Analysis

  • max time kernel
    1790s
  • max time network
    1456s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    23-05-2024 08:43

General

  • Target

    XClient.exe

  • Size

    41KB

  • MD5

    cb09c9133f40c4903525fa5a7df4c405

  • SHA1

    e8496990338d09a6b73d4808e3aada0f50cf758a

  • SHA256

    ad335bba6ec965c12c17a0fb8ae86aa26beebca57e63fba662757a79f1d6df22

  • SHA512

    be757f81deb1b8f43d51332d383ff829524ea94a54a732576b30bdba43a31eee2dfc9cd8ed5dce2cd06e191c307db2ddee687895a0de5ad6bc9709d167631b1f

  • SSDEEP

    768:KU0MzzOOfBbw197oyoyv08cr/rZ+IF5Pa9n2e6iOwhM3sik:KU0M/bZbwXsyrs3rd9F492e6iOwSNk

Malware Config

Extracted

Family

xworm

Version

5.0

C2

https://pastebin.com/raw/qaWffTar:5

Mutex

C6npgtaAk9A5snxm

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/qaWffTar

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1880
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1984
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
      2⤵
        PID:1876
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF8C7.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4048
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:2068
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4164
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1012
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:5080
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:1332
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4620
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2600

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Execution
      • T1059 Command and Scripting Interpreter (1)
      • T1059.001 PowerShell (1)
      • T1053 Scheduled Task/Job (1)

    Persistence
      • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1053 Scheduled Task/Job (1)

    Privilege Escalation
      • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1053 Scheduled Task/Job (1)

    Defense Evasion
      • T1112 Modify Registry (3)

    Discovery
      • T1012 Query Registry (4)
      • T1120 Peripheral Device Discovery (2)
      • T1082 System Information Discovery (4)

    Command and Control
      • T1102 Web Service (1)

    Downloads

    • C:\Users\Admin\AppData\Local\IconCache.db
      Filesize

      12KB

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

    • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
      Filesize

      1016B

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\start.bin
      Filesize

      4KB

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DGZPR200\microsoftwindows.client[1].xml
      Filesize

      96B

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DGZPR200\microsoftwindows.client[1].xml
      Filesize

      4KB

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\E5FL4N2J\microsoftwindows.client[1].xml
      Filesize

      13B

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\E5FL4N2J\microsoftwindows.client[1].xml
      Filesize

      97B

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\E5FL4N2J\microsoftwindows.client[1].xml
      Filesize

      4KB

    • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
      Filesize

      313B

    • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
      Filesize

      404B

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqducug2.aax.ps1
      Filesize

      60B

    • C:\Users\Admin\AppData\Local\Temp\tmpF8C7.tmp.bat
      Filesize

      159B
