Analysis

  • max time kernel
    1792s
  • max time network
    1799s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/07/2024, 09:48

General

  • Target

    XClient.exe

  • Size

    76KB

  • MD5

    86a9c77c563f954663d1a8925f33d1e3

  • SHA1

    6d46955ecdba3ad417009c4de60de1209f337614

  • SHA256

    1675e1b017c7a66dc12687ab7607617695eaa7a17465404284e9141812719ade

  • SHA512

    168336d58676b007ffa2f96d44d970fed49e5293b66a5955c7190f7843a80692b63c969b3b6c2b8b17bcdd7a9df7eff3cc5617ce57ec3da505376cdf7c460eca

  • SSDEEP

    1536:cwXF8sd1oeBrivxhCGOSMbCGKteMkWA66wMOUXNbd1q:cwXF8sdBpaIbzEkbwMOALq

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:41896

20.ip.gl.ply.gg:41896

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload (2 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (37 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with the open source UPX packer or a modified UPX.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious use of AdjustPrivilegeToken (38 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (31 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4180
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3328
    • C:\Users\Admin\AppData\Local\Temp\gvpfqk.exe
      "C:\Users\Admin\AppData\Local\Temp\gvpfqk.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\56C6.tmp\56C7.tmp\56C8.bat C:\Users\Admin\AppData\Local\Temp\gvpfqk.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Users\Admin\AppData\Roaming\fuck.exe
          fuck.exe
          4⤵
          • Executes dropped EXE
          PID:2100
    • C:\Users\Admin\AppData\Local\Temp\gmlaah.exe
      "C:\Users\Admin\AppData\Local\Temp\gmlaah.exe"
      2⤵
      • Executes dropped EXE
      PID:2532
    • C:\Users\Admin\AppData\Local\Temp\awpfzu.exe
      "C:\Users\Admin\AppData\Local\Temp\awpfzu.exe"
      2⤵
      • Executes dropped EXE
      PID:4180
    • C:\Users\Admin\AppData\Local\Temp\twgpfa.exe
      "C:\Users\Admin\AppData\Local\Temp\twgpfa.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Users\Admin\AppData\Local\Temp\huii.exe
        "C:\Users\Admin\AppData\Local\Temp\huii.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe" xui2
          4⤵
          • Executes dropped EXE
          PID:3900
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1900
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2148
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2856
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3a0 0x304
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1316
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4964
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3952
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2484
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5088
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:384
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4036
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2960
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3044
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3360
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3364
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2020
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2316
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2788
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:908
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1540
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4320
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2012
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3968
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:412
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1952
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4888
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4348
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3520
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1528
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:320
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:232
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3612

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

    Filesize

    654B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

  • C:\Users\Admin\AppData\Local\Temp\56C6.tmp\56C7.tmp\56C8.bat

    Filesize

    30B

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xui2.cur

    Filesize

    4KB

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wc2a2v4e.tx2.ps1

    Filesize

    60B

  • C:\Users\Admin\AppData\Local\Temp\awpfzu.exe

    Filesize

    4.7MB

  • C:\Users\Admin\AppData\Local\Temp\gmlaah.exe

    Filesize

    10.0MB

  • C:\Users\Admin\AppData\Local\Temp\gvpfqk.exe

    Filesize

    48KB

  • C:\Users\Admin\AppData\Local\Temp\huii.exe

    Filesize

    313KB

  • C:\Users\Admin\AppData\Local\Temp\twgpfa.exe

    Filesize

    323KB

  • C:\Users\Admin\AppData\Roaming\fuck.exe

    Filesize

    5KB

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    76KB

  • C:\Users\Admin\AppData\Roaming\xui2.cur

    Filesize

    3KB
