xworm | 16a8928df1da51875715a7bf50162f5601b0a7e6ed357d5c5919188affaa7774

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
14-11-2023 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
Size

753KB
MD5

912a9f5960f78c14a1bfe528860b5cc5
SHA1

6e23c3b72f56358efc066b6ae60d173902a0f033
SHA256

4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde
SHA512

0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352
SSDEEP

12288:2ufjVpNKUF3OjhlYnf8KPGNaTp7WeqCdmgzKrQXOxTXbebLw7:2sGQOjhlYUUGkp7FzO

Score

10^/10

xworm persistence rat trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2392-51-0x0000000000870000-0x000000000088C000-memory.dmp	family_xworm
behavioral1/memory/2392-46-0x0000000000820000-0x000000000083E000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\hhrjcird.exe,"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 3 IoCs

pid	Process
3044	hhrjcird.exe
2560	UehdjUej.exe
1076	UehdjUej.exe

Loads dropped DLL 4 IoCs

pid	Process
2708	cmd.exe
2708	cmd.exe
3044	hhrjcird.exe
2560	UehdjUej.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2392	3044	hhrjcird.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2804	PING.EXE
2756	PING.EXE
1996	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2392	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
3044	hhrjcird.exe
3044	hhrjcird.exe
3044	hhrjcird.exe
3044	hhrjcird.exe
3044	hhrjcird.exe
2560	UehdjUej.exe
1076	UehdjUej.exe
1076	UehdjUej.exe
1076	UehdjUej.exe
2392	AddInProcess32.exe
3044	hhrjcird.exe
3044	hhrjcird.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
Token: SeDebugPrivilege	3044	hhrjcird.exe
Token: SeDebugPrivilege	2560	UehdjUej.exe
Token: SeDebugPrivilege	1076	UehdjUej.exe
Token: SeDebugPrivilege	2392	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2392	AddInProcess32.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 3020	1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe	28
PID 1892 wrote to memory of 3020	1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe	28
PID 1892 wrote to memory of 3020	1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe	28
PID 1892 wrote to memory of 3020	1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe	28
PID 3020 wrote to memory of 1996	3020	cmd.exe	30
PID 3020 wrote to memory of 1996	3020	cmd.exe	30
PID 3020 wrote to memory of 1996	3020	cmd.exe	30
PID 3020 wrote to memory of 1996	3020	cmd.exe	30
PID 1892 wrote to memory of 2708	1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe	31
PID 1892 wrote to memory of 2708	1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe	31
PID 1892 wrote to memory of 2708	1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe	31
PID 1892 wrote to memory of 2708	1892	4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe	31
PID 2708 wrote to memory of 2804	2708	cmd.exe	33
PID 2708 wrote to memory of 2804	2708	cmd.exe	33
PID 2708 wrote to memory of 2804	2708	cmd.exe	33
PID 2708 wrote to memory of 2804	2708	cmd.exe	33
PID 3020 wrote to memory of 2068	3020	cmd.exe	34
PID 3020 wrote to memory of 2068	3020	cmd.exe	34
PID 3020 wrote to memory of 2068	3020	cmd.exe	34
PID 3020 wrote to memory of 2068	3020	cmd.exe	34
PID 2708 wrote to memory of 2756	2708	cmd.exe	35
PID 2708 wrote to memory of 2756	2708	cmd.exe	35
PID 2708 wrote to memory of 2756	2708	cmd.exe	35
PID 2708 wrote to memory of 2756	2708	cmd.exe	35
PID 2708 wrote to memory of 3044	2708	cmd.exe	36
PID 2708 wrote to memory of 3044	2708	cmd.exe	36
PID 2708 wrote to memory of 3044	2708	cmd.exe	36
PID 2708 wrote to memory of 3044	2708	cmd.exe	36
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 3048	3044	hhrjcird.exe	37
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2392	3044	hhrjcird.exe	38
PID 3044 wrote to memory of 2560	3044	hhrjcird.exe	41
PID 3044 wrote to memory of 2560	3044	hhrjcird.exe	41
PID 3044 wrote to memory of 2560	3044	hhrjcird.exe	41
PID 3044 wrote to memory of 2560	3044	hhrjcird.exe	41
PID 2560 wrote to memory of 1076	2560	UehdjUej.exe	42
PID 2560 wrote to memory of 1076	2560	UehdjUej.exe	42
PID 2560 wrote to memory of 1076	2560	UehdjUej.exe	42
PID 2560 wrote to memory of 1076	2560	UehdjUej.exe	42

C:\Users\Admin\AppData\Local\Temp\4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
"C:\Users\Admin\AppData\Local\Temp\4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\hhrjcird.exe,"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 9
    3⤵
    - Runs ping.exe
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\hhrjcird.exe,"
    3⤵
    - Modifies WinLogon for persistence
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 9 > nul && copy "C:\Users\Admin\AppData\Local\Temp\4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe" "C:\Users\Admin\AppData\Roaming\hhrjcird.exe" && ping 127.0.0.1 -n 9 > nul && "C:\Users\Admin\AppData\Roaming\hhrjcird.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 9
    3⤵
    - Runs ping.exe
    PID:2804
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 9
    3⤵
    - Runs ping.exe
    PID:2756
- - C:\Users\Admin\AppData\Roaming\hhrjcird.exe
    "C:\Users\Admin\AppData\Roaming\hhrjcird.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:3048
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe
      "C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UehdjUej.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UehdjUej.txt

Filesize
54B

MD5
96be7f86b2c6b158f6d6520e515b9845

SHA1
d51e21d48161e9db5b53905223f083307876983b

SHA256
bf09dde54474083d6de1e52c6d525c3ad212f916b3c413c971affdffedccfc30

SHA512
4c2c0136cd148a347156d87e0768e5fc2e6e0019e66e2d7a83f9c88c035b5f461cba3a941d8ef0ab8915376af403f9a3febe4dc7cbdd9f3447678c74cecb48f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UehdjUej.txt

Filesize
57B

MD5
57839cd4bbfc3d5d964f1dda11dbf399

SHA1
4f353e4a100aabbab798204d5817b108e32f1b7e

SHA256
77de8007a5ff3f6b3fa89783bc09889a602a6e7effcbde9f2c13228993b0d75c

SHA512
3f152af8936bfbe46048201b03cd6ce5585034d32ea4f908dfdaea7b75014277d4c629429759dee5a4088c490675f3338b03b39bbb71928e88986d19e0f6cd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UehdjUej.txt

Filesize
57B

MD5
57839cd4bbfc3d5d964f1dda11dbf399

SHA1
4f353e4a100aabbab798204d5817b108e32f1b7e

SHA256
77de8007a5ff3f6b3fa89783bc09889a602a6e7effcbde9f2c13228993b0d75c

SHA512
3f152af8936bfbe46048201b03cd6ce5585034d32ea4f908dfdaea7b75014277d4c629429759dee5a4088c490675f3338b03b39bbb71928e88986d19e0f6cd0e

Download Submit
C:\Users\Admin\AppData\Roaming\hhrjcird.exe

Filesize
753KB

MD5
912a9f5960f78c14a1bfe528860b5cc5

SHA1
6e23c3b72f56358efc066b6ae60d173902a0f033

SHA256
4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde

SHA512
0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352

Download Submit
C:\Users\Admin\AppData\Roaming\hhrjcird.exe

Filesize
753KB

MD5
912a9f5960f78c14a1bfe528860b5cc5

SHA1
6e23c3b72f56358efc066b6ae60d173902a0f033

SHA256
4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde

SHA512
0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352

Download Submit
C:\Users\Admin\AppData\Roaming\hhrjcird.exe

Filesize
753KB

MD5
912a9f5960f78c14a1bfe528860b5cc5

SHA1
6e23c3b72f56358efc066b6ae60d173902a0f033

SHA256
4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde

SHA512
0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352

Download Submit
\Users\Admin\AppData\Local\Temp\UehdjUej.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\UehdjUej.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\hhrjcird.exe

Filesize
753KB

MD5
912a9f5960f78c14a1bfe528860b5cc5

SHA1
6e23c3b72f56358efc066b6ae60d173902a0f033

SHA256
4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde

SHA512
0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352

Download Submit
\Users\Admin\AppData\Roaming\hhrjcird.exe

Filesize
753KB

MD5
912a9f5960f78c14a1bfe528860b5cc5

SHA1
6e23c3b72f56358efc066b6ae60d173902a0f033

SHA256
4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde

SHA512
0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352

Download Submit
memory/1076-75-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/1076-67-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/1892-0-0x0000000000E20000-0x0000000000EE2000-memory.dmp

Filesize
776KB

Download
memory/1892-4-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-3-0x00000000046D0000-0x0000000004714000-memory.dmp

Filesize
272KB

Download
memory/1892-2-0x0000000004730000-0x0000000004770000-memory.dmp

Filesize
256KB

Download
memory/1892-1-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2392-69-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2392-76-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2392-73-0x00000000072D0000-0x000000000743E000-memory.dmp

Filesize
1.4MB

Download
memory/2392-74-0x0000000002290000-0x00000000022C0000-memory.dmp

Filesize
192KB

Download
memory/2392-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2392-72-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2392-49-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2392-51-0x0000000000870000-0x000000000088C000-memory.dmp

Filesize
112KB

Download
memory/2392-50-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2392-48-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2392-47-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-46-0x0000000000820000-0x000000000083E000-memory.dmp

Filesize
120KB

Download
memory/2392-71-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2392-70-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-66-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-59-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-58-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/3044-16-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/3044-41-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/3044-19-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/3044-18-0x0000000000430000-0x000000000044A000-memory.dmp

Filesize
104KB

Download
memory/3044-17-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/3044-39-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/3044-15-0x00000000002C0000-0x0000000000382000-memory.dmp

Filesize
776KB

Download
memory/3044-40-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/3048-28-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/3048-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-20-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/3048-26-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/3048-24-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/3048-22-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download