latentbot | 5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe
Size

2.2MB
MD5

06997ceb77cdac46e7aa0a2b3118d934
SHA1

0a2e22ca70689713ad5e8ff815961c3f0ff0ca10
SHA256

5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7
SHA512

856535375dc131b26abe76b208be28b3eeff228fa915a160fee66c87170a5acdb38105023f1b05763bded22080b9763085949abe05d6b072b7f35adca45801a1
SSDEEP

49152:ovLjxFr5Fqvwv9ptGBHHzWEIYhZDsxiWuoEVW0GTRCi:oXzFY4oVHJI6wxiWuonTb

Score

10^/10

latentbot xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

knafamangobaron.zapto.org:7772

Mutex

WoIbp5XytzY0fGCF

Attributes

Install_directory
%AppData%
install_file
services.exe
telegram
https://api.telegram.org/bot5602298119:AAHsNAsC7Crzr-9zE1g6BP6nNtexJHWMyVM/sendMessage?chat_id=1154383031

aes.plain

Extracted

Family

latentbot

knafamangobaron.zapto.org

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2744-4916-0x0000000000400000-0x000000000042A000-memory.dmp	family_xworm

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1140	powershell.exe
1984	powershell.exe
2920	powershell.exe
2448	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.lnk	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.lnk	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe

Executes dropped EXE 4 IoCs

pid	Process
2884	services.exe
3440	services.exe
3644	services.exe
3096	services.exe

Loads dropped DLL 1 IoCs

pid	Process
2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "C:\\Users\\Admin\\AppData\\Roaming\\services.exe"	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 2884 set thread context of 3440	2884	services.exe	44
PID 3644 set thread context of 3096	3644	services.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
804	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1140	powershell.exe
1984	powershell.exe
2920	powershell.exe
2448	powershell.exe
2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe
Token: SeDebugPrivilege	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe
Token: SeDebugPrivilege	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe
Token: SeDebugPrivilege	2884	services.exe
Token: SeDebugPrivilege	2884	services.exe
Token: SeDebugPrivilege	3440	services.exe
Token: SeDebugPrivilege	3644	services.exe
Token: SeDebugPrivilege	3644	services.exe
Token: SeDebugPrivilege	3096	services.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 3020 wrote to memory of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 3020 wrote to memory of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 3020 wrote to memory of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 3020 wrote to memory of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 3020 wrote to memory of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 3020 wrote to memory of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 3020 wrote to memory of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 3020 wrote to memory of 2744	3020	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	28
PID 2744 wrote to memory of 1140	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	32
PID 2744 wrote to memory of 1140	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	32
PID 2744 wrote to memory of 1140	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	32
PID 2744 wrote to memory of 1140	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	32
PID 2744 wrote to memory of 1984	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	34
PID 2744 wrote to memory of 1984	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	34
PID 2744 wrote to memory of 1984	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	34
PID 2744 wrote to memory of 1984	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	34
PID 2744 wrote to memory of 2920	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	36
PID 2744 wrote to memory of 2920	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	36
PID 2744 wrote to memory of 2920	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	36
PID 2744 wrote to memory of 2920	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	36
PID 2744 wrote to memory of 2448	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	38
PID 2744 wrote to memory of 2448	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	38
PID 2744 wrote to memory of 2448	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	38
PID 2744 wrote to memory of 2448	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	38
PID 2744 wrote to memory of 804	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	40
PID 2744 wrote to memory of 804	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	40
PID 2744 wrote to memory of 804	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	40
PID 2744 wrote to memory of 804	2744	5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe	40
PID 1432 wrote to memory of 2884	1432	taskeng.exe	43
PID 1432 wrote to memory of 2884	1432	taskeng.exe	43
PID 1432 wrote to memory of 2884	1432	taskeng.exe	43
PID 1432 wrote to memory of 2884	1432	taskeng.exe	43
PID 2884 wrote to memory of 3440	2884	services.exe	44
PID 2884 wrote to memory of 3440	2884	services.exe	44
PID 2884 wrote to memory of 3440	2884	services.exe	44
PID 2884 wrote to memory of 3440	2884	services.exe	44
PID 2884 wrote to memory of 3440	2884	services.exe	44
PID 2884 wrote to memory of 3440	2884	services.exe	44
PID 2884 wrote to memory of 3440	2884	services.exe	44
PID 2884 wrote to memory of 3440	2884	services.exe	44
PID 2884 wrote to memory of 3440	2884	services.exe	44
PID 1432 wrote to memory of 3644	1432	taskeng.exe	45
PID 1432 wrote to memory of 3644	1432	taskeng.exe	45
PID 1432 wrote to memory of 3644	1432	taskeng.exe	45
PID 1432 wrote to memory of 3644	1432	taskeng.exe	45
PID 3644 wrote to memory of 3096	3644	services.exe	46
PID 3644 wrote to memory of 3096	3644	services.exe	46
PID 3644 wrote to memory of 3096	3644	services.exe	46
PID 3644 wrote to memory of 3096	3644	services.exe	46
PID 3644 wrote to memory of 3096	3644	services.exe	46
PID 3644 wrote to memory of 3096	3644	services.exe	46
PID 3644 wrote to memory of 3096	3644	services.exe	46
PID 3644 wrote to memory of 3096	3644	services.exe	46
PID 3644 wrote to memory of 3096	3644	services.exe	46

C:\Users\Admin\AppData\Local\Temp\5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe
"C:\Users\Admin\AppData\Local\Temp\5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe
  "C:\Users\Admin\AppData\Local\Temp\5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "services" /tr "C:\Users\Admin\AppData\Roaming\services.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:804

C:\Windows\system32\taskeng.exe
taskeng.exe {F957ABCE-E052-4782-BE47-D762E26A62BA} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Roaming\services.exe
  C:\Users\Admin\AppData\Roaming\services.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Roaming\services.exe
    "C:\Users\Admin\AppData\Roaming\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- C:\Users\Admin\AppData\Roaming\services.exe
  C:\Users\Admin\AppData\Roaming\services.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Users\Admin\AppData\Roaming\services.exe
    "C:\Users\Admin\AppData\Roaming\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8c645383aa5e552257b6f86e9cef2cfd

SHA1
0bc65abcc6b9cd6a78c2ffa7bff0571db7397152

SHA256
bd936af21f065ea6fec8563b688fde7fb9f8fa17f47007b1c6d7adf2f5d86918

SHA512
dd147863276cfdf235bc2c33d5f913fc911dceb0f5df3f95cf73c30147641e581220785430364f76515f34621fa4addd7fec8f0553f6111a590dc07f14968699

Download Submit
\Users\Admin\AppData\Roaming\services.exe

Filesize
2.2MB

MD5
06997ceb77cdac46e7aa0a2b3118d934

SHA1
0a2e22ca70689713ad5e8ff815961c3f0ff0ca10

SHA256
5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7

SHA512
856535375dc131b26abe76b208be28b3eeff228fa915a160fee66c87170a5acdb38105023f1b05763bded22080b9763085949abe05d6b072b7f35adca45801a1

Download Submit
memory/2744-4915-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-4916-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2744-4917-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-9830-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-9829-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-4942-0x0000000000EE0000-0x000000000110E000-memory.dmp

Filesize
2.2MB

Download
memory/3020-54-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-34-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-5-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-6-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-28-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-26-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-8-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-38-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-40-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-24-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-36-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-46-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-48-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-52-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-56-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-68-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-66-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-62-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-60-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-58-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-3-0x0000000004EB0000-0x00000000050D4000-memory.dmp

Filesize
2.1MB

Download
memory/3020-50-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-44-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-4-0x00000000060D0000-0x00000000062F4000-memory.dmp

Filesize
2.1MB

Download
memory/3020-32-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-30-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-22-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-20-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-18-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-16-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-14-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-12-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-10-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-42-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-64-0x00000000060D0000-0x00000000062EE000-memory.dmp

Filesize
2.1MB

Download
memory/3020-4891-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-4893-0x0000000002230000-0x000000000227C000-memory.dmp

Filesize
304KB

Download
memory/3020-4892-0x00000000021D0000-0x0000000002230000-memory.dmp

Filesize
384KB

Download
memory/3020-4894-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/3020-4895-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-2-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-1-0x0000000000870000-0x0000000000A9E000-memory.dmp

Filesize
2.2MB

Download
memory/3020-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/3020-4896-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-4897-0x00000000043D0000-0x0000000004424000-memory.dmp

Filesize
336KB

Download
memory/3020-4898-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-4914-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3644-9846-0x00000000010A0000-0x00000000012CE000-memory.dmp

Filesize
2.2MB

Download