stormkitty | 8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523

Analysis

max time kernel
149s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17-08-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

llllll.exe
Size

156KB
MD5

aa50dea32c4398f49128d5b903a38aef
SHA1

cca7429109dd0e0d2d7f046a6af4ff40773d6722
SHA256

8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523
SHA512

6ae2342df6fd7f0b70562b40d608f5f0c8b2230715934adff39ddae01ff7c0cfa9e78bf4261df473a73ad71cdea963d08ce36b919a5ca0f3a264af32eb5795c9
SSDEEP

3072:NUWIAXFeSQ0oMfYMp2fCoeq63ychNeGQVm3Q4x4+VQ6s:NdIuppY6sdeZywNeGC4xI

Score

10^/10

stormkitty xworm collection credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.0

sites-sing.gl.at.ply.gg:6789

Mutex

hsYEUqkLaSySRVeL

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000002a057-6.dat	family_xworm
behavioral1/memory/4112-22-0x0000000000B60000-0x0000000000B70000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000002aaef-24.dat	family_stormkitty
behavioral1/memory/4504-30-0x0000000000820000-0x0000000000876000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3716	powershell.exe
1572	powershell.exe
724	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
4112	svchost.exe
4504	zzzz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Downloads\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\Saved Pictures\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\Camera Roll\desktop.ini	zzzz.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	freegeoip.app
5	api.ipify.org
7	freegeoip.app
8	ip-api.com
34	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	zzzz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	zzzz.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
4504	zzzz.exe
3716	powershell.exe
3716	powershell.exe
1572	powershell.exe
1572	powershell.exe
724	powershell.exe
724	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	svchost.exe
Token: SeDebugPrivilege	4504	zzzz.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeDebugPrivilege	4112	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 4112	2684	llllll.exe	82
PID 2684 wrote to memory of 4112	2684	llllll.exe	82
PID 2684 wrote to memory of 4504	2684	llllll.exe	83
PID 2684 wrote to memory of 4504	2684	llllll.exe	83
PID 2684 wrote to memory of 4504	2684	llllll.exe	83
PID 4112 wrote to memory of 3716	4112	svchost.exe	85
PID 4112 wrote to memory of 3716	4112	svchost.exe	85
PID 4112 wrote to memory of 1572	4112	svchost.exe	87
PID 4112 wrote to memory of 1572	4112	svchost.exe	87
PID 4112 wrote to memory of 724	4112	svchost.exe	89
PID 4112 wrote to memory of 724	4112	svchost.exe	89

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

C:\Users\Admin\AppData\Local\Temp\llllll.exe
"C:\Users\Admin\AppData\Local\Temp\llllll.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:724
- C:\Users\Admin\AppData\Local\Temp\zzzz.exe
  "C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n310r2tx.g2e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
35KB

MD5
90feaeac1ed833652f5267124acd8293

SHA1
ba3fa9aa1c28e54d712bf8766234410d56494859

SHA256
a9ad869209d1344ab64479f2f1557291b97358451a4aa6d32da2f570de02851b

SHA512
0b29579c520bd59fddb14e50c2f4c7ab407ee6177cc2682461c1308f78bacfc151b5d3fc16c2b5b566fca40fdba683cf403b7efaa23fe3b9b5efec1ad0568042

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzzz.exe

Filesize
320KB

MD5
de4824c195cf1b2bb498511ef461e49b

SHA1
f15ca6d0e02c785cce091dbd716cd43e3f5a80bd

SHA256
51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209

SHA512
b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Desktop\BackupOptimize.html

Filesize
767KB

MD5
ab35baaf61d9ce9807adbc738a8c81ad

SHA1
3a6bdc74ff0f65d8200797d40c3fb128f403048c

SHA256
c876bba4111af795f85a150baedc28639466cffd5cb5034316a5080cfdcd988e

SHA512
2af996ce434a75452ea03415d93810e3d6ae4f99261b8c51f53449e7b6a90a0c43e1b3016a9b2a8bd70f32b9a730259f1dad8fd2a531a12ca2826e3cea271704

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Desktop\ClearRedo.rtf

Filesize
938KB

MD5
fb15895a56d7db04c964807d1b92a0cc

SHA1
76bcc9191b451e0c208298ad93981d05505e4fd5

SHA256
7192e2df6cef10cc961941f7839771cdcd68b91f42b8badaeb425a7ef74711e2

SHA512
5054efcef298b8bc6e8c92b5a031f9f763196afdbab5fbb2684a6e7f19f8d90cd5a7896d33cc2648d7f5f0b2ff31960d6a9131b75c70b27ff5a0da998374988a

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Documents\CompareFormat.xls

Filesize
1.5MB

MD5
c96fe54ec6643ab07909a470650f0bae

SHA1
fa3ba0ef1722a0b091768a9bd49828b6ed7eb600

SHA256
f7c5cbe52a0356affa83ed4bdf213311438540d0932a9e627b446cead27f7203

SHA512
e2d66eaf819bab7aeebd874a0e072a5ebde2ad1be1a48596e3972344bc2fb03dececefbd35a667ff90b3b139bbb32b8e7d19e98e43a1124bb2ea90718bf21a86

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Downloads\DebugConvertFrom.rtf

Filesize
611KB

MD5
901be9f307c00c8fb37b4e5e62435f45

SHA1
9fedffeafb4f4b5009edb96eacba4bcc4754220a

SHA256
03903c6ecf72c3bee185427170a8aa2fdd15f5a864cdbcfc30ba5f42201c618b

SHA512
1856b1e894391e14332582753856e80db66fa2c038b2cf41039a0971bbef8cc79ba6482cffe16807c8dbf65063cdacb9a197e0efd91aac7b7700700bc36dc390

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Downloads\LimitApprove.pdf

Filesize
570KB

MD5
0e2f98fb5db86680616609808b8eb3a7

SHA1
7a5212d446cf1af6fa1194ca99c77bfd0cefe19a

SHA256
c0913a3c22e67375889ba2e5415273cb417482a93ee87a982ea100b6ebc0751d

SHA512
a095e1d218a7362469beba6eca74dd1b55251e945150d0537d523cc9da3b30c42a71a552886c4a8f975a298016611810bdc4a12db753c67c33932cb7c66fc61a

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Downloads\MergeReceive.bmp

Filesize
774KB

MD5
eea412c37b56594c90dacd1c9a7dbf22

SHA1
1035e2aca1c82d12cb9078fb4b270fd7fdd01584

SHA256
3c3de7cbbc5819dc2686c412fe6eadecce527d76a689715dd131c79eff92320c

SHA512
55cf6272cb640fea23ba94e0d97c0f611070047acfbaa90b08ce4d1c0c7754de0dac8b7e1d29b7096208843dab9f2f89c79d2a274ba2c89c7b81dcaa2e88f39b

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\FindConnect.jpg

Filesize
234KB

MD5
5882078b25d2b68587d727a23f7105ec

SHA1
6af40a9125c6d42228dad7d723b8148c45ed12de

SHA256
b1602e22ac59993aa92ea18fd8751a5f15379c3e156f59ceabbf98f7ab47814c

SHA512
e1ca3bae013185a0fcd983c72058871a16db3b7191bba649d45200263979c927f09aadc9d77a49af742571ded4d0c1291f4c33cca48b9931e33e79761e098c09

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\ReceiveEnable.jpeg

Filesize
211KB

MD5
b76561855f3cdb932d41c25bde0afd7e

SHA1
a18dca64155f3a631d09176628da4c3663cacb83

SHA256
f84bf83635c570a241971b70445544cf8ff3d7104ea768c5e0841d56824787bb

SHA512
1c156c1519152ccc5e8ae7176811141fb859fd74c84f010196fb8121b96e5f43d3e1804dd93182146e535709e7348b75c86c8d46665c9b799594b7ad6b8ef42d

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\RedoMove.jpg

Filesize
262KB

MD5
cff1f9cee049e91376838ba3e56c6fe0

SHA1
875418bfb64f6bcb653b9f6b174cfa1a242ddcc9

SHA256
320222905b17077e1828092fa4e61d67d15c7fd5cb75abf00bb6164103c5642c

SHA512
439ebd25a14ec6daf8cb749981efef43939f69b6944b0e2cd659e6d59639978fa6d36d1129415ecea1fdad5bdb4dbb3346757f344c6893ac3cf60e1dfee19336

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\UseCompress.png

Filesize
132KB

MD5
bce9a2a73c508af15bbe2e83e3c74f81

SHA1
38c8bfefe8deb75542ef370de8bbb25043b1bfe4

SHA256
ab7a2b5e6c48cff3218f234c3f31ef4b64952e14632ff6702982f9a66236706a

SHA512
bfe566b1f259b956256cfd3984e5ce05333c84f0da01c4157e785731b90d5b269457ea8cdcdeaa2dd22b4cf1d1ccfc16376161290d6aa21dbe0c6a8cf87ccbee

Download Submit
C:\Users\Admin\AppData\Roaming\ASAAPRDB\Process.txt

Filesize
4KB

MD5
575768b92bb5c9f41410b05ae94046f3

SHA1
cbc694fb1efe08212249b1363dfdea112e6927a1

SHA256
17ceaf3032c01ebdbdff98fc3063df35675443890b32973b34d2287371e3872a

SHA512
44360f25f6999b96acfd51f67dc3c5373b47b595cb74a1497e12e3bbad84388f2fa8ecb0edab10890e2d2ce8a2c354439005d28570c62d8409fc4d9e13a5067d

Download Submit
memory/2684-10-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download
memory/2684-27-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download
memory/2684-0-0x00007FF8A6D53000-0x00007FF8A6D55000-memory.dmp

Filesize
8KB

Download
memory/2684-1-0x0000000000B40000-0x0000000000B6E000-memory.dmp

Filesize
184KB

Download
memory/3716-139-0x000002AECBA40000-0x000002AECBA62000-memory.dmp

Filesize
136KB

Download
memory/4112-22-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/4112-191-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download
memory/4112-28-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download
memory/4504-30-0x0000000000820000-0x0000000000876000-memory.dmp

Filesize
344KB

Download
memory/4504-198-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/4504-29-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/4504-52-0x0000000006650000-0x00000000066E2000-memory.dmp

Filesize
584KB

Download
memory/4504-55-0x0000000006A40000-0x0000000006AA6000-memory.dmp

Filesize
408KB

Download
memory/4504-53-0x0000000006CA0000-0x0000000007246000-memory.dmp

Filesize
5.6MB

Download