Resubmissions

13-07-2024 23:41

240713-3pr3vstcrb 10

Analysis

  • max time kernel
    84s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-07-2024 23:41

General

  • Target

    Discord Tool v.7.7.exe

  • Size

    65KB

  • MD5

    5ff4a7e0fefe94b3bbf86f2137577ff2

  • SHA1

    67d9e82ef85881813228e902fd7880e0ceba20b9

  • SHA256

    a562d44e4bf6ec4f8a15c420bc3343f56011b2b454862869e01471075cba1a7e

  • SHA512

    05edf0d3bc2da186f6a159ef6e5c6f0456fc0979e188c8e8cb62799e0c663515dd9d4aaf631ac8f7830934a618e6eca5fd94e0e1d39d14ee9fbf68e97e8319a4

  • SSDEEP

    768:kRwwGkRrFpObTMFIiVZTKb9hFrTbpkLZ9WBf6Owg5+OWhXBZ5/HA:kRxGW5kbTqgTbpm9g6jk+OWRxHA

Malware Config

Extracted

Family

xworm

C2

original-preston.gl.at.ply.gg:51307

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Discord Tool v.7.7.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord Tool v.7.7.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Discord Tool v.7.7.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord Tool v.7.7.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4436
    • C:\Users\Admin\AppData\Local\Temp\mwjbna.exe
      "C:\Users\Admin\AppData\Local\Temp\mwjbna.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\mwjbna.exe"
        3⤵
        • Views/modifies file attributes
        PID:4252
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mwjbna.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3512
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:2432
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:1224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4736
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:4772
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\mwjbna.exe" && pause
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:736
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • Runs ping.exe
              PID:452
        • C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe
          "C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe"
          2⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4576
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            3⤵
              PID:1888
            • C:\Windows\SYSTEM32\attrib.exe
              "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe"
              3⤵
              • Views/modifies file attributes
              PID:2132
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1516
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3104
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3788
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5072
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" os get Caption
              3⤵
                PID:2064
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" computersystem get totalphysicalmemory
                3⤵
                  PID:4168
                • C:\Windows\System32\Wbem\wmic.exe
                  "wmic.exe" csproduct get uuid
                  3⤵
                    PID:2920
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1652
                  • C:\Windows\System32\Wbem\wmic.exe
                    "wmic" path win32_VideoController get name
                    3⤵
                    • Detects videocard installed
                    PID:4856
                  • C:\Windows\SYSTEM32\cmd.exe
                    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe" && pause
                    3⤵
                      PID:1368
                      • C:\Windows\system32\PING.EXE
                        ping localhost
                        4⤵
                        • Runs ping.exe
                        PID:4140
                  • C:\Windows\SYSTEM32\cmd.exe
                    "cmd"
                    2⤵
                      PID:4136
                      • C:\Windows\system32\netsh.exe
                        netsh wlan show profiles
                        3⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:3832
                  • C:\Users\Admin\AppData\Roaming\XClient.exe
                    C:\Users\Admin\AppData\Roaming\XClient.exe
                    1⤵
                    • Executes dropped EXE
                    PID:2820

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                    Filesize

                    2KB

                    MD5

                    750e4be22a6fdadd7778a388198a9ee3

                    SHA1

                    8feb2054d8a3767833dd972535df54f0c3ab6648

                    SHA256

                    26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1

                    SHA512

                    b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    948B

                    MD5

                    ba42012e626d8c04b25c5e8bcb49d58e

                    SHA1

                    4f542888067e87d2d4dd8ced7bc901abd60f819b

                    SHA256

                    0a3c73d3b3afc81747d415241a047a1cadd117a0536606b89e57ecf8836e40ff

                    SHA512

                    6678e24f430379c3c2ec0385fc02d0db9a65720072b57e4b36f23be65c82b4d3da2692e1bf0d575bdd59d5673fa1b64ab99d1881367af632bb89121b1981fe11

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    1KB

                    MD5

                    6345996dd8d19b416cbb0644e896864a

                    SHA1

                    70b553a603fdee1e2300b4b9855a6d691da6d201

                    SHA256

                    84c7485a1486ac110f581d143f84708c8b6bf5cffaf04d4c870001e107ce007a

                    SHA512

                    2b349aed2b54ca9d212036a8a97b16d5b5bae4e42daf9a4b142685382d44af438bc72e725c586318854096dd744372240dd24e526580b432afc055b3b74c1cd0

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    1KB

                    MD5

                    45ad40f012b09e141955482368549640

                    SHA1

                    3f9cd15875c1e397c3b2b5592805577ae88a96cb

                    SHA256

                    ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce

                    SHA512

                    3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    64B

                    MD5

                    b68ab4ca7e39baffff644d4820c98f0c

                    SHA1

                    25aee3c71f29c4520c9a89a13ce47864b75ced4e

                    SHA256

                    974a01642047984dcc7429b685decc35b22bfb88926f25174f77721f4afaf676

                    SHA512

                    5c96c46ba870ced22f9956ecec737fe2a6d4d73a52a1db323b29a82324f3fbd298ecb0a79ce55828bcb9e813b64815bae137d480f26e9d69f6cf7830dfd4ab9d

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    96ff1ee586a153b4e7ce8661cabc0442

                    SHA1

                    140d4ff1840cb40601489f3826954386af612136

                    SHA256

                    0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

                    SHA512

                    3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    948B

                    MD5

                    c65738617888921a153bd9b1ef516ee7

                    SHA1

                    5245e71ea3c181d76320c857b639272ac9e079b1

                    SHA256

                    4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

                    SHA512

                    2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    1KB

                    MD5

                    227556da5e65f6819f477756808c17e4

                    SHA1

                    6ffce766e881ca2a60180bb25f4981b183f78279

                    SHA256

                    101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

                    SHA512

                    d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    b8b57459858c5ea0c76b88922d7a0b37

                    SHA1

                    9a102b358e31fc79315e24603947558c119afad3

                    SHA256

                    2d005bc789565b275d0587ba2ecc42b2eadd81d80aa77aff4e3432a2e3e70dc6

                    SHA512

                    ffc443124f35a267f7ed85d0444040da0cadcbb3ceb1293f3186f34bda75bbd778e6dc9806903aed46b053178108714dcc4dec4cce3229bb7d5808b37fb6cc54

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    ef72c47dbfaae0b9b0d09f22ad4afe20

                    SHA1

                    5357f66ba69b89440b99d4273b74221670129338

                    SHA256

                    692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

                    SHA512

                    7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    98baf5117c4fcec1692067d200c58ab3

                    SHA1

                    5b33a57b72141e7508b615e17fb621612cb8e390

                    SHA256

                    30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

                    SHA512

                    344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    9948df3a61230068601b6cf5f5ae6195

                    SHA1

                    b6cd3118ae6ae8a0c7c2707700616a32619888a1

                    SHA256

                    8eb4591930c695e7e8dc6e938d14419ef957b54241bb376635a999ac744b9db8

                    SHA512

                    af80d545ed24cece281b033961905ad139a1cc0e8082ca5a114c58e0cad18bed5a4f881400436d6b5eafcff3d9e37d4c16bcc41771ab9f20613a7805bedf8f4c

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgyp3cxf.tsf.ps1

                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  • C:\Users\Admin\AppData\Local\Temp\mwjbna.exe

                    Filesize

                    254KB

                    MD5

                    b840d3fa729c3e32debff348311c5e74

                    SHA1

                    a3c857ebffc0e31d4983dc488849088a5515f1f4

                    SHA256

                    bf06c2b8760d163e7de3c4443101c7598056fc0ab552ac1638cca5466dfd3a8c

                    SHA512

                    6e6592a39ed14d29dd1c5562e919cb01b8683e3bcc80053c9157417b00140fbfe488dd1676d673ccc8d09491e5ff55ee1357a3dce2cfee8bab94e909d1217d74

                  • C:\Users\Admin\AppData\Roaming\XClient.exe

                    Filesize

                    65KB

                    MD5

                    5ff4a7e0fefe94b3bbf86f2137577ff2

                    SHA1

                    67d9e82ef85881813228e902fd7880e0ceba20b9

                    SHA256

                    a562d44e4bf6ec4f8a15c420bc3343f56011b2b454862869e01471075cba1a7e

                    SHA512

                    05edf0d3bc2da186f6a159ef6e5c6f0456fc0979e188c8e8cb62799e0c663515dd9d4aaf631ac8f7830934a618e6eca5fd94e0e1d39d14ee9fbf68e97e8319a4

                  • C:\Windows\System32\drivers\etc\hosts

                    Filesize

                    2KB

                    MD5

                    4028457913f9d08b06137643fe3e01bc

                    SHA1

                    a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                    SHA256

                    289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                    SHA512

                    c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                  • memory/536-133-0x0000016ACDE30000-0x0000016ACDE3A000-memory.dmp

                    Filesize

                    40KB

                  • memory/536-70-0x0000016AB3540000-0x0000016AB3586000-memory.dmp

                    Filesize

                    280KB

                  • memory/536-95-0x0000016ACDD90000-0x0000016ACDE06000-memory.dmp

                    Filesize

                    472KB

                  • memory/536-96-0x0000016ACDD40000-0x0000016ACDD90000-memory.dmp

                    Filesize

                    320KB

                  • memory/536-97-0x0000016ACDD10000-0x0000016ACDD2E000-memory.dmp

                    Filesize

                    120KB

                  • memory/536-153-0x0000016ACDA00000-0x0000016ACDB02000-memory.dmp

                    Filesize

                    1.0MB

                  • memory/536-134-0x0000016ACDE60000-0x0000016ACDE72000-memory.dmp

                    Filesize

                    72KB

                  • memory/1152-15-0x00007FFD41B90000-0x00007FFD42651000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/1152-13-0x000002D2F3B90000-0x000002D2F3BB2000-memory.dmp

                    Filesize

                    136KB

                  • memory/1152-18-0x00007FFD41B90000-0x00007FFD42651000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/1152-14-0x00007FFD41B90000-0x00007FFD42651000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/1152-8-0x00007FFD41B90000-0x00007FFD42651000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4576-241-0x000002729A3E0000-0x000002729A4E2000-memory.dmp

                    Filesize

                    1.0MB

                  • memory/4720-0-0x00007FFD41B93000-0x00007FFD41B95000-memory.dmp

                    Filesize

                    8KB

                  • memory/4720-57-0x00007FFD41B93000-0x00007FFD41B95000-memory.dmp

                    Filesize

                    8KB

                  • memory/4720-1-0x0000000000E80000-0x0000000000E96000-memory.dmp

                    Filesize

                    88KB

                  • memory/4720-58-0x00007FFD41B90000-0x00007FFD42651000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4720-2-0x00007FFD41B90000-0x00007FFD42651000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4720-246-0x000000001E7D0000-0x000000001EB20000-memory.dmp

                    Filesize

                    3.3MB

                  • memory/4720-247-0x000000001C840000-0x000000001C84A000-memory.dmp

                    Filesize

                    40KB

                  • memory/4720-248-0x000000001C890000-0x000000001C8A2000-memory.dmp

                    Filesize

                    72KB