Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 14:16

General

  • Target

    New_Project_1 (5).exe

  • Size

    486KB

  • MD5

    330f592f3a03c5e2c2ed4593d227f1a8

  • SHA1

    55957a8e8d405569c655923dd9414c4ec6c45a0d

  • SHA256

    0f10ed177734b40d0ca45eed258f8c3ca585323e32db8f3cab7387b61de0e679

  • SHA512

    497f9308a49eb1e9451675f447c5774cbaf267dd77b69e1ab494609feca17a20224ac707e54abcb090ee90e1e8187e9fa681c200bcec97ac1bc36b0ce38d15c2

  • SSDEEP

    12288:cWjF6EjvVYEaZ1hJcSx3ThB6xL3s7H4sn4/OxJrinEXL/sT:p68aZ1hlxlay5HdCuL

Malware Config

Extracted

Family

xworm

C2

reference-elliott.gl.at.ply.gg:37420

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

Signatures

  • Detect Umbral payload 3 IoCs
  • Detect Xworm Payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New_Project_1 (5).exe
    "C:\Users\Admin\AppData\Local\Temp\New_Project_1 (5).exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4252
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4172
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4348
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3132
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3920
      • C:\Users\Admin\AppData\Local\Temp\yqtmwz.exe
        "C:\Users\Admin\AppData\Local\Temp\yqtmwz.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3852
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1671.tmp\1672.tmp\1673.bat C:\Users\Admin\AppData\Local\Temp\yqtmwz.exe"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3372
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\6.VBS"
            5⤵
            • Enumerates connected drives
            • Modifies registry class
            PID:3080
      • C:\Users\Admin\AppData\Local\Temp\dpkrmq.exe
        "C:\Users\Admin\AppData\Local\Temp\dpkrmq.exe"
        3⤵
        • Executes dropped EXE
        PID:2404
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        3⤵
        • Views/modifies file attributes
        PID:4752
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4044
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3644
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:4280
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:3180
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4916
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:4872
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2344
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • Runs ping.exe
              PID:4380
      • C:\Users\Admin\svchost.exe
        C:\Users\Admin\svchost.exe
        1⤵
        • Executes dropped EXE
        PID:3936
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x150 0x304
        1⤵
          PID:2756
        • C:\Users\Admin\svchost.exe
          C:\Users\Admin\svchost.exe
          1⤵
          • Executes dropped EXE
          PID:3860
        • C:\Users\Admin\svchost.exe
          C:\Users\Admin\svchost.exe
          1⤵
          • Executes dropped EXE
          PID:1472

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

          Filesize

          654B

          MD5

          2ff39f6c7249774be85fd60a8f9a245e

          SHA1

          684ff36b31aedc1e587c8496c02722c6698c1c4e

          SHA256

          e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

          SHA512

          1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

          Filesize

          9KB

          MD5

          7050d5ae8acfbe560fa11073fef8185d

          SHA1

          5bc38e77ff06785fe0aec5a345c4ccd15752560e

          SHA256

          cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

          SHA512

          a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          6d42b6da621e8df5674e26b799c8e2aa

          SHA1

          ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

          SHA256

          5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

          SHA512

          53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          948B

          MD5

          c65738617888921a153bd9b1ef516ee7

          SHA1

          5245e71ea3c181d76320c857b639272ac9e079b1

          SHA256

          4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

          SHA512

          2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          d3235ed022a42ec4338123ab87144afa

          SHA1

          5058608bc0deb720a585a2304a8f7cf63a50a315

          SHA256

          10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

          SHA512

          236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          ef20a3bf9e9f2b5a96161d0df5a08fd9

          SHA1

          cd499632b1e8d158383e835c6551b6fa358df08c

          SHA256

          a89b69d78aef6361573f75767caf9128b7912a48de67b85606fdb1e15f036cf9

          SHA512

          b7893b80acdc3d6002664d4d9509351b44f009ec355f0578f6b5a605ff82becf221843a74e42dea12dbc58c92c995db3870aee583978effbda8a58d7c3e9d62c

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          852f019aa3823e1c90335ba698f31412

          SHA1

          a94ebb8e47316a5fec092ab897ec34299a82d200

          SHA256

          b4bed2ce3d5b6577836eb2b0a766c008243a1db942e341717fb4bc18e84fc2f0

          SHA512

          ca94865644cb570f60cf35a08ad5de6a3af4503bc40845237219c31e910f89cc93b280d997514583d86e6cf45eb2b8749bfe2e41bbaef67471e0b64b579e5ab3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          64B

          MD5

          843236648c17e7b11d720f5613760d8a

          SHA1

          3817030c1334fee32e1c0e6ad08e9cc1392fbedb

          SHA256

          309c24cd0ff95d7ceb33d58b206fe5d1d31fedadaa36d6e71e2afd444184ea0d

          SHA512

          e2dbc0bba9dada38be74f7a1d4d4aac5ee60eaa78114643f02883973adfc45b7555cf580d70b541c8ee1626242c2ee61469577c0a17f13d0cd0303d402a8b3aa

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          96ff1ee586a153b4e7ce8661cabc0442

          SHA1

          140d4ff1840cb40601489f3826954386af612136

          SHA256

          0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

          SHA512

          3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

        • C:\Users\Admin\AppData\Local\Temp\1.exe

          Filesize

          88KB

          MD5

          4e4ffd6981f1d7df1e06e02c7a52e86a

          SHA1

          970d227a122a826f587fb49c694a422ec6aff1e0

          SHA256

          353010e5cbdfb234aadfcb40b517b51b24bbac81b64d794d5d8f8b1cd0cd6031

          SHA512

          1f75401fe015416453119bb92ea46c71412f342fe4bf1170bc2655a1c4f1fb4344bdff64df8dfd54f8203b30445225a70f12790432d3b59693e96de2fa5750ec

        • C:\Users\Admin\AppData\Local\Temp\1671.tmp\1672.tmp\1673.bat

          Filesize

          27B

          MD5

          c7da66cab92e95daf435dc74fa5ca35a

          SHA1

          924f2b0ebac4eac12c78b298697400a1b338a4c5

          SHA256

          4ab885b4b48037707771cc63658513d3d82a80cf97fbcdf4558e35bc3adc2b92

          SHA512

          28737deed8241b3c577cc6a2942287d5be0f9a45f9a902696ab733c78fe2bcd0d47d29d0efec6cca57de656472346170379c7d1ba60a5508c31f883674786787

        • C:\Users\Admin\AppData\Local\Temp\2.exe

          Filesize

          230KB

          MD5

          8068d967a754039c953d677ed75caa65

          SHA1

          c6ca62d0e3f84f4018546cdf40b14ac80b06af95

          SHA256

          b2811334ba1ec945f7f2f1b1976e72dd634a4cf8b5679ceb4c90816d5b646b11

          SHA512

          8f8f9b0c50f3178daa1df6ce16755c7a0de24872a344fe6b93d1a9b11cfad2faa1ed5ad58c6ac9904b889188d8efaba2d51e4240e7a813fffe6878ec8970954c

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agqmqt5c.vvh.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\dpkrmq.exe

          Filesize

          4.7MB

          MD5

          1d7ec5c0d6ee4de23463e0d80d9b7b79

          SHA1

          743d3856c750e7a2a3254ba6e69d15b8146697ad

          SHA256

          05569c64af3c01d4094782cfedf3d167288167c13ba25c1562235396dcb15cf7

          SHA512

          3137d4c5f53490792dcc4d4d9baef38e5a2a4ee6fbfdeb3dd57039e8ce3f5de3f7dabb728f17e478287fb9b34717ed108228ace7be180f0b226f61ba10f24a0d

        • C:\Users\Admin\AppData\Local\Temp\yqtmwz.exe

          Filesize

          237KB

          MD5

          6520885628fe337b8665099479cc1d4d

          SHA1

          09741f5c74b3525c31004c5bd19b0ecab835186d

          SHA256

          13d8121844734f49d93956b30ffab57a220e5fe1345a0bcf89e4df9cd37ab4f4

          SHA512

          235d7a2cd8751c7f128d6e6014f098f296d49bf1fca6e0c716e3330588f9ab0688a25ab44b02879411b6210f3febdfed35d9beb1ef5a18542578211fbdd9fe9c

        • C:\Users\Admin\AppData\Roaming\6.VBS

          Filesize

          115B

          MD5

          9e242f8f35222db7713bf96248c7434c

          SHA1

          a66a0c27eca4aa325bc3dc8d907837180bcbd1b3

          SHA256

          5d173c4f51d33ea28ce3a5aa715bc7140f7bcc82c4b99fad2a2d3474c476c731

          SHA512

          4c4383df59bbbe7d5d86bc0f78b44afc68327789f5244f7cdf55f81889b6e74d008d0b94e6dfec66ac8394699919bc75a038b6c9c380fbe83161ad702b830b56

        • C:\Users\Admin\AppData\Roaming\piz.mp3

          Filesize

          198KB

          MD5

          71cf668f8ebbceda772022165b460ce3

          SHA1

          99febb0f4f9f388a4f9aeedd1530b50e0790500c

          SHA256

          321f25cb7284f1b11bea1dd0286efcce180a2ea15357acca7158d575840c3033

          SHA512

          bbc77a20f1a0a5355e82a40741ed50cc27fbbe97b4615c9f47644288275710ea288504fb97d14f786192bd6db54ba06ed61a3210a3571d988d026293aeb17a63

        • memory/2404-309-0x0000023071F90000-0x0000023072139000-memory.dmp

          Filesize

          1.7MB

        • memory/2404-308-0x0000023071F90000-0x0000023072139000-memory.dmp

          Filesize

          1.7MB

        • memory/2404-306-0x000002306F470000-0x000002306F92A000-memory.dmp

          Filesize

          4.7MB

        • memory/3852-270-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

        • memory/3852-292-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

        • memory/3992-0-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/4044-124-0x0000025226F80000-0x0000025226FA2000-memory.dmp

          Filesize

          136KB

        • memory/4592-151-0x000001E666560000-0x000001E6665B0000-memory.dmp

          Filesize

          320KB

        • memory/4592-190-0x000001E67EFC0000-0x000001E67EFD2000-memory.dmp

          Filesize

          72KB

        • memory/4592-152-0x000001E67EF80000-0x000001E67EF9E000-memory.dmp

          Filesize

          120KB

        • memory/4592-189-0x000001E67EF70000-0x000001E67EF7A000-memory.dmp

          Filesize

          40KB

        • memory/4592-150-0x000001E67EEE0000-0x000001E67EF56000-memory.dmp

          Filesize

          472KB

        • memory/4592-258-0x00007FFBF4440000-0x00007FFBF4F01000-memory.dmp

          Filesize

          10.8MB

        • memory/4592-123-0x00007FFBF4440000-0x00007FFBF4F01000-memory.dmp

          Filesize

          10.8MB

        • memory/4592-122-0x000001E664790000-0x000001E6647D0000-memory.dmp

          Filesize

          256KB

        • memory/4956-261-0x00007FFBF4440000-0x00007FFBF4F01000-memory.dmp

          Filesize

          10.8MB

        • memory/4956-187-0x00007FFBF4440000-0x00007FFBF4F01000-memory.dmp

          Filesize

          10.8MB

        • memory/4956-260-0x00007FFBF4443000-0x00007FFBF4445000-memory.dmp

          Filesize

          8KB

        • memory/4956-118-0x0000000000390000-0x00000000003AC000-memory.dmp

          Filesize

          112KB

        • memory/4956-62-0x00007FFBF4443000-0x00007FFBF4445000-memory.dmp

          Filesize

          8KB