Overview

overview

10

Static

static

10

rat test xworm.exe

windows7-x64

10

rat test xworm.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2025 01:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rat test xworm.exe

  • Size

    65KB

  • MD5

    fbe7f61c52a1754815d5da441a4fb469

  • SHA1

    5540bfc30a9b05f1972d896283bd1f107db18987

  • SHA256

    5d8c53e451c55ce6969cfe254e0c22a3c48915c1400c66fc9dc806d7ad824f24

  • SHA512

    e524006b40df8d3a677f20928d6fb5f31d08197d351bcfcdb30bd08cf041500794998728397119775d584f4f3f4359e7d881deea4aec9f9cc9add524454d4635

  • SSDEEP

    1536:axvYQ2kEC1wXbFDGTRwZrt6UxKQO7U/1iI:ahYeLKbRTLO7U95

Score
10/10
stormkittyxwormdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:21252

land-long.gl.at.ply.gg:21252
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\rat test xworm.exe
    "C:\Users\Admin\AppData\Local\Temp\rat test xworm.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rat test xworm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rat test xworm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3112
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ImportJoin.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3960
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1660
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\HideEnable.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4336
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
    Filesize

    471B

    MD5

    0ebf61bb7f2cc2c9774d08403733ce02

    SHA1

    41ebe21d6e9be7c89e0465d81d8de6b1859d4a94

    SHA256

    2d75a639d7924d125be0ab23056d033bb728991e75b563ba8228600c8b6d6f6b

    SHA512

    d159e103325a30c40f153c7fa7c8ace0f035f8ba24c3cf589905a2742c06bea96c58cc5f84a3c746eff5cb0af5787d9ed105cce34aa7eeebb0c093fea98bfc85

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
    Filesize

    420B

    MD5

    265935be10388a472f24548db28e017a

    SHA1

    7d0bfffc38ef8e1e4c21e33b793234fdfe4c0bf3

    SHA256

    e2b11fe2fbee89b973c2d42b2fba0b92a6727df2f29cb2cc940a85fa5818d8a6

    SHA512

    e33ae20fc85658d12a649fe5aa325ed9e464faf43deb01b661f783564938522dc8c4b6d5665ab94561b87140b244caacbcbd0cd6d724bd79947a1c47940782c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    a43e653ffb5ab07940f4bdd9cc8fade4

    SHA1

    af43d04e3427f111b22dc891c5c7ee8a10ac4123

    SHA256

    c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

    SHA512

    62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
    Filesize

    21B

    MD5

    f1b59332b953b3c99b3c95a44249c0d2

    SHA1

    1b16a2ca32bf8481e18ff8b7365229b598908991

    SHA256

    138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

    SHA512

    3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
    Filesize

    417B

    MD5

    c56ff60fbd601e84edd5a0ff1010d584

    SHA1

    342abb130dabeacde1d8ced806d67a3aef00a749

    SHA256

    200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

    SHA512

    acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
    Filesize

    87B

    MD5

    e4e83f8123e9740b8aa3c3dfa77c1c04

    SHA1

    5281eae96efde7b0e16a1d977f005f0d3bd7aad0

    SHA256

    6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

    SHA512

    bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
    Filesize

    14B

    MD5

    6ca4960355e4951c72aa5f6364e459d5

    SHA1

    2fd90b4ec32804dff7a41b6e63c8b0a40b592113

    SHA256

    88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

    SHA512

    8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0EAAF53D-4340-47E1-A700-4DFF9652728B
    Filesize

    177KB

    MD5

    088f1622632fb6ef8934f75ae2e84685

    SHA1

    84d3eb314eab1a9c33c2595e6cce138de239abf3

    SHA256

    cfbe8f1fc5e3afac3ff9239b666f56ab07eebf39f6134554961df9db7b47c322

    SHA512

    8edb93b3f4cd01b5df1510f761a5fa897a85e998f0b4ada702d02409171e3e4ea5adc69c0ece81af4fd712cdab15ac7fc482bcb85b86c0e13c619a6eef95ed95

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
    Filesize

    12KB

    MD5

    eedfeaaf2c5d40ec6b6f51b3bc3e2b2d

    SHA1

    9731f73e750ff160950b710add95c935a0f747af

    SHA256

    2e2078d2d40549cadc8ab97308dc8117135ce464ff3cc30e7a99916c6f512cc4

    SHA512

    a6bc711310e5d338fd03191b5646e3c9fe8f26322816f6524ab12ba772562824168e704edd467f7020c1fe67958dd9e9ab0a300b938385e3f8f12fbfe1a84462

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
    Filesize

    24KB

    MD5

    8665de22b67e46648a5a147c1ed296ca

    SHA1

    b289a96fee9fa77dd8e045ae8fd161debd376f48

    SHA256

    b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

    SHA512

    bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
    Filesize

    2KB

    MD5

    dcb2dfd943b547247c2f66c32fa9b26f

    SHA1

    f7e1277f1601e3a8de705a863fc6bd6118c00660

    SHA256

    ece4ee22731c7ff3a4c2d86aba764f9468eb4ee3f6556fcafcd06584b95f7653

    SHA512

    7994e812cbe0e4e16fa4b52b123704413d651b33238cd3a79ccb970e44221708c8896dacbe6287654a41d692b4c84c153f543b253fbb7e4a598cfdbeee7e2c11

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
    Filesize

    2KB

    MD5

    fce7ee8db325686a9723355472655bd5

    SHA1

    0f26a9064404c458481cdd61b8e460295552cf13

    SHA256

    65406c61470b3b23e12cc7bc4980759e304d6e6761b0a50d1d5efc8ec3f5281d

    SHA512

    f51ab38954bd7b9cad44ce95b38422a1c85d61ae07c852aa9176b172c4dd110abc053526b8a050e5f6f51fd79a8417cbc82e8cbb027903784427f778ce0912f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e2da2d9f90026fdcbf934311a18284a2

    SHA1

    56de674db9fb5e29a62562191b498d976228dfd4

    SHA256

    199babd6ffc35f86a277f477aa21cc4242a5650779f79c64928eb469c857183e

    SHA512

    c7ed9f7540a927186f6192c71a18e41d43f87a6b7c578d0bbc63718a9f5ff3e4e597cf4ae18b2cb50ee5730d4360b45994a5931c648291f3250fd0ddfbb70bb3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d8cb3e9459807e35f02130fad3f9860d

    SHA1

    5af7f32cb8a30e850892b15e9164030a041f4bd6

    SHA256

    2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

    SHA512

    045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    0fd3f36f28a947bdd05f1e05acf24489

    SHA1

    cf12e091a80740df2201c5b47049dd231c530ad3

    SHA256

    d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50

    SHA512

    5f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_msz2ruow.end.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9778.tmp
    Filesize

    100KB

    MD5

    1b942faa8e8b1008a8c3c1004ba57349

    SHA1

    cd99977f6c1819b12b33240b784ca816dfe2cb91

    SHA256

    555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

    SHA512

    5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    375B

    MD5

    d97432430ab0eba8eb431fb1368355fe

    SHA1

    8620263f21988d8921107bef24c9b923d57f8f39

    SHA256

    9faa7ad3e3bbad9300ada9b3829f09a27c6e83ee7ee6b56a9e259cdbb3a2e066

    SHA512

    3743d43927fae90dab43c122b1ef41dc1564b3e6aca22fa6e290197843ad1b38aefb22b41767407234ab0bd31be475547defcd447916e33f8bdb00ea68806067

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    373B

    MD5

    6ea0c62f82af4b54be49e2bb260419f6

    SHA1

    bcf0d04e73bc8a657b53065668f12bf2f2641f7f

    SHA256

    28809b3b89e593afcb6dfde465acc86bef32a803a30db17b078d29a697b5dca3

    SHA512

    b1cb739b3cc24f37c230dd08b34796811698bc426ceda3ea73d5e63611dbf466c904e09b60a51a4483ced86a67c292a4a895e23b96e58d039790b89d66f6145e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\svchost.exe
    Filesize

    65KB

    MD5

    fbe7f61c52a1754815d5da441a4fb469

    SHA1

    5540bfc30a9b05f1972d896283bd1f107db18987

    SHA256

    5d8c53e451c55ce6969cfe254e0c22a3c48915c1400c66fc9dc806d7ad824f24

    SHA512

    e524006b40df8d3a677f20928d6fb5f31d08197d351bcfcdb30bd08cf041500794998728397119775d584f4f3f4359e7d881deea4aec9f9cc9add524454d4635

    Download Submit

  • memory/2304-18-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2304-15-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2304-14-0x000002717ED60000-0x000002717ED82000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2304-13-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2304-12-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3960-112-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-114-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-59-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-61-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-113-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-62-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-60-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-63-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-64-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-65-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-115-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-177-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-224-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-175-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-176-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-223-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-178-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-225-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-226-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-174-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4900-0-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4900-58-0x000000001DB80000-0x000000001DB8C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4900-57-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4900-2-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4900-122-0x000000001ECF0000-0x000000001F040000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4900-125-0x000000001DED0000-0x000000001DFF0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4900-165-0x000000001B600000-0x000000001B60C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4900-116-0x000000001DC10000-0x000000001DC4A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4900-1-0x0000000000650000-0x0000000000666000-memory.dmp

    Filesize

    88KB

    Download