a98cd5dc70f2dd7d5094f7eea377d1ab4a

SHA256
c3332c00449c0a2541c3bf8e8765c44c9195135333a404d5a429cbc44040639c

SHA512
690971bbf3f9a8315164c1dceb5f08b6e6743244988e11df223f66956d262e1c8b7d0e6d40e092ad0caf4a4217852e5b58053ca7e8ffa3ae41a69bd8c4215598

Download Submit
\Users\Admin\AppData\Local\Temp\ncbmpt.exe

Filesize
1.6MB

MD5
583d187384f6ffb863c6dceb99382413

SHA1
f8c93a13105eec96395e4cf0eb9b81d35fa85d5e

SHA256
1e568ef24328e5d91864810ada4e4b318ad147b626bc648507405e0e85feb322

SHA512
ec21559d0a9761a4464dbaf0c193fc0493367e287f96ccae63960b92604b2bba0435e6716f5c16de99603e7e4f8d6fe6fb117e543227b2ccecb980fa6c6a2005

Download Submit
memory/2008-34-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/2128-12-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/2128-16-0x00000000012D0000-0x00000000012E6000-memory.dmp

Filesize
88KB

Download
memory/2128-11-0x0000000007220000-0x0000000007268000-memory.dmp

Filesize
288KB

Download
memory/2128-0-0x0000000001360000-0x00000000017D6000-memory.dmp

Filesize
4.5MB

Download
memory/2128-13-0x0000000008A50000-0x0000000008AF6000-memory.dmp

Filesize
664KB

Download
memory/2128-14-0x0000000002FA0000-0x0000000002FD4000-memory.dmp

Filesize
208KB

Download
memory/2128-15-0x0000000007E70000-0x0000000007EBA000-memory.dmp

Filesize
296KB

Download
memory/2128-10-0x0000000001070000-0x000000000108C000-memory.dmp

Filesize
112KB

Download
memory/2128-9-0x0000000009520000-0x0000000009802000-memory.dmp

Filesize
2.9MB

Download
memory/2128-8-0x0000000000DE0000-0x0000000000DEE000-memory.dmp

Filesize
56KB

Download
memory/2128-4-0x0000000001360000-0x00000000017D6000-memory.dmp

Filesize
4.5MB

Download
memory/2128-2-0x0000000001360000-0x00000000017D6000-memory.dmp

Filesize
4.5MB

Download
memory/2128-1-0x0000000001360000-0x00000000017D6000-memory.dmp

Filesize
4.5MB

Download
memory/2128-68-0x0000000009810000-0x0000000009930000-memory.dmp

Filesize
1.1MB

Download