xworm | a19ca27eb45dc2e8851f7c93097f92ac78f7971d43b4685d16c706e3c2524434

Analysis

max time kernel
28s
max time network
55s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2024, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

obfuscated.exe
Size

38.3MB
MD5

69a03bb48ee81a00bd8347bc420a0342
SHA1

b16cb191f4a5f5b151d8fe9591e81657e1d0366c
SHA256

a19ca27eb45dc2e8851f7c93097f92ac78f7971d43b4685d16c706e3c2524434
SHA512

63c3e80a6848fedf368e0be17119a21cba2074b2e4f1c50d48fcc200537e0c07f2da809cf463001a99da2fc56206414d0ceef6bebf5e5c1d9e22c4b8968275c7
SSDEEP

393216:d76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfcnVQx4urYsANulL7Na:d0LoCOn+2cs4urYDNulLBiue

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

91.92.245.248:7000

Mutex

8ZKAq60sTZYIePSv

Attributes

Install_directory
%ProgramData%
install_file
proquota.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4992-55-0x000001757F160000-0x000001757F170000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4992	powershell.exe
4	4992	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\proquota = "C:\\ProgramData\\proquota.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4992	powershell.exe
4992	powershell.exe
4036	powershell.exe
4036	powershell.exe
3216	powershell.exe
3216	powershell.exe
3088	powershell.exe
3088	powershell.exe
972	powershell.exe
972	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4992	3444	obfuscated.exe	78
PID 3444 wrote to memory of 4992	3444	obfuscated.exe	78
PID 4992 wrote to memory of 1576	4992	powershell.exe	79
PID 4992 wrote to memory of 1576	4992	powershell.exe	79
PID 1576 wrote to memory of 4188	1576	csc.exe	80
PID 1576 wrote to memory of 4188	1576	csc.exe	80
PID 4992 wrote to memory of 3588	4992	powershell.exe	81
PID 4992 wrote to memory of 3588	4992	powershell.exe	81
PID 3588 wrote to memory of 1920	3588	csc.exe	82
PID 3588 wrote to memory of 1920	3588	csc.exe	82
PID 4992 wrote to memory of 3260	4992	powershell.exe	83
PID 4992 wrote to memory of 3260	4992	powershell.exe	83
PID 3260 wrote to memory of 3412	3260	csc.exe	84
PID 3260 wrote to memory of 3412	3260	csc.exe	84
PID 4992 wrote to memory of 4036	4992	powershell.exe	86
PID 4992 wrote to memory of 4036	4992	powershell.exe	86
PID 4992 wrote to memory of 3216	4992	powershell.exe	88
PID 4992 wrote to memory of 3216	4992	powershell.exe	88
PID 4992 wrote to memory of 3088	4992	powershell.exe	90
PID 4992 wrote to memory of 3088	4992	powershell.exe	90
PID 4992 wrote to memory of 972	4992	powershell.exe	92
PID 4992 wrote to memory of 972	4992	powershell.exe	92

C:\Users\Admin\AppData\Local\Temp\obfuscated.exe
"C:\Users\Admin\AppData\Local\Temp\obfuscated.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2yxglawr\2yxglawr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7474.tmp" "c:\Users\Admin\AppData\Local\Temp\2yxglawr\CSC27E30C5B457445B8CBEE5EBF87EA.TMP"
      4⤵
      PID:4188
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbe4d3ri\hbe4d3ri.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7501.tmp" "c:\Users\Admin\AppData\Local\Temp\hbe4d3ri\CSC340522AB98324C64B766C294BA846EF7.TMP"
      4⤵
      PID:1920
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n3fwug2m\n3fwug2m.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES756E.tmp" "c:\Users\Admin\AppData\Local\Temp\n3fwug2m\CSC468EAD44D2524E5AA340F44903B9BA9.TMP"
      4⤵
      PID:3412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\proquota.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'proquota.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67a68c2b72b1e1c3e7ef431feacac89e

SHA1
c45aaf6dada965f54cf321f4479b6ff47b798c2f

SHA256
5f28392b70a00ed5242988005d175964f782dcac481078c3cd301607ece24779

SHA512
57b65f1975eb54ea501464c0f3571fc636f789f8f6b420c97c6a3f36486427ad1c3d7726ac7778df9f2f361ca923a7b976b1ec5bfb3f80067ecbfcd714709dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Temp\2yxglawr\2yxglawr.dll

Filesize
3KB

MD5
12cd5bd7a3508b96d35107343057b1c9

SHA1
f647c3d00af147301260d8460819a4b6c976853b

SHA256
78becffbbb1ca3fbd6bf167309ce70a16ba99d500a4d4aa8ba2dc17696cf21d7

SHA512
571781666ab117af68b24d9bc455ac1a4daaf92b0913f7bf3a9acb2f8f87a28c5fe7ff13a6def2048de79e99d54b1afbef6708c5fbf2f60cf2c84f204b4f24b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7474.tmp

Filesize
1KB

MD5
cc4ef5225fa3eaa78eca4ba05927a5be

SHA1
ffdf50e6a322b35f20dd6eaaea50f9b0ddf63232

SHA256
88a69d6a451cda8ce1d82363ec298eb7a058b9b5779048e2cffab3050be6123e

SHA512
46647150796359b1277759f47e040e2193dc954594f474e117d282e95b2278a269221255840c540a89730ca2b72e987be4d5cc0ecdb24cc44b48c89f84b033cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7501.tmp

Filesize
1KB

MD5
c2bd777404a5d51116cb5631f489c63b

SHA1
83be69499a4e3f6c12b85901b43d24f3a1a2c1e6

SHA256
095d398938506c0410b1a5d9275a310a4fcd4be9fdcbeda01eea8f4abc31632c

SHA512
ec0bc8d0b58fff238bd57b2ccdef40582539fdba00e628fa87269d697a24bd7ca075c617931227bd6e83418ad25e6f90ed98385e44813a3c62083882f3813243

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES756E.tmp

Filesize
1KB

MD5
d8b26b9f364c658bbc9a435270b71d6f

SHA1
c13451b0da024a711b82ea3fdf5c4dc8cf7fbbaa

SHA256
3fe6ada7c30534744b32a8f4082d2184b56aabcd08a19d9c8ec2a404599df8f9

SHA512
d2912129090342290ce4d9120f45957647a12731448133159af3f0ad35f4d19f0c5e0e322f946b354cfb3cb59a78a3723a063164a82f5e48b2f72fe05a369641

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rq2sfnzy.qst.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbe4d3ri\hbe4d3ri.dll

Filesize
3KB

MD5
6b81a0e0fcebc331d9e13bb9bce54440

SHA1
9569a207cc3ae4702e56e0dc878167f95cb0f932

SHA256
2bf45a37c2d077fd918356ac9939632bf7a619b7cd48c99d9db8ae33d3a06068

SHA512
43afe4bd1a0ac321342ec1646312c35757b7fdf9fe7f727fb4ab0ce9bc1a2be0ae04e2cabf5f3b89d523edf50800ae2dcac623d9e11c5a68e6e847f7b7961080

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3fwug2m\n3fwug2m.dll

Filesize
3KB

MD5
5291c7ecd7911fe7a7cc260edffadcfb

SHA1
8657dec18c1f80f9e32b79856cf921b2ba84803a

SHA256
bd17e24196fdaa49a619bc6ca3c598c30ec87571a1e9d5852993b3bd78fedb8b

SHA512
8bd563bbd48a6ccd33f2e1470d1e27ae419a42d17c6f027efae3a0376987e1407a3da10d44d4138f738610b827bce57a43309d62a1ab3ad1e62845f4852414c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2yxglawr\2yxglawr.0.cs

Filesize
264B

MD5
9d0f01551d19313082234ba8fd249c74

SHA1
292470353fb54ac4e4ab2468908930fb91696159

SHA256
38382d470f70733fc6bfe36bbfb53e2fbd5b1cca8a5c105203356c2cfaa61c7e

SHA512
6596948b9c6a9fb6101dbda3212188c70f752925d813bd64581aa6842820c1f69d387defee09a4e76749fe994ddea48025d7fd110789445b77db6cda5b34b958

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2yxglawr\2yxglawr.cmdline

Filesize
369B

MD5
500c32a8b544f0b0151c2a5c1b9a3739

SHA1
12e05f6e99681bcf213f2d187a8e4b5ed4f0f3d3

SHA256
7941510bb248a89f1fe5af3e5e74fc6ab23a90e791d830fefff2f6913a9ce0cb

SHA512
e377c250698d3f40518cf9e5c4d96acfb95a1a58d3a0dbfe7202f685fc716c0564dc5f034a1b39628e1ed103f3a5d8e5c7cbd79c2323f34984c8a99af65ab747

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2yxglawr\CSC27E30C5B457445B8CBEE5EBF87EA.TMP

Filesize
652B

MD5
118c80001c3809ef2003f7d18843d998

SHA1
dd8ecb4b10e182957e0e8d0dad58b9c3347ef69f

SHA256
87266b0857405aeaeb5cc541cbe0235ce75532eb7158353db25b2fb7230f1cd5

SHA512
ff0cfa903ff1c48646aa0048fe7505e3e0406c052a65fd740adb88bb126ed521d5577a248701be72382bc722bf71158132ac04bdc8d07227b6807857d263c85c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbe4d3ri\CSC340522AB98324C64B766C294BA846EF7.TMP

Filesize
652B

MD5
edcbece8a69012acde0ff7aed4a04af4

SHA1
f821d75a71441a368e471939559c734fcafbf357

SHA256
34fb18ba9ef9be3cff3bdf5a89d42edf003b00ee519b59a2bf911c33e18c9203

SHA512
d6c92cc3c4e595d5be979bbebfc539bd9827accf010542c8e243ef5f635c75348f8a369aa0da5aae8dbf9f2a899587c786548ec891ca0c15ecb68dddd3f6be96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbe4d3ri\hbe4d3ri.0.cs

Filesize
319B

MD5
118e2358315f8f7d2e2c77447e02ddb4

SHA1
b2074579d99b88ee378d6a2d7fcf02710e716c5b

SHA256
055679ce11f420946503e389078a5755a241393dea93c157a623c2446883d1d8

SHA512
46c2190d7b19cfc6b536d3822414f909efa83e774814d3e3128db901b0c51ce33f25d0cab5efdf7ad66ed4889f78d7200bf71f19a977ece709a9444f03255eec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbe4d3ri\hbe4d3ri.cmdline

Filesize
369B

MD5
9f64b1b3067424b115f1d8eb99ceb748

SHA1
c8e2c10deed76fa49d5595812db170e030e3aabd

SHA256
65e32591228f2ad553a84c9aaf2b3838b3927d21947e0dbe8fc268640e9f260f

SHA512
46f9c3a11dce2fecb823b943f11586123e717cf216ac9088315ccb4a7614a0ba1cc9bb2a36bd2e7ccebed3ef25e43b08af3c05a7456a37e54215522dcbe201a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3fwug2m\CSC468EAD44D2524E5AA340F44903B9BA9.TMP

Filesize
652B

MD5
8a3e6ec9cbf508eafb757d0e582af9f0

SHA1
b54d046b6ea8190803e82c498fd4528a864cad42

SHA256
47e6b3694dc4825e27e235b6c929488636795b54d2e4f4002f9114e326c907f3

SHA512
baf99eb7c5fd604b7e6231a3b4313a4378632d731964bd59b3923757bbe35a27973223f14d8a99ed08a0a68cf90821e47366b1c8768cfcdd8ad2ca2f0ac53925

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3fwug2m\n3fwug2m.0.cs

Filesize
236B

MD5
f91af8ddec9960fc584163630b3bc2f2

SHA1
ece9bd77573dceb4743f5a0eb47c031e5b1f9ead

SHA256
6de19715aa47895a8c4bf9efc410517ccfa9519456b58a50203ada4b624853d4

SHA512
45e9e201a9e969522100d032675b6dfcb1f2c6a7869ace5d40251b58215987ee4d49d2607bb840b5e03b3df682fc39cf7ce9efa6c0c3cc01afb43a91a639bcd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3fwug2m\n3fwug2m.cmdline

Filesize
369B

MD5
88eb270fb9a29a6acb51a7d20e69c6c8

SHA1
23d5338c2de1ed1754ae10d357f5e711dd4a398e

SHA256
4f1713482e4a2e44ee2d1e8b95cd5b1418d5c5a6c380393d5de6792517bd0959

SHA512
f5fb530c817efc0960351a85a097c2c02de43198911da7a78e22c1d942b652e90ded362e25696b6b4847311fe33026f8521dbeaa1d3efe96e5ac5b0289ca141f

Download Submit
memory/972-115-0x0000021A880D0000-0x0000021A880E0000-memory.dmp

Filesize
64KB

Download
memory/972-114-0x0000021A880D0000-0x0000021A880E0000-memory.dmp

Filesize
64KB

Download
memory/972-113-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download
memory/972-125-0x0000021A880D0000-0x0000021A880E0000-memory.dmp

Filesize
64KB

Download
memory/972-127-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download
memory/3088-108-0x0000023FB3BA0000-0x0000023FB3BB0000-memory.dmp

Filesize
64KB

Download
memory/3088-105-0x0000023FB3BA0000-0x0000023FB3BB0000-memory.dmp

Filesize
64KB

Download
memory/3088-112-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download
memory/3088-106-0x0000023FB3BA0000-0x0000023FB3BB0000-memory.dmp

Filesize
64KB

Download
memory/3088-96-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download
memory/3216-95-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download
memory/3216-92-0x000001E583CF0000-0x000001E583D00000-memory.dmp

Filesize
64KB

Download
memory/3216-79-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download
memory/3216-80-0x000001E583CF0000-0x000001E583D00000-memory.dmp

Filesize
64KB

Download
memory/3216-81-0x000001E583CF0000-0x000001E583D00000-memory.dmp

Filesize
64KB

Download
memory/4036-74-0x000001C48C010000-0x000001C48C020000-memory.dmp

Filesize
64KB

Download
memory/4036-77-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download
memory/4036-72-0x000001C48C010000-0x000001C48C020000-memory.dmp

Filesize
64KB

Download
memory/4036-71-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download
memory/4036-73-0x000001C48C010000-0x000001C48C020000-memory.dmp

Filesize
64KB

Download
memory/4992-61-0x000001757F170000-0x000001757F178000-memory.dmp

Filesize
32KB

Download
memory/4992-110-0x000001757EB30000-0x000001757EB40000-memory.dmp

Filesize
64KB

Download
memory/4992-3-0x000001757EBE0000-0x000001757EC02000-memory.dmp

Filesize
136KB

Download
memory/4992-91-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download
memory/4992-59-0x000001757EB30000-0x000001757EB40000-memory.dmp

Filesize
64KB

Download
memory/4992-58-0x000001757EB30000-0x000001757EB40000-memory.dmp

Filesize
64KB

Download
memory/4992-55-0x000001757F160000-0x000001757F170000-memory.dmp

Filesize
64KB

Download
memory/4992-45-0x000001757F0C0000-0x000001757F0D1000-memory.dmp

Filesize
68KB

Download
memory/4992-109-0x000001757EB30000-0x000001757EB40000-memory.dmp

Filesize
64KB

Download
memory/4992-93-0x000001757EB30000-0x000001757EB40000-memory.dmp

Filesize
64KB

Download
memory/4992-43-0x000001757F0E0000-0x000001757F0E8000-memory.dmp

Filesize
32KB

Download
memory/4992-29-0x000001757EBD0000-0x000001757EBD8000-memory.dmp

Filesize
32KB

Download
memory/4992-16-0x000001757F110000-0x000001757F156000-memory.dmp

Filesize
280KB

Download
memory/4992-15-0x000001757EB30000-0x000001757EB40000-memory.dmp

Filesize
64KB

Download
memory/4992-14-0x000001757EB30000-0x000001757EB40000-memory.dmp

Filesize
64KB

Download
memory/4992-13-0x000001757EB30000-0x000001757EB40000-memory.dmp

Filesize
64KB

Download
memory/4992-12-0x00007FF874050000-0x00007FF874B12000-memory.dmp

Filesize
10.8MB

Download