Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1d52c92709...0c.exe

windows7-x64

10

1d52c92709...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/02/2025, 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d52c927094cc5862349a1b81ddaf10c.exe

  • Size

    988KB

  • MD5

    1d52c927094cc5862349a1b81ddaf10c

  • SHA1

    4f1038de14e08807f65ca8f240c034469c2479a0

  • SHA256

    da551ab6e000732499227a67f2be68d1256b58d95963a903cc316e2730db9d1e

  • SHA512

    7ce469e84160d9eac202c20f15bf008212cf681287055b5bacacd9ab6c18ad1ada8363db3b6a7601015caf231a00b9d29bf96b79bd43e01f5eca3e057667ec1e

  • SSDEEP

    12288:4rT5UqCUfsgddxK+0wC150c6QVSeNuQXeDPVmJiW0qWkdw+bezWMcsZI0Bz:4SDl15Fbtq0++buPay

Score
10/10
nanocorexmrigxwormdefense_evasiondiscoveryexecutionkeyloggerminerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

lxtihmjohnson163.airdns.org:43366

Mutex

3740d544-7efc-40b2-8c32-f31974309f7d

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-10-21T12:36:42.768385536Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    43366

  • default_group

    JAMJAM01

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    3740d544-7efc-40b2-8c32-f31974309f7d

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    lxtihmjohnson163.airdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

xworm

Version

5.0

C2

tunhost.duckdns.org:57891

wintun.freemyip.com:57891

87.249.134.68:57891
Attributes
  • install_file

    琀㴀Ā ☀☀ �䔗渀瘀椀爀漀渀洀攀渀琀�眍椀渀搀椀爀�瀝漀眀攀爀猀栀攀氀氀⸀攀砀攀�醀-C schtasks.exe

aes.plain

Signatures

  • Detect Xworm Payload 3 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Xmrig family
    xmrig
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 10 IoCs
    miner
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    defense_evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d52c927094cc5862349a1b81ddaf10c.exe
    "C:\Users\Admin\AppData\Local\Temp\1d52c927094cc5862349a1b81ddaf10c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\1d52c927094cc5862349a1b81ddaf10c.exe
      "C:\Users\Admin\AppData\Local\Temp\1d52c927094cc5862349a1b81ddaf10c.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCDC0.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1076
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCE1E.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1564
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: SetClipboardViewer
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /delete /f /tn "Microsoft\Windows\Client Server Runtime Process"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1408
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "Microsoft\Windows\Client Server Runtime Process" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:464
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3440
      • C:\Windows\SysWOW64\reg.exe
        "reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1776
      • C:\Users\Admin\AppData\Local\system32.exe
        "C:\Users\Admin\AppData\Local\system32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4932
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1232
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:432
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4916
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:512
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "AHMOQNZH"
          4⤵
          • Launches sc.exe
          PID:3348
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "AHMOQNZH" binpath= "C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe" start= "auto"
          4⤵
          • Launches sc.exe
          PID:716
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          4⤵
          • Launches sc.exe
          PID:4040
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "AHMOQNZH"
          4⤵
          • Launches sc.exe
          PID:316
      • C:\Users\Admin\AppData\Local\system32-checker.exe
        "C:\Users\Admin\AppData\Local\system32-checker.exe"
        3⤵
        • Executes dropped EXE
        PID:3404
  • C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe
    C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4068
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:868
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:220
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:4656
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
          PID:3060

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      System Services

      2
      T1569

      Service Execution

      2
      T1569.002

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Power Settings

      1
      T1653

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Service Stop

      1
      T1489

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1d52c927094cc5862349a1b81ddaf10c.exe.log
        Filesize

        1KB

        MD5

        8ec831f3e3a3f77e4a7b9cd32b48384c

        SHA1

        d83f09fd87c5bd86e045873c231c14836e76a05c

        SHA256

        7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

        SHA512

        26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpCDC0.tmp
        Filesize

        1KB

        MD5

        c5294abdc5d48ad2cfc408919358ecea

        SHA1

        6cdac5fd37dc54fa66178d77f6a7c9334b2dcc43

        SHA256

        8a74ba61a288c81c96f06f5d3bfcdc9019c7b9895e6cd898ca68f7aa44812934

        SHA512

        4063b221df0512fd4eb570c4b061d1114ed2e773459aca5d840b6628c7feaf6f796b875330cfae616e8ecf7711fe297ed4737c7ddae2168cc390ef993115a859

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpCE1E.tmp
        Filesize

        1KB

        MD5

        7f4b37265a0a4b0fea67999d11d911e8

        SHA1

        1b8e13e6a27c3768c30cf713b79eaa8a757e1349

        SHA256

        39b16b3a00b6b43c6820357127228c0768a577153014ce7b0ea3c585244dc08b

        SHA512

        ef97ccfb663555aedc7fdc4b3ac4cd6536c80a778b4ec3bc6124a09544733988de1dac1e6a3714b0d6e8713e3523e0732d5dfcf674f2c5e1f3eadacb0c8e5e03

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp
        Filesize

        1KB

        MD5

        55f737e134714dd479fb8d4417a14df5

        SHA1

        4195b4131fb1215140baaaf5a6d8e26f305572af

        SHA256

        f306ee4e70a9dd3281131c476541b78f8cbe387a8a507f3b98a48ef34ecf2835

        SHA512

        446fa2af1cfb7057fd96fbaa26b4dcec67427399c8859c85ed11d5fb7b64f6abca39581faa2f17ca32c5e57759a448266d4be6af39e730d5e596cc41701fd1bf

        Download Submit

      • C:\Users\Admin\AppData\Local\system32-checker.exe
        Filesize

        6KB

        MD5

        7c1867586dfd01366878ae08415c612c

        SHA1

        4526353fbb9b8be77f3c0f46778a740f84882f83

        SHA256

        521f29dd7236b22daba7ea9537ef6be31057a08eec9526805b4685d7970e1372

        SHA512

        ef4ff7128de21fcdec5019322247ae958b46c2ff20b36d65f32fd6921e2f7c7bd018168fb3a7c0c728f071160057c790b3d5b691aad24cd5ebd975e7abc409ba

        Download Submit

      • C:\Users\Admin\AppData\Local\system32.exe
        Filesize

        2.5MB

        MD5

        a5c4e57922031e587bf09fb90453d73e

        SHA1

        4bc3a265800ef4f7df8402292d8218553b2860b6

        SHA256

        3720ffed8da2ba9d4cabbe64331f939f36e750e7dd3d5b9ff4d937325b35543b

        SHA512

        0fd81c9ca1ea8587fa33f2da3f45896b9d22e9f8a014513316274674a4256a4f04654462ed4ed87021e999964c895734aa2814e5a37f23a2010c594ad113a491

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe
        Filesize

        32KB

        MD5

        bb88af07d7f92e77086eb2a090b508fd

        SHA1

        2fcf43147b61ed5c8e1d7d46398eb3749e649e78

        SHA256

        77ce6f10d6034a1d7ab7768278cf8322b719729f612e6afe8cff72cb637cd6ec

        SHA512

        7a41def72de640dbf057c41971b02213e75202a1863b41491e36644da17bcbfb16c41ae6c6af121b5b2f7fee4f0608f867a404f1bbbf8db5dc9444978868f7c3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
        Filesize

        191KB

        MD5

        ed3b00caa7c83ab730df4a14aeb5d6bf

        SHA1

        453eeebd3cd4a0faf5e7eca63ea6cdb0ed96971a

        SHA256

        456b4cf130884ff7283aa415425ff6e3f6c610211bc7504e41bba9346dacd827

        SHA512

        fb64f0d53215cfcbd18f9de977e2f41323192b9329e67f7c26f53692970a2688f0a6a80f836c073945404e84364620f49790b22499bbf65c904341b90ccba954

        Download Submit

      • memory/2404-5-0x0000000074710000-0x0000000074EC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2404-9-0x0000000002CD0000-0x0000000002D4E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/2404-10-0x000000000C2B0000-0x000000000C34C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2404-8-0x0000000074710000-0x0000000074EC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2404-7-0x000000007471E000-0x000000007471F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2404-15-0x0000000074710000-0x0000000074EC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2404-6-0x00000000065F0000-0x000000000660E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2404-0-0x000000007471E000-0x000000007471F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2404-4-0x00000000053C0000-0x00000000053CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2404-3-0x0000000005300000-0x0000000005392000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2404-2-0x0000000005810000-0x0000000005DB4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2404-1-0x0000000000970000-0x0000000000A6E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/3032-33-0x0000000006FC0000-0x0000000007004000-memory.dmp

        Filesize

        272KB

        Download

      • memory/3032-11-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/3032-30-0x0000000006F70000-0x0000000006F8A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3032-31-0x0000000006FA0000-0x0000000006FB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3032-32-0x0000000006FB0000-0x0000000006FBE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3032-26-0x00000000066C0000-0x00000000066CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3032-34-0x0000000074710000-0x0000000074EC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3032-25-0x00000000059F0000-0x0000000005A0E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3032-24-0x0000000005740000-0x000000000574A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3032-29-0x0000000006F60000-0x0000000006F72000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3032-45-0x0000000074710000-0x0000000074EC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3032-16-0x0000000074710000-0x0000000074EC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3032-14-0x0000000074710000-0x0000000074EC0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3060-71-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-68-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-66-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-67-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-69-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-70-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-72-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-64-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-65-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-73-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-75-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-76-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3060-74-0x0000000140000000-0x0000000140835000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3404-81-0x0000000000050000-0x0000000000056000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3440-43-0x0000000000A90000-0x0000000000A9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4656-56-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4656-57-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4656-58-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4656-59-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4656-63-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4656-60-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download