xworm | 1020e237ab79171c59cec569952f8f7c7d9ee2056fb3d09a6b3d39de6cb7ca07

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
Size

455KB
MD5

c8d9593196962fa5d706a207c16674cd
SHA1

686a8e674e6615d5cd91f7b2cba0c755054b3f69
SHA256

a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
SHA512

5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
SSDEEP

12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK

Score

10^/10

xworm evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.1

104.194.9.116:7000

Mutex

bUezpCDHVjUVS3W9

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/memory/2188-6-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2188-7-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2188-9-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2188-11-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2188-13-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2188-15-0x0000000004990000-0x00000000049D0000-memory.dmp	family_xworm
behavioral1/memory/2188-19-0x0000000004990000-0x00000000049D0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
1944	yhlfcs.exe
1856	oapavmkbdsqp.exe

Loads dropped DLL 7 IoCs

pid	Process
2188	CasPol.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe
468	services.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl	oapavmkbdsqp.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 1944 set thread context of 1032	1944	yhlfcs.exe	34
PID 1032 set thread context of 1780	1032	explorer.exe	36

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
476	sc.exe
660	sc.exe
2288	sc.exe
1600	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	oapavmkbdsqp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	oapavmkbdsqp.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	oapavmkbdsqp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerStartupTraceRecorded = "1"	oapavmkbdsqp.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
1032	explorer.exe
1032	explorer.exe
1780	dialer.exe
1780	dialer.exe
1032	explorer.exe
1780	dialer.exe
1780	dialer.exe
1032	explorer.exe
1032	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
Token: SeDebugPrivilege	2188	CasPol.exe
Token: SeDebugPrivilege	1780	dialer.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2328 wrote to memory of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2328 wrote to memory of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2328 wrote to memory of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2328 wrote to memory of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2328 wrote to memory of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2328 wrote to memory of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2328 wrote to memory of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2328 wrote to memory of 2188	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2328 wrote to memory of 2836	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	29
PID 2328 wrote to memory of 2836	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	29
PID 2328 wrote to memory of 2836	2328	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	29
PID 2188 wrote to memory of 1944	2188	CasPol.exe	33
PID 2188 wrote to memory of 1944	2188	CasPol.exe	33
PID 2188 wrote to memory of 1944	2188	CasPol.exe	33
PID 2188 wrote to memory of 1944	2188	CasPol.exe	33
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 1032	1944	yhlfcs.exe	34
PID 1944 wrote to memory of 2344	1944	yhlfcs.exe	35
PID 1944 wrote to memory of 2344	1944	yhlfcs.exe	35
PID 1944 wrote to memory of 2344	1944	yhlfcs.exe	35
PID 1032 wrote to memory of 1780	1032	explorer.exe	36
PID 1032 wrote to memory of 1780	1032	explorer.exe	36
PID 1032 wrote to memory of 1780	1032	explorer.exe	36
PID 1032 wrote to memory of 1780	1032	explorer.exe	36
PID 1032 wrote to memory of 1780	1032	explorer.exe	36
PID 1032 wrote to memory of 1780	1032	explorer.exe	36
PID 1032 wrote to memory of 1780	1032	explorer.exe	36
PID 1780 wrote to memory of 424	1780	dialer.exe	5
PID 1780 wrote to memory of 468	1780	dialer.exe	6
PID 468 wrote to memory of 1856	468	services.exe	45
PID 468 wrote to memory of 1856	468	services.exe	45
PID 468 wrote to memory of 1856	468	services.exe	45
PID 1780 wrote to memory of 1856	1780	dialer.exe	45

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:468
- C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe
  C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:1856

C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
"C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\yhlfcs.exe
    "C:\Users\Admin\AppData\Local\Temp\yhlfcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GVKQGWZS"
        5⤵
        Launches sc.exe
        
        PID:660
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GVKQGWZS" binpath= "C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:476
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:1600
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GVKQGWZS"
        5⤵
        Launches sc.exe
        
        PID:2288
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1944 -s 724
      4⤵
      Loads dropped DLL
      PID:2344
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2328 -s 736
  2⤵
  PID:2836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yhlfcs.exe

Filesize
3.1MB

MD5
f3e70f68d7e2f644bcd312f1333094e1

SHA1
259dd00ddb8a08fb149c37254bfb865a74bb11b9

SHA256
6607d552accc951f2cd068bb394200987d7d1e90e34f8cdab3afe6e3ccedee4e

SHA512
425d60775735804dce4a43aba0426966cc21ef5c0c997d073bc3d0740d3a07b13227fd1e5be93189079e8e01ca0c515d27ddc0451ee4e514e02bdc3bd8f4d33d

Download Submit
\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe

Filesize
2.7MB

MD5
ac4c51eb24aa95b77f705ab159189e24

SHA1
4583daf9442880204730fb2c8a060430640494b1

SHA256
6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a

SHA512
011bfe19bd15dcc0f9850575e20d7f2c01160ec98ba461ad59a51b9417049e6475648b9056990247699624b080cf609ec7b5409231cfb46a012d723f7db08d81

Download Submit
memory/424-68-0x000007FEBF150000-0x000007FEBF160000-memory.dmp

Filesize
64KB

Download
memory/424-63-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/424-62-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/424-77-0x0000000076F41000-0x0000000076F42000-memory.dmp

Filesize
4KB

Download
memory/424-98-0x0000000000890000-0x00000000008BB000-memory.dmp

Filesize
172KB

Download
memory/424-69-0x0000000036F30000-0x0000000036F40000-memory.dmp

Filesize
64KB

Download
memory/424-74-0x0000000000890000-0x00000000008BB000-memory.dmp

Filesize
172KB

Download
memory/424-64-0x0000000000890000-0x00000000008BB000-memory.dmp

Filesize
172KB

Download
memory/468-78-0x0000000036F30000-0x0000000036F40000-memory.dmp

Filesize
64KB

Download
memory/468-99-0x0000000000100000-0x000000000012B000-memory.dmp

Filesize
172KB

Download
memory/468-73-0x000007FEBF150000-0x000007FEBF160000-memory.dmp

Filesize
64KB

Download
memory/468-70-0x0000000000100000-0x000000000012B000-memory.dmp

Filesize
172KB

Download
memory/468-79-0x0000000000100000-0x000000000012B000-memory.dmp

Filesize
172KB

Download
memory/1032-43-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-34-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-42-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-76-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-40-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-38-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/1032-36-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-35-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-30-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-31-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-32-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1032-33-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1780-51-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1780-53-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1780-97-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1780-52-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1780-55-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1780-59-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1780-58-0x0000000076CD0000-0x0000000076DEF000-memory.dmp

Filesize
1.1MB

Download
memory/1780-56-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1780-50-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1856-86-0x0000000000450000-0x000000000047B000-memory.dmp

Filesize
172KB

Download
memory/1856-92-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1856-89-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1856-102-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1856-101-0x0000000000450000-0x000000000047B000-memory.dmp

Filesize
172KB

Download
memory/1856-87-0x000007FEBF150000-0x000007FEBF160000-memory.dmp

Filesize
64KB

Download
memory/1856-91-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1856-88-0x0000000036F30000-0x0000000036F40000-memory.dmp

Filesize
64KB

Download
memory/1856-96-0x00000000FF710000-0x00000000FF9D0000-memory.dmp

Filesize
2.8MB

Download
memory/1856-95-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1856-93-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1856-94-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1944-67-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1944-28-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1944-29-0x000000001B7D0000-0x000000001BAE6000-memory.dmp

Filesize
3.1MB

Download
memory/1944-27-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-26-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/1944-49-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-15-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/2188-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-18-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2188-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-14-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-19-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/2328-16-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-17-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/2328-2-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/2328-1-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-0-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/2328-3-0x0000000001ED0000-0x0000000001F34000-memory.dmp

Filesize
400KB

Download