Overview

overview

10

Static

static

3

FunChecker.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    46s
  • max time network
    47s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17-07-2024 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FunChecker.exe

  • Size

    7.0MB

  • MD5

    84a2cb1d7bd73f291bc99188eb702114

  • SHA1

    93c2ebc09dfadf515fb6075f57f93aff693f2e16

  • SHA256

    1707093d8ee6f93cc5938d2c46eddb565c1ae217587ae43ab0c8ae6a3d2ccf8f

  • SHA512

    d33655c5c0cdaa062a5888e16ea91330c63f22d5475c94c16fcf7c2021820c051ea2a09fc6572a5a436ec0fb0f49a37c5c7e615e340999d4ade64c2231c077a2

  • SSDEEP

    196608:TBE2AD5NnNVtIwOUj+pq6bpMMbmvqxk3btIJ0jSQ9:TBE2ADnNVGwOUjwqspM2mvekt

Score
10/10
umbralevasionexecutionpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1263163627955818638/O6H0XtkfVMlzt1CR2LtuxnT8hf_eK3rxCg4Z8Ho7QTiBTbC3moAh35BYkmVLUE-l4NEA

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FunChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\FunChecker.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3432
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1844
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\FunChecker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4836
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          4⤵
            PID:4404
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FunChecker.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4412
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FunChecker" /tr "C:\Users\Admin\AppData\Roaming\FunChecker.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4772
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Drops file in Drivers directory
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:820
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4404
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3616
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3884
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          "wmic.exe" os get Caption
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3484
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1288
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:3232
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1936
          • C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:5104
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1152

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      1
      T1112

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      3
      T1012

      System Information Discovery

      5
      T1082

      Virtualization/Sandbox Evasion

      1
      T1497

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        db01a2c1c7e70b2b038edf8ad5ad9826

        SHA1

        540217c647a73bad8d8a79e3a0f3998b5abd199b

        SHA256

        413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

        SHA512

        c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        a193a1548523e2b1df0db3a55d7eef91

        SHA1

        aba48e6718b73e973c24c0227e85bd509fa79e9a

        SHA256

        a1a78a6f15fd374614750caef33f2b1f10005b1f270e422b8e36503374e197c5

        SHA512

        a19db77627bc46c4ec2b0d0d9a0b0f17830b6f5a26297df0a7b31943e1b4a832bd170c6d69988b66c011735fb8eedf55341ba23f592158b4019eb4ddc885478f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        16KB

        MD5

        55809db6d38f5f820c0cfab63cbc0b26

        SHA1

        056b715078630cbfa96d3bb0cc4c6b689b799a19

        SHA256

        296eda4e689665d9a761d0948d88b039b30edbbdd593fe51ebbfa09237021b8e

        SHA512

        56145ecf9edc9b74925b758f8ac15d59e69a30b91b342744bb63be0bb089557d035f63c6a63a059b66cb4425eb5e87c42ad1a4493a7b3c006611ee9821322ae8

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        90edc4c11db6bcb2088bf62cbdf08807

        SHA1

        5631da5a87a0890c2ac748d86ebd63edf1f7db4f

        SHA256

        df9dced671f0723b5cfc339cd78aa754bdb983b365011bf1f8a5359cda4728af

        SHA512

        8d64c85321e1ffdfa837d9f9203f40fbe033b5b5b7c4faf00370fc378c078647352d845edbf031a80599bb46679ff0cf4c5c4a33efcffb626ee9419c1ae7e679

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        15KB

        MD5

        9d16a5f0fb7c9938c3419eb7cbe3377a

        SHA1

        90b075d2f9165742b4960f58607bb41a4ea244ef

        SHA256

        d8f1def526e15fda62131a33c0bd852836760316eab2085fe80f69930503da75

        SHA512

        16f8fd8de3c320953eb64a1c70f0cb406c097364a4729a1cffa31ff0fe13f53297662241ddfb4a024800a0656ef9916c71ecd14ce7800640eb63c415c32a2d4a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        a9b219276339f1a6c8a7c0f11b31f27f

        SHA1

        03c977724d92331290a2f13636341d3fe0b6da67

        SHA256

        a093ff74626529d213a83e44b198957b169d2699cad8ad87d54a0334fb706cfb

        SHA512

        17af67c4ac030312f63dd845b9fae71fdb59b2278f53605aa11d3abb3db2fb3f9436bdb20c9076fc0cbbb8530f0ac216c94ab6a2029aa005e41a30fd44bb3364

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe
        Filesize

        3.4MB

        MD5

        8496d6a30ba3fdb1cd908cbcb41ef84e

        SHA1

        986c94e5a502ef12b2cafab7cd21401436154e8f

        SHA256

        65d35c5e52deb2c59470f099dfb44b05b2121e6f550a31727d3fee8f5be067cc

        SHA512

        e28b7d3255f6639b6c1ef4ad6029ef64bcc6c0988e298465f9db2441aa30737b29bb6d3a0dc71f5e6f5835dd1553503e4b36b571c9ebfe28e4ea3398010f74d9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tvifvwth.wsr.ps1
        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        3.6MB

        MD5

        c2f9feba8f68d6772ba7fc1536603a33

        SHA1

        e17c6f4fc8dcad67d0449c1f2f7d0863345d72c1

        SHA256

        005efd0dcf8e4b4726d5717f9a1dedf4977d1477fd92b4490a1f851c8ed5d59a

        SHA512

        8fa32ba1b80d94fcc28586cda1297dac4e444a0f20071bebc2644d3024551d2556f22bd549ca3f50f557a775a170df337953cc861be62f0ef248561c1615e968

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FunChecker.lnk
        Filesize

        826B

        MD5

        7980574074434732d3c479f4295cd61c

        SHA1

        df10db87ddee03baa9b18779f8504eaa8e0704e1

        SHA256

        205c0a5e935702c53ec8637227beddc188929aafb4ea00b0704610fd2ccad7a6

        SHA512

        d94ae330c1e6e7e88aebdc87c04a779f9d60ac7b05ba7f5418c8cece512db73ab695337083b6880d1c8af2f86257e5ee7d27dc6e83bb1dd5361bb4aa113e6bd5

        Download Submit

      • memory/820-81-0x00000000097C0000-0x0000000009865000-memory.dmp

        Filesize

        660KB

        Download

      • memory/820-29-0x0000000007020000-0x0000000007056000-memory.dmp

        Filesize

        216KB

        Download

      • memory/820-37-0x0000000008050000-0x000000000806C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/820-71-0x000000006F0C0000-0x000000006F10B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/820-72-0x0000000009660000-0x000000000967E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/820-70-0x0000000009680000-0x00000000096B3000-memory.dmp

        Filesize

        204KB

        Download

      • memory/820-36-0x00000000080C0000-0x0000000008410000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/820-481-0x0000000009B30000-0x0000000009B38000-memory.dmp

        Filesize

        32KB

        Download

      • memory/820-41-0x0000000008760000-0x00000000087D6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/820-33-0x0000000007690000-0x0000000007CB8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/820-40-0x00000000084D0000-0x000000000851B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/820-34-0x0000000007D40000-0x0000000007D62000-memory.dmp

        Filesize

        136KB

        Download

      • memory/820-35-0x0000000007FC0000-0x0000000008026000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1844-560-0x000000006F0C0000-0x000000006F10B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2556-26-0x0000000005700000-0x0000000005BFE000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/2556-553-0x0000000006FD0000-0x0000000007020000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2556-1342-0x0000000000400000-0x0000000000D68000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/2556-930-0x00000000071F0000-0x0000000007202000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2556-928-0x00000000066A0000-0x00000000066AA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2556-25-0x0000000002E10000-0x0000000002EA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2556-24-0x0000000000400000-0x0000000000D68000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/2556-21-0x0000000000400000-0x0000000000D68000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/2556-16-0x0000000000400000-0x0000000000D68000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/2556-557-0x0000000007190000-0x00000000071AE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3088-1348-0x0000000074CC0000-0x0000000074E82000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3088-1347-0x0000000074DB6000-0x0000000074DB7000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3088-20-0x0000000000400000-0x0000000000D22000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3088-17-0x0000000074CC0000-0x0000000074E82000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3088-30-0x0000000005250000-0x00000000052B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3088-1346-0x0000000000400000-0x0000000000D22000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3088-22-0x0000000000400000-0x0000000000D22000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3088-12-0x0000000074CC0000-0x0000000074E82000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3088-1351-0x0000000006D00000-0x0000000006D0C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3088-8-0x0000000000400000-0x0000000000D22000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3088-11-0x0000000074DB6000-0x0000000074DB7000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3088-1350-0x0000000074CC0000-0x0000000074E82000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3088-1337-0x0000000007020000-0x000000000702A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3088-23-0x00000000051A0000-0x000000000523C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3432-82-0x000000006F0C0000-0x000000006F10B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3432-87-0x0000000009020000-0x00000000090B4000-memory.dmp

        Filesize

        592KB

        Download

      • memory/3432-472-0x0000000008FC0000-0x0000000008FDA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3472-0-0x00007FFE770D3000-0x00007FFE770D4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3472-32-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3472-1-0x0000000000100000-0x0000000000800000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/3472-3-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3616-794-0x0000000009810000-0x0000000009832000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3616-792-0x00000000097C0000-0x00000000097DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4412-1102-0x00000000090A0000-0x0000000009145000-memory.dmp

        Filesize

        660KB

        Download

      • memory/4412-1097-0x00000000701D0000-0x000000007021B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4412-1078-0x0000000007E10000-0x0000000007E5B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4412-1076-0x0000000007690000-0x00000000079E0000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4836-839-0x000000006F0C0000-0x000000006F10B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4836-807-0x00000000073D0000-0x0000000007720000-memory.dmp

        Filesize

        3.3MB

        Download