xworm | aa1beca1ce33a11a5c56a8a79d03e38b51339d0fe977495ad72eb8b068b379bc

Analysis

max time kernel
126s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fwanufwa.exe
Size

16.7MB
MD5

157d1a68e8368cb8ed46e3173122562b
SHA1

9fda498d3101ab26afe01a630f7dfec445cbef0c
SHA256

aa1beca1ce33a11a5c56a8a79d03e38b51339d0fe977495ad72eb8b068b379bc
SHA512

94ccf7674c0f5f849cd28c04da7d4dd045107fe78ca98e62f622511c3953ef94b6f248703820b29d01713d062984b300b37d5ba1c7d2e5b15febeddcb603a83d
SSDEEP

393216:Aw73+t5XTNsNiI7T+PkdymUAZDtGACaeIXHZzvhh0fLD4DbTpcF13X:AQ3+t7I7TXCaeaZzv7GDAcF13

Score

10^/10

xworm evasion execution persistence rat themida trojan

Malware Config

Extracted

Family

xworm

94.13.152.8:25565

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0033000000014983-11.dat	family_xworm
behavioral1/memory/2768-12-0x00000000000F0000-0x0000000000106000-memory.dmp	family_xworm
behavioral1/memory/1732-97-0x0000000000180000-0x0000000000196000-memory.dmp	family_xworm
behavioral1/memory/1736-104-0x0000000000040000-0x0000000000056000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5Bzkgs9t.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1136	powershell.exe
1560	powershell.exe
1084	powershell.exe
2324	powershell.exe
2840	powershell.exe
1340	powershell.exe
1820	powershell.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\Parameters\ServiceDll = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5Bzkgs9t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5Bzkgs9t.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
2120	5Bzkgs9t.exe
2768	XClient.exe
1200	Process not Found
1732	XClient.exe
1736	XClient.exe

Loads dropped DLL 4 IoCs

pid	Process
2944	fwanufwa.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000c00000001450b-4.dat	themida
behavioral1/memory/2120-14-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral1/memory/2120-16-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral1/memory/2120-17-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral1/memory/2120-18-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral1/memory/2120-19-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral1/memory/2120-91-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral1/memory/2120-102-0x0000000140000000-0x00000001428C5000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5Bzkgs9t.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2120	5Bzkgs9t.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2680	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2076	schtasks.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2840	powershell.exe
1660	powershell.exe
1820	powershell.exe
1340	powershell.exe
1136	powershell.exe
1560	powershell.exe
1084	powershell.exe
2324	powershell.exe
2768	XClient.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	XClient.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2768	XClient.exe
Token: SeDebugPrivilege	1732	XClient.exe
Token: SeDebugPrivilege	1736	XClient.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2120	5Bzkgs9t.exe
2768	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2120	2944	fwanufwa.exe	28
PID 2944 wrote to memory of 2120	2944	fwanufwa.exe	28
PID 2944 wrote to memory of 2120	2944	fwanufwa.exe	28
PID 2944 wrote to memory of 2768	2944	fwanufwa.exe	29
PID 2944 wrote to memory of 2768	2944	fwanufwa.exe	29
PID 2944 wrote to memory of 2768	2944	fwanufwa.exe	29
PID 2120 wrote to memory of 2840	2120	5Bzkgs9t.exe	30
PID 2120 wrote to memory of 2840	2120	5Bzkgs9t.exe	30
PID 2120 wrote to memory of 2840	2120	5Bzkgs9t.exe	30
PID 2120 wrote to memory of 2472	2120	5Bzkgs9t.exe	32
PID 2120 wrote to memory of 2472	2120	5Bzkgs9t.exe	32
PID 2120 wrote to memory of 2472	2120	5Bzkgs9t.exe	32
PID 2472 wrote to memory of 2496	2472	net.exe	34
PID 2472 wrote to memory of 2496	2472	net.exe	34
PID 2472 wrote to memory of 2496	2472	net.exe	34
PID 2120 wrote to memory of 2212	2120	5Bzkgs9t.exe	35
PID 2120 wrote to memory of 2212	2120	5Bzkgs9t.exe	35
PID 2120 wrote to memory of 2212	2120	5Bzkgs9t.exe	35
PID 2120 wrote to memory of 2520	2120	5Bzkgs9t.exe	37
PID 2120 wrote to memory of 2520	2120	5Bzkgs9t.exe	37
PID 2120 wrote to memory of 2520	2120	5Bzkgs9t.exe	37
PID 2120 wrote to memory of 2984	2120	5Bzkgs9t.exe	39
PID 2120 wrote to memory of 2984	2120	5Bzkgs9t.exe	39
PID 2120 wrote to memory of 2984	2120	5Bzkgs9t.exe	39
PID 2984 wrote to memory of 2688	2984	net.exe	41
PID 2984 wrote to memory of 2688	2984	net.exe	41
PID 2984 wrote to memory of 2688	2984	net.exe	41
PID 2120 wrote to memory of 2744	2120	5Bzkgs9t.exe	42
PID 2120 wrote to memory of 2744	2120	5Bzkgs9t.exe	42
PID 2120 wrote to memory of 2744	2120	5Bzkgs9t.exe	42
PID 2120 wrote to memory of 2412	2120	5Bzkgs9t.exe	44
PID 2120 wrote to memory of 2412	2120	5Bzkgs9t.exe	44
PID 2120 wrote to memory of 2412	2120	5Bzkgs9t.exe	44
PID 2412 wrote to memory of 380	2412	net.exe	47
PID 2412 wrote to memory of 380	2412	net.exe	47
PID 2412 wrote to memory of 380	2412	net.exe	47
PID 2120 wrote to memory of 1660	2120	5Bzkgs9t.exe	48
PID 2120 wrote to memory of 1660	2120	5Bzkgs9t.exe	48
PID 2120 wrote to memory of 1660	2120	5Bzkgs9t.exe	48
PID 2120 wrote to memory of 1820	2120	5Bzkgs9t.exe	49
PID 2120 wrote to memory of 1820	2120	5Bzkgs9t.exe	49
PID 2120 wrote to memory of 1820	2120	5Bzkgs9t.exe	49
PID 2120 wrote to memory of 1340	2120	5Bzkgs9t.exe	51
PID 2120 wrote to memory of 1340	2120	5Bzkgs9t.exe	51
PID 2120 wrote to memory of 1340	2120	5Bzkgs9t.exe	51
PID 2120 wrote to memory of 3016	2120	5Bzkgs9t.exe	54
PID 2120 wrote to memory of 3016	2120	5Bzkgs9t.exe	54
PID 2120 wrote to memory of 3016	2120	5Bzkgs9t.exe	54
PID 2768 wrote to memory of 1136	2768	XClient.exe	55
PID 2768 wrote to memory of 1136	2768	XClient.exe	55
PID 2768 wrote to memory of 1136	2768	XClient.exe	55
PID 2768 wrote to memory of 1560	2768	XClient.exe	57
PID 2768 wrote to memory of 1560	2768	XClient.exe	57
PID 2768 wrote to memory of 1560	2768	XClient.exe	57
PID 2768 wrote to memory of 1084	2768	XClient.exe	59
PID 2768 wrote to memory of 1084	2768	XClient.exe	59
PID 2768 wrote to memory of 1084	2768	XClient.exe	59
PID 2768 wrote to memory of 2324	2768	XClient.exe	61
PID 2768 wrote to memory of 2324	2768	XClient.exe	61
PID 2768 wrote to memory of 2324	2768	XClient.exe	61
PID 2768 wrote to memory of 2076	2768	XClient.exe	63
PID 2768 wrote to memory of 2076	2768	XClient.exe	63
PID 2768 wrote to memory of 2076	2768	XClient.exe	63
PID 1804 wrote to memory of 1732	1804	taskeng.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fwanufwa.exe
"C:\Users\Admin\AppData\Local\Temp\fwanufwa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944
- C:\ProgramData\5Bzkgs9t.exe
  "C:\ProgramData\5Bzkgs9t.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command Remove-Item 'C:\ProgramData\5Bzkgs9t.exe.bak' -force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\system32\net.exe
    net stop w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop w32time
      4⤵
      PID:2496
- - C:\Windows\system32\w32tm.exe
    w32tm /unregister
    3⤵
    PID:2212
- - C:\Windows\system32\w32tm.exe
    w32tm /register
    3⤵
    - Sets DLL path for service in the registry
    PID:2520
- - C:\Windows\system32\net.exe
    net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      PID:2688
- - C:\Windows\system32\w32tm.exe
    w32tm /resync /force
    3⤵
    PID:2744
- - C:\Windows\system32\net.exe
    net stop w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop w32time
      4⤵
      PID:380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (GWMI Win32_Processor).VirtualizationFirmwareEnabled
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "confirm-securebootuefi"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "$env:firmware_type"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2120 -s 888
    3⤵
    - Loads dropped DLL
    PID:3016
- - C:\Windows\system32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:2152
- - C:\Windows\system32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:2680
- C:\ProgramData\XClient.exe
  "C:\ProgramData\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2076

C:\Windows\system32\taskeng.exe
taskeng.exe {6BF5529C-703E-46DB-9AF8-64F207853626} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XClient.exe

Filesize
59KB

MD5
373a87e2d6e4f2d5b6b530bece8ceb67

SHA1
17b5e6fdc6a6a797e5833ccb8c0d8aebae96d60f

SHA256
1d6dd855bb196a7b983bd151fda3c0a302ebad418395b737cdf300de40c08a31

SHA512
0d99eb06b36a73124ccffe9e5251dbba71b905c5eb3b2d38492512d4b6327845017eb0cdc30273d917556f701cd37f26385936bee4feaa0982b89fa4541ad5c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
92a0b694e858eaf5304d6f48ff855ed0

SHA1
97abadd7313d9bf989ef902c9985329c3812a383

SHA256
242bb7ed7f8e3effb563fb53ec0cd34e8021b1e573960173968a0bd855a1042f

SHA512
214374c56c1aa6230fa58375bbc37315e31fa44691421b06d3dc58c95ea8e2ae4455c2058b227e323bdcfd7ba4e65441290d431db13d47d2bfcf1d80422077bb

Download Submit
\ProgramData\5Bzkgs9t.exe

Filesize
16.6MB

MD5
2168b2eff6aa08948aa8bec7304a3358

SHA1
b19f9edd3fa9a53a687120f778ce6b9bfd6c0ac1

SHA256
cbc18abc563c1fe2d1a71c7bc2350807c62ecffdb02b11f1a34946b0777bd677

SHA512
76f1963825df8b9cc7427127357216ce27a0e61f4b8500f7b2f6e65093fd98e7cdd7289a6867f223e23f2cedd10ae52ba72ccb21075c2eee70efeaca50f4f04b

Download Submit
memory/1136-70-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/1136-69-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/1660-50-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/1660-55-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1732-97-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download
memory/1736-104-0x0000000000040000-0x0000000000056000-memory.dmp

Filesize
88KB

Download
memory/2120-14-0x0000000140000000-0x00000001428C5000-memory.dmp

Filesize
40.8MB

Download
memory/2120-16-0x0000000140000000-0x00000001428C5000-memory.dmp

Filesize
40.8MB

Download
memory/2120-102-0x0000000140000000-0x00000001428C5000-memory.dmp

Filesize
40.8MB

Download
memory/2120-37-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download
memory/2120-19-0x0000000140000000-0x00000001428C5000-memory.dmp

Filesize
40.8MB

Download
memory/2120-18-0x0000000140000000-0x00000001428C5000-memory.dmp

Filesize
40.8MB

Download
memory/2120-17-0x0000000140000000-0x00000001428C5000-memory.dmp

Filesize
40.8MB

Download
memory/2120-91-0x0000000140000000-0x00000001428C5000-memory.dmp

Filesize
40.8MB

Download
memory/2768-12-0x00000000000F0000-0x0000000000106000-memory.dmp

Filesize
88KB

Download
memory/2840-24-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2840-25-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2944-0-0x000007FEF54B3000-0x000007FEF54B4000-memory.dmp

Filesize
4KB

Download
memory/2944-13-0x0000000140000000-0x00000001428C5000-memory.dmp

Filesize
40.8MB

Download
memory/2944-1-0x0000000000870000-0x000000000192C000-memory.dmp

Filesize
16.7MB

Download