Overview

overview

10

Static

static

3

Nursultan ...m).exe

windows7-x64

10

Nursultan ...m).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2025, 11:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nursultan Alpha (prem).exe

  • Size

    3.6MB

  • MD5

    9da7ae2451efded063b29e9763aa244c

  • SHA1

    fb8ca87e4858331ea25485312a5d71ba25704cbc

  • SHA256

    a993be0a000fc4fff5b3806da4d35981551c2ed13655a19985e2f1928f869e07

  • SHA512

    370af95e2ef727f05051738d9f878e9b3954f9a95e2d486afc1000bb2619f9105c1078ecfda78e73cc609e87799c7e67bd19afdd1d1a9ea5b781b896f8825c66

  • SSDEEP

    98304:7u7xU6HERA18WXVP46ir0HKNDKx8/0hYC3srW5cXVR:7u7i6HctF6g0HKND0

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

192.121.16.228:8324

Attributes
  • Install_directory

    %AppData%

  • install_file

    NurClient.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 18 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 29 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha (prem).exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha (prem).exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Users\Admin\AppData\Roaming\nur.exe
      "C:\Users\Admin\AppData\Roaming\nur.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\nur.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nur.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NurClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1084
    • C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
      "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4748
        • C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
          "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3460
          • C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
            "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1572
            • C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
              "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3268
              • C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
                "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
                7⤵
                • Executes dropped EXE
                PID:5052
              • C:\Users\Admin\AppData\Roaming\test1w.exe
                "C:\Users\Admin\AppData\Roaming\test1w.exe"
                7⤵
                • Executes dropped EXE
                PID:4796
            • C:\Users\Admin\AppData\Roaming\test1w.exe
              "C:\Users\Admin\AppData\Roaming\test1w.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4636
              • C:\Users\Admin\AppData\Roaming\skeet.exe
                "C:\Users\Admin\AppData\Roaming\skeet.exe"
                7⤵
                • Executes dropped EXE
                PID:2628
              • C:\Users\Admin\AppData\Roaming\NurClient.exe
                "C:\Users\Admin\AppData\Roaming\NurClient.exe"
                7⤵
                • Checks computer location settings
                • Drops startup file
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:4848
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NurClient.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5052
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurClient.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2244
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NurClient.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4252
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurClient.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3504
          • C:\Users\Admin\AppData\Roaming\test1w.exe
            "C:\Users\Admin\AppData\Roaming\test1w.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3640
            • C:\Users\Admin\AppData\Roaming\skeet.exe
              "C:\Users\Admin\AppData\Roaming\skeet.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:5108
              • C:\Users\Admin\AppData\Roaming\skeet.exe
                "C:\Users\Admin\AppData\Roaming\skeet.exe"
                7⤵
                • Executes dropped EXE
                PID:4568
              • C:\Users\Admin\AppData\Roaming\NurClient.exe
                "C:\Users\Admin\AppData\Roaming\NurClient.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:400
            • C:\Users\Admin\AppData\Roaming\NurClient.exe
              "C:\Users\Admin\AppData\Roaming\NurClient.exe"
              6⤵
              • Executes dropped EXE
              PID:1120
        • C:\Users\Admin\AppData\Roaming\test1w.exe
          "C:\Users\Admin\AppData\Roaming\test1w.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Users\Admin\AppData\Roaming\skeet.exe
            "C:\Users\Admin\AppData\Roaming\skeet.exe"
            5⤵
            • Executes dropped EXE
            PID:4912
          • C:\Users\Admin\AppData\Roaming\NurClient.exe
            "C:\Users\Admin\AppData\Roaming\NurClient.exe"
            5⤵
            • Executes dropped EXE
            PID:924
      • C:\Users\Admin\AppData\Roaming\test1w.exe
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Users\Admin\AppData\Roaming\skeet.exe
          "C:\Users\Admin\AppData\Roaming\skeet.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4996
          • C:\Users\Admin\AppData\Roaming\skeet.exe
            "C:\Users\Admin\AppData\Roaming\skeet.exe"
            5⤵
            • Executes dropped EXE
            PID:560
          • C:\Users\Admin\AppData\Roaming\NurClient.exe
            "C:\Users\Admin\AppData\Roaming\NurClient.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:648
            • C:\Users\Admin\AppData\Roaming\skeet.exe
              "C:\Users\Admin\AppData\Roaming\skeet.exe"
              6⤵
              • Executes dropped EXE
              PID:4216
        • C:\Users\Admin\AppData\Roaming\NurClient.exe
          "C:\Users\Admin\AppData\Roaming\NurClient.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1136
          • C:\Users\Admin\AppData\Roaming\skeet.exe
            "C:\Users\Admin\AppData\Roaming\skeet.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2088
            • C:\Users\Admin\AppData\Roaming\skeet.exe
              "C:\Users\Admin\AppData\Roaming\skeet.exe"
              6⤵
              • Executes dropped EXE
              PID:3084
            • C:\Users\Admin\AppData\Roaming\NurClient.exe
              "C:\Users\Admin\AppData\Roaming\NurClient.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4692
              • C:\Users\Admin\AppData\Roaming\skeet.exe
                "C:\Users\Admin\AppData\Roaming\skeet.exe"
                7⤵
                • Executes dropped EXE
                PID:5092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan Alpha (prem).exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d3e9c29fe44e90aae6ed30ccf799ca8

    SHA1

    c7974ef72264bbdf13a2793ccf1aed11bc565dce

    SHA256

    2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

    SHA512

    60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    cae60f0ddddac635da71bba775a2c5b4

    SHA1

    386f1a036af61345a7d303d45f5230e2df817477

    SHA256

    b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

    SHA512

    28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    34f595487e6bfd1d11c7de88ee50356a

    SHA1

    4caad088c15766cc0fa1f42009260e9a02f953bb

    SHA256

    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

    SHA512

    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    15dde0683cd1ca19785d7262f554ba93

    SHA1

    d039c577e438546d10ac64837b05da480d06bf69

    SHA256

    d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

    SHA512

    57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    22310ad6749d8cc38284aa616efcd100

    SHA1

    440ef4a0a53bfa7c83fe84326a1dff4326dcb515

    SHA256

    55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

    SHA512

    2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    f9181f64418cae3d8eb73498c74ea2c2

    SHA1

    b034df207dcd05550132de526b89fc7f45e77f3a

    SHA256

    969ebc05f9daffc5ea9c54fa23cfa46ba967cfa4370364e8f47ed988aa0846a0

    SHA512

    ce0ecccdb4bed314f67e7271d1e4c86d0e4db89f3aa37755de355fecc596fc1d7c0a86e0a053dbce2db834cf5f4c382c503ed64880cb8c1ed5155ed70637865c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_um413tnr.bjr.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurClient.lnk
    Filesize

    783B

    MD5

    43ecf4297611719290dbfc4cfa0ceb25

    SHA1

    aec8bb5a6404cde463186f74d1e35f7177b00646

    SHA256

    05066a0ef49f4048f6adab9368b74271c551431d8397addfd6a75da7fd091a68

    SHA512

    7877c59db7865fa3f27923cd34bb9140a93a8bb9616425ea8fb2a4e92da78bcb4e14fd512548759ceac6d2e0ba5f0a089d6a914d007994432fe3d1f56890adf9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NurClient.exe
    Filesize

    67KB

    MD5

    44b3f88bf41cc94d7a29d74428179686

    SHA1

    7b50d502801013ed340a538f1932a6062dfc765d

    SHA256

    2add340de381aa0c3c0c1f45a37ebf5a757c873cbc070f2ccb00e80d793d3342

    SHA512

    ce623b0f55d02ac0b09a665919a786147b640c6df63004cc1f0443e3af642907119e04e1c8be0fcc932c9707275ee50ea67f09078fbcf0a4c061bae57bf60f03

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NurClient.exe
    Filesize

    157KB

    MD5

    98198dc506f9038bdb935e06635f8f0c

    SHA1

    0d6f7f2f0b082c0158a42f96136202337da33c64

    SHA256

    27c1a6f4ed357879f5d43758d1f596e9c899e2995fc6c7ee1e426e59fb050817

    SHA512

    c7caa8313899d5f6127b46485428713026ea409604ad6803325123927ccada8528d2709990e813d737466dd23dcb63ac4383dd4b2bec6a9107bd3c637e6a12f5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
    Filesize

    3.5MB

    MD5

    3972af0b29e3708ed0a24a8228450248

    SHA1

    544656d4cd451afce236bc8e8b4f138d3b573e7d

    SHA256

    a54b54c7a1b3a6966b7207aece9d77cdcf48caddd8236fc61060689867ab258f

    SHA512

    a0b4ca8e728531a9992fec26154260b8cc8d0b380d32e8da3a4f451509640e23d2771ddf4bfe2488c81d4869e7bb648251da3507d98ab3142e48c8e09e7b5dd4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\nur.exe
    Filesize

    71KB

    MD5

    162addbe2fd96d0442c7fb4231855279

    SHA1

    119ab55811b46e949266b393964f6d494d0dc96e

    SHA256

    780f577c0620f1245217cbefbbd0f94c66b9bd0efb49310204f8b414a293b854

    SHA512

    8e594992482f15a9d366986b438e598a71d98055aaea87e78abf8b518d76d59524bf80cabf84bba508352ca1022d0a98b01301c91278ff86a47246462d89e605

    Download Submit

  • C:\Users\Admin\AppData\Roaming\skeet.exe
    Filesize

    147KB

    MD5

    7967febe5c8d05429d8b86b3f526a7b6

    SHA1

    87d3d6e07ed6a4fb076a7561ab5f9e9d6064b1e4

    SHA256

    a1199d6afa00693691e03b3244e970798c128b7f52d78887a9622aabd2ba8303

    SHA512

    2ccbd355ec7c781abb322ed62ba22671f79080f61a21937d615e2744f6069d5dd31477d7682e7d1c682b1305c9261a20dc68bd06723be18d583d6258acf826a4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\test1w.exe
    Filesize

    319KB

    MD5

    ff9321376e90e0ae1478bd12fce85931

    SHA1

    639cb9225bb206f620e8a258d34032b4197c3440

    SHA256

    f157f48da00a80bbacecb0a912f2b213cee321c080bd753e1eb871005ada9a74

    SHA512

    be76d7aa3bc7aa0f9fc0f2128f9c5348ce107419bb6734f09eafdf2ff4ff709692f3d726952f6d9857a6c58766963d2c3e88cc30e2011a1b8011687d092db98f

    Download Submit

  • memory/1136-70-0x0000000000BF0000-0x0000000000C1E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2180-103-0x000001D6EF230000-0x000001D6EF252000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3056-27-0x0000000000E20000-0x00000000011AC000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/3056-42-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3056-29-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4592-43-0x0000000000B70000-0x0000000000BC6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4848-118-0x0000000000CF0000-0x0000000000D08000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4996-69-0x00000000005A0000-0x00000000005CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/5032-156-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5032-28-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5032-189-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5032-21-0x0000000000B00000-0x0000000000B18000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5032-203-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5060-0-0x00007FFF06BF3000-0x00007FFF06BF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5060-1-0x0000000000320000-0x00000000006C0000-memory.dmp

    Filesize

    3.6MB

    Download