Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    43KB

  • MD5

    7e71f66eb4bd975fa6894f7be63d9de7

  • SHA1

    a0b6a69adffde7a5209498ce1656f0d406da9204

  • SHA256

    89055b8db329f28180bdd72d02227f175a46b79b470c5131e932d235104ab6e1

  • SHA512

    5a776de6708ffa802700febe9a6a1cd95cd907f8d435c7ea28644c3c31565e373223b8db05ca142cb5bdc0d13745fba03099edbfc2fe7f9095232a997cdf6bf1

  • SSDEEP

    768:vSniTSIuNNk3MO56kjBbvSevz5zbbTf8EmZPcBH6clOQhAGb:oiT9n6k5zbHf8PZP8H6OOQC8

Score
10/10
xwormdiscoveryexecutionpersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

147.185.221.23:53631

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 14 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2808
    • C:\Windows\system32\CMD.EXE
      "CMD.EXE"
      2⤵
        PID:2900
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:2
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2392
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {A6C1A026-A1FC-4140-BB36-DA20189E8B72} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Users\Admin\AppData\Roaming\XClient.exe
        C:\Users\Admin\AppData\Roaming\XClient.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
      • C:\Users\Admin\AppData\Roaming\XClient.exe
        C:\Users\Admin\AppData\Roaming\XClient.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2224
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SelectSend.mpeg2"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1720

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0ab33148c5b3344c6c9fa1b58b4ae21d

      SHA1

      887b7b85aa6de2cf25ca4efee618f40f8db36624

      SHA256

      a1865e9004c0c6d398d62e85bd00d60d42d257d6ab44b43a68072587b29a7d63

      SHA512

      6552bbef305b5f8f4dc79cb49178c90cba1ceb52500c505e2c59148b3ac47ef4d837c53bebe472e2f20147ddbc7448ec98f0a18e311bc6725ca7a102ad9fef03

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f28a0078ac374044a298e0a39dffdbd3

      SHA1

      b794caeb76c8c9754f1618a5cec2c6afad7f08ef

      SHA256

      a8effaf359e9b01579a98bc614852b6b62cb6b02fb9f2a733aeb66b147cd0afd

      SHA512

      e02c7a92f8e18d511e9ca7e6191b921f78ef48b8d4f916d99cbcebaac644d1e84ebf29349fc42eccc7f846763786d46c8b97097409877f2adb23b1e275de7e04

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      948ea080811640bf498401e41da09455

      SHA1

      5d6376efa30b46a5c24bc5b6a1d93a580ac6c335

      SHA256

      6e7921f2fe32aff678e4acdc7ac27ce54618cba01393401540341594f14e1cec

      SHA512

      c9d556175353dcbaf139dd728edfc461e913e934895bbd902ff100b3aedde1921cbe6aa0da5e82724707477f90d640d55b84e205f8597e3750b68448a121a149

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0a8ae443c282f1f824a9794d106717ca

      SHA1

      0a11913a0b274d35c3ffaf84da63f4c2a7584827

      SHA256

      31876880a0754a519725ff727f2cbc369fd29a1373dfbe50a6ab73ded19874db

      SHA512

      189d44824a55f16856fba3507ba16e267d6f01e372bc67763e38348fed0cbbf56588cbbe2f3ea36c6dd889f3677a3baf502752be7532f55244cfb71e41f62cd1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      59467f818c36ebde3be9925a873b98ea

      SHA1

      0fe0f3dfc377e79ed802b38606d85e22275c711c

      SHA256

      1e4869e73b8160f753b06940b451c9ea78eeebe7006bc7d04551b4a591c9fcfd

      SHA512

      c7c5310d1707360400092922b2b1850ae77ea543ef3822c94a9c414068fe922d1f22120d3a87a57426262fed3a6cb96f5178165533afee7008fa3daf1febcc42

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ffdec78f41dc3acfcf629578d059f073

      SHA1

      247c31c4c4c1098d9a0fc9b39673215781642ba7

      SHA256

      c3537c33543aea5a28b248baa4b961483b149b112f0e89d4ae67c1ef08ac621b

      SHA512

      9a87febd733657415dbc001d23e1ee2c4e8f49eee4ac5812dc354ec18928936ac75ee6ad5602ee7629c0e3e8d453312a8b839f051d4f25e640fe89598c684347

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      bdb0535441c3820770f3146c77e51a21

      SHA1

      851fc6e9dc527769a574b93f740ae5e34aa48c60

      SHA256

      9533bbd689e659d6b8c739339076c119cbd06f6012a755e2e50fde8567eba35c

      SHA512

      ae161e59196b680781d4d3900410aede6e755b9b3cba3a603614a707aea39cbece649363f935c7b7f022dd2b0c3a9a3c1d31f24e7e4cb9ab8ba59d6db1d4ce93

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c0fb452a993c5da203c3c62709cb1503

      SHA1

      b6af59246ff6b61359bb31fcd8cc53d8290ab563

      SHA256

      d965fcca96c09371417c4d5dc21498a852d0f178986015538500bcaa983f8775

      SHA512

      61cf990278a46455c073074a6d077801af23ed142f34784d84c44ab21e3a7616ea8a3b9d160d5bd3b10ec4cae058eeca94b71edda8c45ecbd5a80b63e8b1689c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      9ac07d63d192ef15b01ebc7fbefc4562

      SHA1

      dd8c2aba03c090b7a0c2326cd93eb8f9a88c7a4c

      SHA256

      9138a8f5377763c65704ac4e776d96df5b6979bf14fc6b7600fd2baa8fc838ba

      SHA512

      8a58a6c696095d7224c25fb529cd6d76f754d46501eb15787a83ebb92dd6b676f76a86a5a9011d118a6a12c4f9b194e8502e60152c2e508608e140ee381996dc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      58167c7e05403488ed7443ad8719f4c0

      SHA1

      3cd98d39b079694a283aad90111d72ff733b4160

      SHA256

      5c6bdaca6cc9d49b8e012249e4f0910be780434d3880b9081e85b63e311b524f

      SHA512

      b7a1f72d8d48ae8c59c8f73e25d3d57879b16c811648b8c325991f2ee2f69326150d930e352323ed405a566eaf284100c2218be869f6032c28a851f750b7d3d2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c86ae77893d84ea141a867a412c1d69f

      SHA1

      5cebc90c4021c0b688c13eaa197772a407b1c1ea

      SHA256

      410dfbf03a4fbcf6eb493f55624b6c1c95c32ec807bc828c132c5b2b30d60ab4

      SHA512

      082c236d03f726f662fca0cd874ae112edf4c01777ad887472a5f06adc72ff65bbc9a6eb2aca43ec11c0656d0732630ce37950c86ac99b7a750d5f3a92cbdfab

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      17e358e39c45f3515e18a80c4aa7bb3c

      SHA1

      b8c5981d762abb8be7e8e7c7b474963e7162d8a6

      SHA256

      9b682ccc07fc7d3073b258ea5d6b9dce095621fec7746ef855e916d228ffb9a9

      SHA512

      508468cfdcbd6301c0c226f9c97e580949d83792fc642900f2ed7b38e5b5e0fb124b7d7a76c46bdde8da754b4cfc7fd8a4202b3378562d23a960921aec675a1f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabCCE3.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarCDA1.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NL4C88364MKR0H77PT0D.temp
      Filesize

      7KB

      MD5

      170bc2e6589189412a0927e889f4c3d2

      SHA1

      3c46a805958849b393a50ddf9f1c0881aef74b10

      SHA256

      844688079b2154d6843daf98f24bf9187fcd5ab7ade87fa60e32e9138a985c4b

      SHA512

      ebc21c54670938bb7b699874e671d85164a45b9950cc466994ec36bd02d924357ef28f111e0110d79c73a5a3fc580d25ef55a563aedc22679caec505f088a4e4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XClient.exe
      Filesize

      43KB

      MD5

      7e71f66eb4bd975fa6894f7be63d9de7

      SHA1

      a0b6a69adffde7a5209498ce1656f0d406da9204

      SHA256

      89055b8db329f28180bdd72d02227f175a46b79b470c5131e932d235104ab6e1

      SHA512

      5a776de6708ffa802700febe9a6a1cd95cd907f8d435c7ea28644c3c31565e373223b8db05ca142cb5bdc0d13745fba03099edbfc2fe7f9095232a997cdf6bf1

      Download Submit

    • C:\Users\Admin\Desktop\How To Decrypt My Files.html
      Filesize

      723B

      MD5

      553cf6c7e10d1c701098d7e1d0a01839

      SHA1

      3cbdf41c6d02de51754a2696a382485be5175771

      SHA256

      bfbb59fa451071b37088b6286c3e5941f2536c4d9a1b77c1c6e987da9545b6ae

      SHA512

      591ace58027c743e663598f29857e3fa52e47e5a015dfb5e46570fcc563b623306b6e9de5df0aed2f5242c7ae88178aced6c909ec3b8c075b5d7239922d3183c

      Download Submit

    • C:\Users\Admin\Desktop\SelectSend.mpeg2
      Filesize

      568KB

      MD5

      3a0c5e3b977117f413521dc033efc801

      SHA1

      866c140254c3d9fdd300fbeafb7d0a68924eac2b

      SHA256

      4374c612fd837267b535e31f84d306f3b308428af232894272781e7e55447e62

      SHA512

      5d457b2ab727fd696ba589b91caa82d4e89215dc71905d535a08c1a59d9038bdee83436fbad83bdb00118a57e48646a41ea4896579603d44aa6ad99aa38f8639

      Download Submit

    • C:\Users\Admin\Desktop\desktop.ini
      Filesize

      282B

      MD5

      9e36cc3537ee9ee1e3b10fa4e761045b

      SHA1

      7726f55012e1e26cc762c9982e7c6c54ca7bb303

      SHA256

      4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

      SHA512

      5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

      Download Submit

    • C:\Users\Admin\Documents\CloseDismount.xlsx
      Filesize

      12KB

      MD5

      aee47713681f597ed729cd9214349717

      SHA1

      061df0315fa905da37e30f374c7902a36e2e77b5

      SHA256

      170c0f8aa62f1a5f7995a3127b0a4e4a6e3c1b2d94506189406764d47d8afdc4

      SHA512

      b5f880ff1c7639e025fbe7713e1ecd4bdc392e5827875f49b449117a2b6c4bd08d75c9a5fe2bfff3795324177aba4c1415bf98dc494c8bbd11454e5d156f61ad

      Download Submit

    • C:\Users\Admin\Documents\CloseDismount.xlsx.ENC
      Filesize

      12KB

      MD5

      b49efffaeeeca56d073e169780cde3ad

      SHA1

      2044e9f26c56da4bf3cf19714eb2de480cc7d280

      SHA256

      03c94baee15393955f538b0a2e53efa12c0dd61c6fcc2470864367430af2219c

      SHA512

      28492f1af8512413d61da0a2ee251182c3582f30e22e7383b4ef6f5f3c802edb7ce9776035861d145de988084811b4a1b7ea2f1a48f29c6cf548500a66750ceb

      Download Submit

    • C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
      Filesize

      16B

      MD5

      ae6108264b800ee2f6ef597cebb09451

      SHA1

      9bbc1173c50dd788385dab7d8c1c257b474d87eb

      SHA256

      698aed449c7ec7359cd4d4b832861febdd146510c7d8ba617285582b1de70ff9

      SHA512

      17135a075c5d39783d9486e1a4b9cae4b1b6d15b6ea342a0e6b2f30a939aec28c2881ea0ba5b8613deb3e1052d767cfe264275ab4c50f4b3214a6a35a1cc2c1d

      Download Submit

    • memory/1636-37-0x0000000000D50000-0x0000000000D62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1720-1189-0x000007FEF1970000-0x000007FEF19A4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1720-1188-0x000000013FCA0000-0x000000013FD98000-memory.dmp

      Filesize

      992KB

      Download

    • memory/1720-1190-0x000007FEED740000-0x000007FEED9F6000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/1720-1191-0x000007FEEC560000-0x000007FEED610000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/2096-8-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2096-7-0x000000001B610000-0x000000001B8F2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2096-6-0x0000000002BE0000-0x0000000002C60000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2224-1193-0x0000000000E30000-0x0000000000E42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2268-15-0x0000000002B60000-0x0000000002B68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-14-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2296-32-0x000000001B220000-0x000000001B2A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2296-1194-0x0000000001F60000-0x0000000001F6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2296-30-0x000000001B220000-0x000000001B2A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2296-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2296-31-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2296-33-0x0000000000690000-0x000000000069A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2296-38-0x00000000006A0000-0x00000000006AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2296-1-0x0000000000B40000-0x0000000000B52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2296-1627-0x0000000001F70000-0x0000000001F7A000-memory.dmp

      Filesize

      40KB

      Download