xworm | 807365fb2ba6da0202b002ef59b76c7e5205cd7a20280b006403ca94ec700904

Analysis

max time kernel
1183s
max time network
1193s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26.06.2024/DxHax.exe
Size

9.0MB
MD5

254e6ae77b775c805562a031bc0a1c65
SHA1

843d67a36aa8baf1033c931740f03dd9f77749e1
SHA256

caba4ef02b4c6c301d6ebee2833d23f59dbad37c2cfc8702a4cb31801fdb8284
SHA512

7807054101bff645a3dadd0d70061b812485128ec9eb8c12de0251b2fd65fb1e835006989138afdd8193b8208f912157047ae97416620900b2fb1fbbab819edd
SSDEEP

196608:XIHhCuQfOiZWD/ylAu96GZDd1GmtD0z1rDS/7eDvgrST:mhCuQOwAjGVXGmp0xr87J

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

85.105.15.233:5555

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 15 IoCs

resource	yara_rule
behavioral6/files/0x000a00000001202e-4.dat	family_xworm
behavioral6/memory/1748-13-0x0000000001200000-0x000000000123E000-memory.dmp	family_xworm
behavioral6/memory/3068-53-0x0000000000970000-0x00000000009AE000-memory.dmp	family_xworm
behavioral6/memory/924-56-0x0000000000C60000-0x0000000000C9E000-memory.dmp	family_xworm
behavioral6/memory/1044-58-0x0000000001020000-0x000000000105E000-memory.dmp	family_xworm
behavioral6/memory/2548-60-0x0000000000170000-0x00000000001AE000-memory.dmp	family_xworm
behavioral6/memory/2408-62-0x0000000000D60000-0x0000000000D9E000-memory.dmp	family_xworm
behavioral6/memory/1660-64-0x0000000001220000-0x000000000125E000-memory.dmp	family_xworm
behavioral6/memory/1672-66-0x0000000000150000-0x000000000018E000-memory.dmp	family_xworm
behavioral6/memory/264-68-0x0000000000110000-0x000000000014E000-memory.dmp	family_xworm
behavioral6/memory/1560-70-0x0000000000C30000-0x0000000000C6E000-memory.dmp	family_xworm
behavioral6/memory/264-76-0x00000000000A0000-0x00000000000DE000-memory.dmp	family_xworm
behavioral6/memory/2528-78-0x0000000001170000-0x00000000011AE000-memory.dmp	family_xworm
behavioral6/memory/1308-81-0x0000000001260000-0x000000000129E000-memory.dmp	family_xworm
behavioral6/memory/672-84-0x0000000001360000-0x000000000139E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe
2756	powershell.exe
2884	powershell.exe
2596	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk	LocalgpXAJOk_AK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk	LocalgpXAJOk_AK.exe

Executes dropped EXE 22 IoCs

pid	Process
1748	LocalgpXAJOk_AK.exe
2212	LocalnrIszSVIvh.exe
3068	Appinfo
924	Appinfo
1044	Appinfo
2548	Appinfo
2408	Appinfo
1660	Appinfo
1672	Appinfo
264	Appinfo
1560	Appinfo
2688	Appinfo
2352	Appinfo
568	Appinfo
2196	Appinfo
264	Appinfo
2528	Appinfo
2184	Appinfo
1308	Appinfo
568	Appinfo
672	Appinfo
2492	Appinfo

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Appinfo = "C:\\ProgramData\\Appinfo"	LocalgpXAJOk_AK.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2212	LocalnrIszSVIvh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1120	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1748	LocalgpXAJOk_AK.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2212	LocalnrIszSVIvh.exe
2756	powershell.exe
2884	powershell.exe
2596	powershell.exe
2508	powershell.exe
1748	LocalgpXAJOk_AK.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	LocalgpXAJOk_AK.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1748	LocalgpXAJOk_AK.exe
Token: SeDebugPrivilege	3068	Appinfo
Token: SeDebugPrivilege	924	Appinfo
Token: SeDebugPrivilege	1044	Appinfo
Token: SeDebugPrivilege	2548	Appinfo
Token: SeDebugPrivilege	2408	Appinfo
Token: SeDebugPrivilege	1660	Appinfo
Token: SeDebugPrivilege	1672	Appinfo
Token: SeDebugPrivilege	264	Appinfo
Token: SeDebugPrivilege	1560	Appinfo
Token: SeDebugPrivilege	2688	Appinfo
Token: SeDebugPrivilege	2352	Appinfo
Token: SeDebugPrivilege	568	Appinfo
Token: SeDebugPrivilege	2196	Appinfo
Token: SeDebugPrivilege	264	Appinfo
Token: SeDebugPrivilege	2528	Appinfo
Token: SeDebugPrivilege	2184	Appinfo
Token: SeDebugPrivilege	1308	Appinfo
Token: SeDebugPrivilege	568	Appinfo
Token: SeDebugPrivilege	672	Appinfo
Token: SeDebugPrivilege	2492	Appinfo

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1748	LocalgpXAJOk_AK.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1748	1736	DxHax.exe	29
PID 1736 wrote to memory of 1748	1736	DxHax.exe	29
PID 1736 wrote to memory of 1748	1736	DxHax.exe	29
PID 1736 wrote to memory of 2212	1736	DxHax.exe	30
PID 1736 wrote to memory of 2212	1736	DxHax.exe	30
PID 1736 wrote to memory of 2212	1736	DxHax.exe	30
PID 1736 wrote to memory of 2212	1736	DxHax.exe	30
PID 1748 wrote to memory of 2756	1748	LocalgpXAJOk_AK.exe	32
PID 1748 wrote to memory of 2756	1748	LocalgpXAJOk_AK.exe	32
PID 1748 wrote to memory of 2756	1748	LocalgpXAJOk_AK.exe	32
PID 1748 wrote to memory of 2884	1748	LocalgpXAJOk_AK.exe	34
PID 1748 wrote to memory of 2884	1748	LocalgpXAJOk_AK.exe	34
PID 1748 wrote to memory of 2884	1748	LocalgpXAJOk_AK.exe	34
PID 1748 wrote to memory of 2596	1748	LocalgpXAJOk_AK.exe	36
PID 1748 wrote to memory of 2596	1748	LocalgpXAJOk_AK.exe	36
PID 1748 wrote to memory of 2596	1748	LocalgpXAJOk_AK.exe	36
PID 1748 wrote to memory of 2508	1748	LocalgpXAJOk_AK.exe	38
PID 1748 wrote to memory of 2508	1748	LocalgpXAJOk_AK.exe	38
PID 1748 wrote to memory of 2508	1748	LocalgpXAJOk_AK.exe	38
PID 1748 wrote to memory of 1120	1748	LocalgpXAJOk_AK.exe	40
PID 1748 wrote to memory of 1120	1748	LocalgpXAJOk_AK.exe	40
PID 1748 wrote to memory of 1120	1748	LocalgpXAJOk_AK.exe	40
PID 2192 wrote to memory of 3068	2192	taskeng.exe	43
PID 2192 wrote to memory of 3068	2192	taskeng.exe	43
PID 2192 wrote to memory of 3068	2192	taskeng.exe	43
PID 2192 wrote to memory of 924	2192	taskeng.exe	44
PID 2192 wrote to memory of 924	2192	taskeng.exe	44
PID 2192 wrote to memory of 924	2192	taskeng.exe	44
PID 2192 wrote to memory of 1044	2192	taskeng.exe	45
PID 2192 wrote to memory of 1044	2192	taskeng.exe	45
PID 2192 wrote to memory of 1044	2192	taskeng.exe	45
PID 2192 wrote to memory of 2548	2192	taskeng.exe	46
PID 2192 wrote to memory of 2548	2192	taskeng.exe	46
PID 2192 wrote to memory of 2548	2192	taskeng.exe	46
PID 2192 wrote to memory of 2408	2192	taskeng.exe	47
PID 2192 wrote to memory of 2408	2192	taskeng.exe	47
PID 2192 wrote to memory of 2408	2192	taskeng.exe	47
PID 2192 wrote to memory of 1660	2192	taskeng.exe	48
PID 2192 wrote to memory of 1660	2192	taskeng.exe	48
PID 2192 wrote to memory of 1660	2192	taskeng.exe	48
PID 2192 wrote to memory of 1672	2192	taskeng.exe	49
PID 2192 wrote to memory of 1672	2192	taskeng.exe	49
PID 2192 wrote to memory of 1672	2192	taskeng.exe	49
PID 2192 wrote to memory of 264	2192	taskeng.exe	50
PID 2192 wrote to memory of 264	2192	taskeng.exe	50
PID 2192 wrote to memory of 264	2192	taskeng.exe	50
PID 2192 wrote to memory of 1560	2192	taskeng.exe	51
PID 2192 wrote to memory of 1560	2192	taskeng.exe	51
PID 2192 wrote to memory of 1560	2192	taskeng.exe	51
PID 2192 wrote to memory of 2688	2192	taskeng.exe	52
PID 2192 wrote to memory of 2688	2192	taskeng.exe	52
PID 2192 wrote to memory of 2688	2192	taskeng.exe	52
PID 2192 wrote to memory of 2352	2192	taskeng.exe	53
PID 2192 wrote to memory of 2352	2192	taskeng.exe	53
PID 2192 wrote to memory of 2352	2192	taskeng.exe	53
PID 2192 wrote to memory of 568	2192	taskeng.exe	54
PID 2192 wrote to memory of 568	2192	taskeng.exe	54
PID 2192 wrote to memory of 568	2192	taskeng.exe	54
PID 2192 wrote to memory of 2196	2192	taskeng.exe	55
PID 2192 wrote to memory of 2196	2192	taskeng.exe	55
PID 2192 wrote to memory of 2196	2192	taskeng.exe	55
PID 2192 wrote to memory of 264	2192	taskeng.exe	56
PID 2192 wrote to memory of 264	2192	taskeng.exe	56
PID 2192 wrote to memory of 264	2192	taskeng.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
  "C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LocalgpXAJOk_AK.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Appinfo'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Appinfo'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Appinfo" /tr "C:\ProgramData\Appinfo"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1120
- C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
  "C:\Users\Admin\AppData\LocalnrIszSVIvh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2212

C:\Windows\system32\taskeng.exe
taskeng.exe {3320FAE9-8169-4A5B-A5C9-C81B317D5FC4} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\ProgramData\Appinfo
  C:\ProgramData\Appinfo
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe

Filesize
227KB

MD5
78563d0035e1efbd4893ebfe5c531dd2

SHA1
422a139897211fb59d72e575854b266f7ce85e7c

SHA256
3a4d442da6508560c48369d1e388ca9a6d4b71d1884fe2aa267b66f7da8f26e8

SHA512
d0562d9f5985334f081933bcf1b608b012a93149c8b022b3bae95004ef2aabe46c245043338ddf97ff2c82e0848152278617c0e675609676128c98de61991b54

Download Submit
C:\Users\Admin\AppData\LocalnrIszSVIvh.exe

Filesize
8.6MB

MD5
c9e5ab8a4ca9c024a9c7ee2928589a9f

SHA1
e3e9efcb92add817b599d60716e3145adfc68326

SHA256
db335459f68b4764704a113a44ad3dea7d1c97b868e2f59548ceb83af835f842

SHA512
378f9e5ecf3be4e00d6fa08fef576641be5dd881fe5c19363160f1e0adfef6be1ba6bce6cccb2cff0e9b9a36a819799908bd67e8c58edeeaf3c5b0362e380341

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HZMR1QO0QLXXLQJ21O2W.temp

Filesize
7KB

MD5
369591d65ab09426513f4b7bf41323dc

SHA1
81497ea6c0ab0740cff87bc58548deae0d58ac16

SHA256
2ae69b6017142da203049e9ed57e74a9e6379f7772a4f99a196f278fbbc14ed3

SHA512
ddce5ec0e90f524cbc96fb2e77b503ed4baca8873c1ab25e6de9b8516fb7cd4c9a4086cb79bc564d4c94b4b8707714b28558fe324aff7d1303615fe571be4092

Download Submit
memory/264-76-0x00000000000A0000-0x00000000000DE000-memory.dmp

Filesize
248KB

Download
memory/264-68-0x0000000000110000-0x000000000014E000-memory.dmp

Filesize
248KB

Download
memory/672-84-0x0000000001360000-0x000000000139E000-memory.dmp

Filesize
248KB

Download
memory/924-56-0x0000000000C60000-0x0000000000C9E000-memory.dmp

Filesize
248KB

Download
memory/1044-58-0x0000000001020000-0x000000000105E000-memory.dmp

Filesize
248KB

Download
memory/1308-81-0x0000000001260000-0x000000000129E000-memory.dmp

Filesize
248KB

Download
memory/1560-70-0x0000000000C30000-0x0000000000C6E000-memory.dmp

Filesize
248KB

Download
memory/1660-64-0x0000000001220000-0x000000000125E000-memory.dmp

Filesize
248KB

Download
memory/1672-66-0x0000000000150000-0x000000000018E000-memory.dmp

Filesize
248KB

Download
memory/1736-0-0x000007FEF58BE000-0x000007FEF58BF000-memory.dmp

Filesize
4KB

Download
memory/1736-12-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/1736-49-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/1748-13-0x0000000001200000-0x000000000123E000-memory.dmp

Filesize
248KB

Download
memory/2212-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2212-14-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2212-19-0x0000000000400000-0x000000000169A000-memory.dmp

Filesize
18.6MB

Download
memory/2212-18-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2408-62-0x0000000000D60000-0x0000000000D9E000-memory.dmp

Filesize
248KB

Download
memory/2528-78-0x0000000001170000-0x00000000011AE000-memory.dmp

Filesize
248KB

Download
memory/2548-60-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/2756-26-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2756-27-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2884-33-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2884-34-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/3068-53-0x0000000000970000-0x00000000009AE000-memory.dmp

Filesize
248KB

Download