Overview

overview

10

Static

static

3

CatrinePer...rm.exe

windows7-x64

10

CatrinePer...rm.exe

windows10-2004-x64

10

CatrinePer...rm.exe

windows7-x64

10

CatrinePer...rm.exe

windows10-2004-x64

10

f_000004.js

windows7-x64

1

f_000004.js

windows10-2004-x64

1

f_00001c.js

windows7-x64

1

f_00001c.js

windows10-2004-x64

1

CatrinePer...9_0.js

windows7-x64

1

CatrinePer...9_0.js

windows10-2004-x64

1

CatrinePer...0_0.js

windows7-x64

1

CatrinePer...0_0.js

windows10-2004-x64

1

CatrinePer...Ex.dll

windows7-x64

1

CatrinePer...Ex.dll

windows10-2004-x64

1

CatrinePer...PC.dll

windows7-x64

1

CatrinePer...PC.dll

windows10-2004-x64

1

CatrinePer...ro.dll

windows7-x64

1

CatrinePer...ro.dll

windows10-2004-x64

1

CatrinePer...re.dll

windows7-x64

1

CatrinePer...re.dll

windows10-2004-x64

1

CatrinePer...ms.dll

windows7-x64

1

CatrinePer...ms.dll

windows10-2004-x64

1

CatrinePer...pf.dll

windows7-x64

1

CatrinePer...pf.dll

windows10-2004-x64

1

CatrinePer...rs.dll

windows7-x64

1

CatrinePer...rs.dll

windows10-2004-x64

1

CatrinePer...on.dll

windows7-x64

1

CatrinePer...on.dll

windows10-2004-x64

1

Revo_Unins...o5.ps1

windows7-x64

1

Revo_Unins...o5.ps1

windows10-2004-x64

1

Revo_Unins...up.exe

windows7-x64

7

Revo_Unins...up.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    209s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-02-2024 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CatrinePerm/CatrinePerm.exe

  • Size

    811KB

  • MD5

    5aabc1aaec4fe6297da47c8d327ddd29

  • SHA1

    ddfb19d827747f4ed4e59d4f2975f7017568e974

  • SHA256

    45df56d3bd73f3dd6ee05a8d77afd52d61012d1742cae6e42196f9f6f236f6d8

  • SHA512

    290b5f9e373b39f41b235ea09d90d026db38e0e63b7f660ff020d9c99819d7baa051fe5fae8221fc8eb5ac635a65de47ba127da2453e7d3a25f1ca337afb9fd6

  • SSDEEP

    12288:bwr+M1vyQiO+e7tmMjg4yDY7YjqhRNecqnfpQzt562ByZG3Xw5FP/umZtD1ryHsw:MzDE4Hzn2pstQEyZGw5F+SD1OHo6T

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

78.69.106.17:8000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Winrar.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe
    "C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Roaming\CatrinePerm.exe
      "C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"
      2⤵
      • Executes dropped EXE
      PID:4552
    • C:\Users\Admin\AppData\Roaming\winrar.exe
      "C:\Users\Admin\AppData\Roaming\winrar.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3084
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1164
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2940
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winrar" /tr "C:\ProgramData\Winrar.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2512
  • C:\ProgramData\Winrar.exe
    C:\ProgramData\Winrar.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3428
  • C:\ProgramData\Winrar.exe
    C:\ProgramData\Winrar.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4544
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winrar" /tr "C:\ProgramData\Winrar.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4292
  • C:\ProgramData\Winrar.exe
    C:\ProgramData\Winrar.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5088
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winrar" /tr "C:\ProgramData\Winrar.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    440cb38dbee06645cc8b74d51f6e5f71

    SHA1

    d7e61da91dc4502e9ae83281b88c1e48584edb7c

    SHA256

    8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

    SHA512

    3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winrar.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d8cb3e9459807e35f02130fad3f9860d

    SHA1

    5af7f32cb8a30e850892b15e9164030a041f4bd6

    SHA256

    2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

    SHA512

    045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    15dde0683cd1ca19785d7262f554ba93

    SHA1

    d039c577e438546d10ac64837b05da480d06bf69

    SHA256

    d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

    SHA512

    57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    22310ad6749d8cc38284aa616efcd100

    SHA1

    440ef4a0a53bfa7c83fe84326a1dff4326dcb515

    SHA256

    55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

    SHA512

    2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    ba169f4dcbbf147fe78ef0061a95e83b

    SHA1

    92a571a6eef49fff666e0f62a3545bcd1cdcda67

    SHA256

    5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

    SHA512

    8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    8084668a155acd715e33a95409af239b

    SHA1

    a6e674ed1b20a1fd71f6fea064a6920e2728bfef

    SHA256

    1e21d1dae32408fbe6772e627caecd4a129f36fac22ed51e064de4c179185da4

    SHA512

    015081005c3b6134589f09216dc518532df84ca3af540c3fc65e5e39e909376d1e56ef2f28e1ca7d5b11a84291ed0cf7f384d337bde1180be2c0c857160f3dc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    86ea83990d79e03c0d853ffbca0c690e

    SHA1

    a863dd4116b045a4848c8c7bd9c7a7c6d6fe5a1d

    SHA256

    a5634bb2f586c00d0edae894b1b60580318de79afab575d37979545912687098

    SHA512

    d3ff1ff07ee2704307e1c930c64af43e31dbe795bc5da953fde7af5b1a75a85774641e13f7d5bf0dcfaf6abd7fa147fa284482fea9447f8acec1ad5d7440affe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    fd9152fd0fab56908fe168af91a08303

    SHA1

    e4e64d449aaae4e5cda388fc492ff8ee0878af24

    SHA256

    a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

    SHA512

    c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    797854a243216a8151b7bf335394c53f

    SHA1

    e9963ea0aece462daae4a6ff2f9525268c7ff1c4

    SHA256

    49c312b5bb740271b4fb126505bd4a806bda1afd7bc848d9023ef266a9d2c9b8

    SHA512

    90e2ab3a579c387d4bd239a487994fc743fe358419b561ef2ae1cdedbedce534aa4806bdec4b97e0ef5439134014adaa9549560d3af58f7ce542564d0069d8ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    9bc110200117a3752313ca2acaf8a9e1

    SHA1

    fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

    SHA256

    c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

    SHA512

    1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    98baf5117c4fcec1692067d200c58ab3

    SHA1

    5b33a57b72141e7508b615e17fb621612cb8e390

    SHA256

    30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

    SHA512

    344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmymk34q.igp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\CatrinePerm.exe
    Filesize

    139KB

    MD5

    10605ec186aacb6a4b3dde419cb0b5e5

    SHA1

    9c41040a4c238dec28c4f47bfb0a28a3cd4bf19d

    SHA256

    ca5b3ebffc2080fec7d44655069190b892e51e4bc4401c31f64a5a70d46f1ead

    SHA512

    1d48bbc5c965f098300ce5404269ea5b1694887531b9aa1e953755f631325946e4914405ae3cabfe13d222ddfde4b0368d446b9aad3956f345d6b142d6579a9d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winrar.lnk
    Filesize

    665B

    MD5

    f673d249c61de98ef354257036355eb6

    SHA1

    c4865edfc4a24ae2ff7cd0b028872a4433c56431

    SHA256

    ed044a0f8a4280d8e647588f3eb95ddb4fc3ce8fc12f8c7a71df0d1e4f798471

    SHA512

    605aba98685be7e7e529826c3934e25a2543481bf0858f297f33f2c99fe5c24aae07e923943cfefb79bb44c8694f44f8acdb91e080fceac6b1927efa57f3279b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winrar.lnk
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\winrar.exe
    Filesize

    251KB

    MD5

    e10be4048c01cbdb578d684b1137cbd9

    SHA1

    e1848070b2840559524572f735f4df8e8fd2205d

    SHA256

    ae3e0d672c98c2c7afa877acd2e35b5867ae289eae42c28a909b3f5702108ea8

    SHA512

    22ef316c6989248c70e45611ccc9532e0ac687b6889657f9ad48627594fa4b10de6ad38132a9901ab96e1b832273f74a82181c949fd12fd0c8ac1b7de02488d5

    Download Submit

  • memory/984-123-0x0000017DB3820000-0x0000017DB3830000-memory.dmp

    Filesize

    64KB

    Download

  • memory/984-135-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/984-122-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1044-169-0x000000001B620000-0x000000001B630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1044-171-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1044-106-0x000000001B620000-0x000000001B630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1044-105-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1044-168-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1164-46-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1164-58-0x0000016BBE4D0000-0x0000016BBE4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1164-60-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1164-56-0x0000016BBE4D0000-0x0000016BBE4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1240-103-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1240-94-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1240-95-0x000000001B680000-0x000000001B690000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1240-27-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1240-25-0x0000000000A20000-0x0000000000A64000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1240-28-0x000000001B680000-0x000000001B690000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1448-187-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1448-175-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1872-121-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1872-107-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1872-114-0x000002F08AF10000-0x000002F08AF20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1872-113-0x000002F08AF10000-0x000002F08AF20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2056-202-0x0000023CC4F90000-0x0000023CC4FA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2056-203-0x0000023CC4F90000-0x0000023CC4FA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2056-204-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2056-216-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2940-86-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2940-89-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2940-87-0x00000215B5E10000-0x00000215B5E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3084-44-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3084-40-0x000002899F5B0000-0x000002899F5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3084-41-0x000002899F5B0000-0x000002899F5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3084-39-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3084-35-0x000002899F500000-0x000002899F522000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3140-173-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3140-174-0x000000001B010000-0x000000001B020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3140-230-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3200-201-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3200-189-0x0000018F73E80000-0x0000018F73E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3200-188-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3428-98-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3428-100-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4132-141-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4132-147-0x0000024E7A3D0000-0x0000024E7A3E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4132-146-0x0000024E7A3D0000-0x0000024E7A3E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4132-150-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4544-151-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4544-158-0x000002186F600000-0x000002186F610000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4544-152-0x000002186F600000-0x000002186F610000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4544-165-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4644-61-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4644-63-0x00000137EC6F0000-0x00000137EC700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-62-0x00000137EC6F0000-0x00000137EC700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4644-75-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4948-26-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4948-0-0x00000000002D0000-0x000000000033A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/4948-2-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5088-227-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5088-228-0x0000019F73710000-0x0000019F73720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5088-229-0x0000019F73710000-0x0000019F73720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5088-231-0x0000019F73710000-0x0000019F73720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5088-233-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

    Filesize

    10.8MB

    Download