Overview

overview

10

Static

static

10

XWorm V5.6/Xworm.exe

windows7-x64

10

XWorm V5.6/Xworm.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm V5.6/Xworm.exe

  • Size

    8.1MB

  • MD5

    09a9589689f2e0f5697d413cca4e227b

  • SHA1

    2cb33d48a4b39c9304cbd8395a9a89074f8c14e2

  • SHA256

    d0a2637c7f1fe073e613d607da3ada027123c75194ebdf528734d8b48e808a8d

  • SHA512

    2c2494736c9fcd1a3d3b10e77c1af1ad60595d82897f7d82236f64b51d8bb46d8d723764fded8b3d94c68c43beb9c9e0c4c4a9c1d09603b46d56011f13b8e62f

  • SSDEEP

    196608:wQJFUQqPn9x5pJPU/Vp4uDubMUxOQZyl5pFfeYUkZV:PMF9JPUtp4uDubMc1ZylRf5

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

MXofXDDvLooD2jWq

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 11 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • .NET Reactor proctector 9 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 9 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 47 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1092
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1428
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2120
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2720
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:912
      • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\un4l5a4b\un4l5a4b.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2ECAC13B2C2A496A86B01642424A5A9.TMP"
            5⤵
              PID:588
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF586.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:2672
      • C:\Users\Admin\AppData\Local\Temp\taskhostw.exe
        "C:\Users\Admin\AppData\Local\Temp\taskhostw.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskhostw.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2384
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\taskhostw.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1036
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2748
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskhostw" /tr "C:\Users\Admin\AppData\Local\taskhostw.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:992
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2452
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {8A470643-12E4-4E88-A92C-45BD2B2D7C81} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\ProgramData\svchost.exe
          C:\ProgramData\svchost.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2500
        • C:\Users\Admin\AppData\Local\taskhostw.exe
          C:\Users\Admin\AppData\Local\taskhostw.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3056
        • C:\ProgramData\svchost.exe
          C:\ProgramData\svchost.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1908
        • C:\Users\Admin\AppData\Local\taskhostw.exe
          C:\Users\Admin\AppData\Local\taskhostw.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2960
      • C:\Users\Admin\Desktop\XClient.exe
        "C:\Users\Admin\Desktop\XClient.exe"
        1⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1784

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES1F15.tmp
        Filesize

        1KB

        MD5

        08641c6e84fd4b65dde1a95b3459043b

        SHA1

        265e359477f19cb4df98cd9bf2a009fde8036c0c

        SHA256

        031995d38abba1211ec7f9e0f261edc7997ddd39ef0566ba41741fe7285ce7a5

        SHA512

        49f073c42396bebcb79f0084cc88ba851a801af433d9c114fe3920425a586ed643664ecc9d37d887b244aa0105eea3a97a81e62a588666157cb178f847cce6fc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\ClientsFolder\560CB861CED251A85791\Monitor\12-21-2024 11;47;23;655.jpg
        Filesize

        15KB

        MD5

        b3d8b26006c1cc6e66581f703e307465

        SHA1

        f3b892c1495a64b8fe581ca72c6ff89fe29daa4b

        SHA256

        0e32e6a07df20a1e96fa62743608def940a15fcc467d8b665bd8b26d22ba5fa2

        SHA512

        3a7f11ac3bb2be7e4eb2ea927ba5a4dbef2b4c80d5b99180e07ca516f9a9e9760a345bba947c1d853d64f324a40d973727e12e98c959f43e2e9b658a0c43f0dc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\ClientsFolder\560CB861CED251A85791\Monitor\12-21-2024 11;47;25;293.jpg
        Filesize

        19KB

        MD5

        51cb662d0dbabab67b4df029d99410e2

        SHA1

        b68768dc1ac05a533a3b0baf50126cd50663fcdf

        SHA256

        12925bb31f691a5f297f7a37e9cfcf0d2340f10289df3db5adbd835d5d5219c8

        SHA512

        16086e6d61402e2aa67673798236d2cfada40dd61f15f4306daa13ab6bbd3660a6d3b4732d3dee1fa1b5e6125412c21d0cacf53456c7ca496c37bdaaaf458dee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\ClientsFolder\560CB861CED251A85791\Monitor\12-21-2024 11;47;25;465.jpg
        Filesize

        19KB

        MD5

        f952394da401f9db83b1fb68172d21e7

        SHA1

        e44109f804d8b1d4f57acc12c738115a476e5d69

        SHA256

        247a3f7a0a8df1a1bb5bb1e2d9820ddeeaac16b970d1f88de312abe225ebcfce

        SHA512

        14e40ddfe3a8dc626d2fdad8cab816ed00372ca2345fd66cdd05e2bff65349c053d9b871fd68de7296a23503e9315834fb2f08955b0a674de0ee742640aae8b9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\ClientsFolder\560CB861CED251A85791\Monitor\12-21-2024 11;47;25;793.jpg
        Filesize

        13KB

        MD5

        bfbcbe7dd99796ab980949753b55f2d5

        SHA1

        d9746cf1eaa9dff2d47f95b21cc312774d1a7c71

        SHA256

        ee7d080d7c41ee54ef5280bfa36b36dc3330d3a221d485e0017acbc961f13f5f

        SHA512

        63a3e6ac073e85fa3c5108fd172439e39fa5115fd813b5844e0fa875c2ed2cc7e939fd73a5edec41bf637c0d9f2dac48c58a9df97d14195042cb40c19ce241ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\ClientsFolder\560CB861CED251A85791\Monitor\12-21-2024 11;47;26;151.jpg
        Filesize

        13KB

        MD5

        14dbd52b6880caf39aa393640c676128

        SHA1

        fd9efed9440b1ea076b25bb1d29b2f07ce015328

        SHA256

        181d410ee0296194229d9cb7768a304dee1bacf499913f8fa6a032d3ff5835ba

        SHA512

        2197f817ec7ed0dfabd128b92602f5f3962959e8fcad22297469edddb0fcf4cd9867cfb0c4e77619e352b9f806c4ce8bef6473cab7dda357c1262e023bc8422f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe
        Filesize

        14.9MB

        MD5

        db51a102eab752762748a2dec8f7f67a

        SHA1

        194688ec1511b83063f7b0167ae250764b7591d1

        SHA256

        93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2

        SHA512

        fb2fb6605a17fedb65e636cf3716568e85b8ea423c23e0513eb87f3a3441e2cabc4c3e6346225a9bf7b81e97470f3ab516feea649a7afb5cdf02faff8d7f09a5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe
        Filesize

        7.9MB

        MD5

        5b757c6d0af650a77ba1bf7edea18b36

        SHA1

        c2ee4e12ff4b70511dbcab25dbf8b0d45f2d52b3

        SHA256

        c2a9fefda9159dd2712510c1c9077a1885d0ebc45251285dad95ba7184b98856

        SHA512

        93ca04887c63c3a0a4a5d42c48d0f4f7cc7fe7f6dad4dd45136ac048639d2edab66a2d2459779b9a2a075fa8981ea40567b34e5ed0535c1deecfe5e838385960

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        144KB

        MD5

        4b90399888a12fb85ccc3d0190d5a1d3

        SHA1

        3326c027bac28b9480b0c7f621481a6cc033db4e

        SHA256

        cede03d0ef98d200bd5b68f6ca4e0d74e2a62fc430a38083663c3031dbb1c77f

        SHA512

        899ec2df2f5d70716ad5d0686bfe0a6c66ccbcf7f0485efbdfc0615f90b3526cd3d31069fa66c7c6ae8bba6ce92200836c50da40a3731888b7326b970d93216a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\taskhostw.exe
        Filesize

        189KB

        MD5

        3636da95a3dd07300784e8146b76d1ec

        SHA1

        cb931a7f078a8af1024bbcdb3e84642b6298e1bc

        SHA256

        b121e69024dd83d1d69e8bc054cac5c1819b6cd22e307b76149066b29eff75fb

        SHA512

        20cfe53b164da34679ff3e3c622de9e9eff82ae5ef36da0442e1141b6e198fca3be4de1cc021a7c9359cf8ae3c405ec5ea0846f722560ab8ef16cedbb052ecf4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpF586.tmp.bat
        Filesize

        174B

        MD5

        346c93a4b2e8c41e274610f0dd4f5982

        SHA1

        69d66f78b32b2ca0e1749497fa7d187330bf32e4

        SHA256

        81bcb97ba7e9c198c25d2ddb7dcd80fa9d294ef523eab87fd697340ebe1ae718

        SHA512

        5cd73aee67c8c41b886e49f6274b64c79c418905eeba6524ef4e3598d307754d873511831d8ff9eac29376e53ae3baa4517bb27d97b13541c7a71fda2a236498

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\un4l5a4b\un4l5a4b.0.vb
        Filesize

        78KB

        MD5

        27e315dca064ebc6d74c3136a772e758

        SHA1

        838f286422fff2b7c7da854285c5b0aa5ddd9c39

        SHA256

        bf36539c7e78356a5443b42b2663b3e4fc123c9019c26340f6677d1813a045ae

        SHA512

        ec9b5747cd7705d9c21f78f8d99ca17eed13774498fa01e2a9218c6fb8b2c5b4adcde84664ad2dd63e748edb4d37169d16484c7ce0c1b40d70d4695231903109

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\un4l5a4b\un4l5a4b.cmdline
        Filesize

        290B

        MD5

        646910215cfa0cc76ab027c5deba4a3d

        SHA1

        bbe00b97efea477605e2ff382e2f9b4320b2ef58

        SHA256

        92ee96b74a5f57648694f6c644c473d4e2c7c3eec8ff5ef04b22fb23e98f97b6

        SHA512

        512a471a5a06153c74d0f14fe0f18af405e2981307bef7e39fb3f04a5901bd4f0335c68b4c619b46de7ffe122a64116a46e6bd521c0d5194bc3e0587126f051c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\vbc2ECAC13B2C2A496A86B01642424A5A9.TMP
        Filesize

        1KB

        MD5

        d40c58bd46211e4ffcbfbdfac7c2bb69

        SHA1

        c5cf88224acc284a4e81bd612369f0e39f3ac604

        SHA256

        01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

        SHA512

        48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        73c43e7b911427a47a3fe053ba86e69e

        SHA1

        c4bd50f36b3ace17d4e3057ff697d855307f315c

        SHA256

        4e59f1deb9b9268dad0490645f034be3e207b975ac96173ee5b768adc809c9b3

        SHA512

        b0873621c05f321f69da7487e64a15305d3c3480f189562126307c1ade84aca25517fcc1dc9bf2a3b59398c7d9b5d0e48b73844ff7b1a0da003bb0eaaadc59ae

        Download Submit

      • C:\Users\Admin\Desktop\XClient.exe
        Filesize

        32KB

        MD5

        db8d03249e10638875f874a045e6e7e7

        SHA1

        63e536d6a40435322803133ac155170612a44b73

        SHA256

        1818075b60fd67c5982340b4741fe09ab7e7f11067552475e11fde167df7e2b5

        SHA512

        d56c59b087b7755015993a4590948477df3f915782f996e749da840a79a6dc254672b585e38101288ea1644b5af1f476cb1d60488576cec07332ca6c2d48050b

        Download Submit

      • memory/1784-124-0x0000000001E10000-0x0000000001E1C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1784-123-0x0000000001E00000-0x0000000001E0C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1784-114-0x00000000003B0000-0x00000000003BE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1908-121-0x0000000000910000-0x000000000093A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2156-13-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2156-37-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2156-14-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2188-15-0x0000000000D20000-0x0000000000D56000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-50-0x000000001B6B0000-0x000000001B992000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2384-51-0x0000000002710000-0x0000000002718000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2500-93-0x0000000000880000-0x00000000008AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2648-44-0x0000000002820000-0x0000000002828000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2648-43-0x000000001B540000-0x000000001B822000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2796-23-0x0000000000C80000-0x0000000000CAA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2904-86-0x000000001C5F0000-0x000000001C7E4000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2904-96-0x0000000026160000-0x0000000026170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2904-116-0x000000001CE90000-0x000000001CEBC000-memory.dmp

        Filesize

        176KB

        Download

      • memory/2904-117-0x0000000028710000-0x00000000289F2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2904-118-0x00000000255F0000-0x00000000256A2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2904-97-0x0000000025D40000-0x0000000025EA8000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2904-115-0x000000001CE00000-0x000000001CE82000-memory.dmp

        Filesize

        520KB

        Download

      • memory/2904-36-0x0000000000060000-0x0000000000F48000-memory.dmp

        Filesize

        14.9MB

        Download

      • memory/2944-0-0x000007FEF613E000-0x000007FEF613F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2944-16-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2944-2-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2944-1-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2960-122-0x0000000001040000-0x0000000001076000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3056-94-0x0000000000C80000-0x0000000000CB6000-memory.dmp

        Filesize

        216KB

        Download