xworm | 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
Size

1.5MB
MD5

fcb52672d473cf136f8bfa03d3e60aa0
SHA1

8398a8fa2c8b909d49b9e3d19a6417d96a8bc2e6
SHA256

385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077
SHA512

db161e6c1d8062eda2bac28844d097fb86697d9ecc0e811a70b3438537ff6ab9c07cb8a47085fb348e918a73be69c6eb3389049bce32c651d1ee6766a2e32273
SSDEEP

24576:yFU+Ar0D+GNlhWwTzJEealEsmzbLaneJL09JI9FJavZBBVdB9+WxkePMKQ3pBXdn:Jp0yyWwPxpbouV/EPB58WCedQ5B2w6C5

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

usr-internal.gl.at.ply.gg:36003

Attributes

Install_directory
%ProgramData%
install_file
dllhost.exe
telegram
https://api.telegram.org/bot7268230993:AAH2vZGQkcYKKsL-PgJE8FiLxJ6qFOIFXxw/sendMessage?chat_id=7213459827

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001226b-5.dat	family_xworm
behavioral1/memory/3040-34-0x0000000001350000-0x0000000001366000-memory.dmp	family_xworm
behavioral1/memory/3016-199-0x0000000000F80000-0x0000000000F96000-memory.dmp	family_xworm
behavioral1/memory/3032-225-0x0000000000200000-0x0000000000216000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
2780	powershell.exe
2252	powershell.exe
560	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	1.exe

Executes dropped EXE 5 IoCs

pid	Process
3040	1.exe
3064	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe
2796	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
3016	dllhost.exe
3032	dllhost.exe

Loads dropped DLL 14 IoCs

pid	Process
2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
3064	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe
2796	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
2796	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
2796	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
2796	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
2796	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\dllhost.exe"	1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2936	powershell.exe
2780	powershell.exe
2252	powershell.exe
560	powershell.exe
3040	1.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	1.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	3040	1.exe
Token: SeDebugPrivilege	3016	dllhost.exe
Token: SeDebugPrivilege	3032	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3040	1.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3040	2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe	28
PID 2848 wrote to memory of 3040	2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe	28
PID 2848 wrote to memory of 3040	2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe	28
PID 2848 wrote to memory of 3040	2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe	28
PID 2848 wrote to memory of 3064	2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe	29
PID 2848 wrote to memory of 3064	2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe	29
PID 2848 wrote to memory of 3064	2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe	29
PID 2848 wrote to memory of 3064	2848	385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe	29
PID 3064 wrote to memory of 2796	3064	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe	30
PID 3064 wrote to memory of 2796	3064	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe	30
PID 3064 wrote to memory of 2796	3064	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe	30
PID 3064 wrote to memory of 2796	3064	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe	30
PID 3064 wrote to memory of 2796	3064	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe	30
PID 3064 wrote to memory of 2796	3064	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe	30
PID 3064 wrote to memory of 2796	3064	[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe	30
PID 3040 wrote to memory of 2936	3040	1.exe	32
PID 3040 wrote to memory of 2936	3040	1.exe	32
PID 3040 wrote to memory of 2936	3040	1.exe	32
PID 3040 wrote to memory of 2780	3040	1.exe	34
PID 3040 wrote to memory of 2780	3040	1.exe	34
PID 3040 wrote to memory of 2780	3040	1.exe	34
PID 3040 wrote to memory of 2252	3040	1.exe	36
PID 3040 wrote to memory of 2252	3040	1.exe	36
PID 3040 wrote to memory of 2252	3040	1.exe	36
PID 3040 wrote to memory of 560	3040	1.exe	38
PID 3040 wrote to memory of 560	3040	1.exe	38
PID 3040 wrote to memory of 560	3040	1.exe	38
PID 3040 wrote to memory of 1856	3040	1.exe	40
PID 3040 wrote to memory of 1856	3040	1.exe	40
PID 3040 wrote to memory of 1856	3040	1.exe	40
PID 1580 wrote to memory of 3016	1580	taskeng.exe	45
PID 1580 wrote to memory of 3016	1580	taskeng.exe	45
PID 1580 wrote to memory of 3016	1580	taskeng.exe	45
PID 1580 wrote to memory of 3032	1580	taskeng.exe	46
PID 1580 wrote to memory of 3032	1580	taskeng.exe	46
PID 1580 wrote to memory of 3032	1580	taskeng.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
"C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\ProgramData\dllhost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1856
- C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe
  "C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\is-54SFT.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-54SFT.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp" /SL5="$500F4,739062,190976,C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2796

C:\Windows\system32\taskeng.exe
taskeng.exe {A1895B0E-E9AC-4B40-956C-AA77E2BBB663} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1580
- C:\ProgramData\dllhost.exe
  C:\ProgramData\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\ProgramData\dllhost.exe
  C:\ProgramData\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-54SFT.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp

Filesize
1.5MB

MD5
5380849aba66bec4970ee80e31c7ae49

SHA1
88dbeaf07f97a6159bf28bb8bb7fc9365e8a2b05

SHA256
c0bf62c200297b1de58ebc284176121e94097dddf81ce5a860831d786c830d19

SHA512
4e49ccad558b24772f7e781eefe4a212d23a4dfe814f8f80efab7ab9b99bf1df1c6ac8db53a89a04e7246d7cf96bf229652550099a68a74202a31451271ded4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\CheckBox.png

Filesize
7KB

MD5
abd301b0263b0e0cebdd71e4855ac7d3

SHA1
1e8480c3f3b47a5daa7cb1183b6a7a49998cda6e

SHA256
aff003e75bbf410ed2f7ca8728afe01ab4a517536647ad20109d00c4adf570d5

SHA512
b5abb188bd23d7fc2e3253a5639cc3eba6d21774dba55b43395cf84ddb49fe707ad54dc0a7f157e6b0804c1662d9c4cb4bef2787aafb194ea73fbebd1a63bb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\WizardImage.jpg

Filesize
62KB

MD5
b91658597f15d7f689c86f5a2e7824bd

SHA1
00da609aa0b39140b767a3bc2644433d64edbd71

SHA256
b3cda6ab45ad5aa6a0a5f700d2c8987b3c1c1ebda63165d9bd5a566b24dcbd84

SHA512
00b287fb14b947edf4b16d52243e9a992595d8894e83d8590473103d1b54a4670b323db13c4f78234617c44f905baf517e68fcceaad313f3ea7cd44cf036daea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\button.png

Filesize
12KB

MD5
51af4120d6d22b1126cc87a5143740ef

SHA1
1cb4e91e765537a72c9628056d29fbd6a7ce515c

SHA256
c74fed62141f7e666379a0b00d5b39c86975332cf08151cbe8cab88eff2c393c

SHA512
2595be954684ca34bc9284337524a5191c72fbea46b59555a5113ed8404a1e7ab6c2aa0f5a975f832cccdd8934ff1140c679ecd940f31cc14b4c3a362a225cbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5QPQH47Y9H010IALBYB1.temp

Filesize
7KB

MD5
7cdf2b4d34da66f84accdaf9ea2206f5

SHA1
3954f86215839bbaaeb9c8d7556e44aed994e095

SHA256
5e77849482aca207db335cfac9d0745ea9332e8d9ac0548d56010d28b310f809

SHA512
f2f58b1bd1fc9d3f93e5f765be391d6f1d9d44873ade8c7e9c72295eb23d7361aa19234e9b6ae79fcab54e8a62c09304d8c15f4d9e362ed8f63c1a7dd5e00b1b

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
61KB

MD5
fc66a6c50b60c8452850844a795c943f

SHA1
5c071198335dd337c8540b32e8ba1e805101733d

SHA256
5391282e3e5fa8fb0c1ffd4eae7082c3dcf8d3c64e622856e9659d40af3ef089

SHA512
f07c20404cda4f2e6fa6a3a229e29c82b778b445e3cb5c40580d1b14ebcfc0c9a3bd65f684e1d087cc57740476c50e8fec85eb37b23224e0bd0eacef924ea491

Download Submit
\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe

Filesize
1.2MB

MD5
7c9be3d33bf8913f16b8d1762b05bd96

SHA1
a5f652e382e326ba8bdecf736b727304910c31f3

SHA256
a2c287f865ded8ddd825301616575079ea22757b943dafccf1ff9dabf1e67e2a

SHA512
bdbafcf544fad69e377a47246d7ab988b24fb181812b3c24350c7fa0c81a355d59886dfd4ae0279e6cc0d84434aa399e7d8a8e7d2508606f0bfccada42befa49

Download Submit
\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\botva2.dll

Filesize
32KB

MD5
295832fa6400cb3407cfe84b06785531

SHA1
7068910c2e0ea7f4535c770517e29d9c2d2ee77b

SHA256
13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

SHA512
50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

Download Submit
\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\get_hw_caps.dll

Filesize
76KB

MD5
2e35d2894df3b691dbd8e0d4f4c84efc

SHA1
d0fc14963e397d185e9f2d7dea1d07bc6308d5b9

SHA256
869079ba362cbc560d673db290248ec2aa075a74f22a82d90621f1118f8e1c4d

SHA512
29ba662ab2e77aef0547ff76213a1b6ef52be27a446923790a27cf8b69377621048387dbb9f22001b6d15837dddada84c7350614ec9622258319658822705f90

Download Submit
\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
memory/2252-160-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2252-159-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2780-64-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2780-63-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-120-0x0000000007BB0000-0x0000000007BC5000-memory.dmp

Filesize
84KB

Download
memory/2796-186-0x0000000007BB0000-0x0000000007BC5000-memory.dmp

Filesize
84KB

Download
memory/2796-80-0x0000000007340000-0x000000000734D000-memory.dmp

Filesize
52KB

Download
memory/2796-185-0x0000000007340000-0x000000000734D000-memory.dmp

Filesize
52KB

Download
memory/2796-173-0x0000000007BB0000-0x0000000007BC5000-memory.dmp

Filesize
84KB

Download
memory/2796-172-0x0000000007340000-0x000000000734D000-memory.dmp

Filesize
52KB

Download
memory/2796-171-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/2936-54-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-55-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/3016-199-0x0000000000F80000-0x0000000000F96000-memory.dmp

Filesize
88KB

Download
memory/3032-225-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/3040-30-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/3040-178-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/3040-34-0x0000000001350000-0x0000000001366000-memory.dmp

Filesize
88KB

Download
memory/3064-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3064-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download