xworm | bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9IDU7463.exe
Size

971KB
MD5

26efc684ddd0782b295a6ee4a76e3256
SHA1

08cc73ef5c1b02e09765181a5acee1a7018dcffc
SHA256

bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab
SHA512

20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49
SSDEEP

24576:5tVd1nnqxDvo1QtHCX1LcsRt0ni/V27INjQL:5tVDnquatHCX1Lcs422kpQL

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00130000000054a9-54.dat	family_xworm
behavioral1/memory/1544-56-0x0000000000030000-0x0000000000052000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1792	powershell.exe
2240	powershell.exe
1828	powershell.exe
2352	powershell.exe
2148	powershell.exe
1596	powershell.exe

Deletes itself 1 IoCs

pid	Process
2444	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe

Executes dropped EXE 3 IoCs

pid	Process
2108	Client Server Runtime Process.exe
752	Windows Security.exe
1544	Windows Security Notification.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\malware builder = "C:\\Users\\Admin\\AppData\\Roaming\\malware builder"	Windows Security Notification.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe
File opened for modification	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1224	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1544	Windows Security Notification.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2436	c9IDU7463.exe
2436	c9IDU7463.exe
2436	c9IDU7463.exe
2240	powershell.exe
1828	powershell.exe
2056	powershell.exe
3000	powershell.exe
2352	powershell.exe
2148	powershell.exe
1596	powershell.exe
1792	powershell.exe
1544	Windows Security Notification.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	c9IDU7463.exe
Token: SeBackupPrivilege	2132	vssvc.exe
Token: SeRestorePrivilege	2132	vssvc.exe
Token: SeAuditPrivilege	2132	vssvc.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2108	Client Server Runtime Process.exe
Token: SeDebugPrivilege	2108	Client Server Runtime Process.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1544	Windows Security Notification.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1544	Windows Security Notification.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1544	Windows Security Notification.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2240	2436	c9IDU7463.exe	34
PID 2436 wrote to memory of 2240	2436	c9IDU7463.exe	34
PID 2436 wrote to memory of 2240	2436	c9IDU7463.exe	34
PID 2436 wrote to memory of 1828	2436	c9IDU7463.exe	36
PID 2436 wrote to memory of 1828	2436	c9IDU7463.exe	36
PID 2436 wrote to memory of 1828	2436	c9IDU7463.exe	36
PID 2436 wrote to memory of 2444	2436	c9IDU7463.exe	40
PID 2436 wrote to memory of 2444	2436	c9IDU7463.exe	40
PID 2436 wrote to memory of 2444	2436	c9IDU7463.exe	40
PID 2444 wrote to memory of 1224	2444	cmd.exe	42
PID 2444 wrote to memory of 1224	2444	cmd.exe	42
PID 2444 wrote to memory of 1224	2444	cmd.exe	42
PID 2032 wrote to memory of 2108	2032	taskeng.exe	43
PID 2032 wrote to memory of 2108	2032	taskeng.exe	43
PID 2032 wrote to memory of 2108	2032	taskeng.exe	43
PID 2108 wrote to memory of 2056	2108	Client Server Runtime Process.exe	44
PID 2108 wrote to memory of 2056	2108	Client Server Runtime Process.exe	44
PID 2108 wrote to memory of 2056	2108	Client Server Runtime Process.exe	44
PID 2108 wrote to memory of 752	2108	Client Server Runtime Process.exe	46
PID 2108 wrote to memory of 752	2108	Client Server Runtime Process.exe	46
PID 2108 wrote to memory of 752	2108	Client Server Runtime Process.exe	46
PID 752 wrote to memory of 3000	752	Windows Security.exe	47
PID 752 wrote to memory of 3000	752	Windows Security.exe	47
PID 752 wrote to memory of 3000	752	Windows Security.exe	47
PID 752 wrote to memory of 1544	752	Windows Security.exe	49
PID 752 wrote to memory of 1544	752	Windows Security.exe	49
PID 752 wrote to memory of 1544	752	Windows Security.exe	49
PID 1544 wrote to memory of 2352	1544	Windows Security Notification.exe	50
PID 1544 wrote to memory of 2352	1544	Windows Security Notification.exe	50
PID 1544 wrote to memory of 2352	1544	Windows Security Notification.exe	50
PID 1544 wrote to memory of 2148	1544	Windows Security Notification.exe	52
PID 1544 wrote to memory of 2148	1544	Windows Security Notification.exe	52
PID 1544 wrote to memory of 2148	1544	Windows Security Notification.exe	52
PID 1544 wrote to memory of 1596	1544	Windows Security Notification.exe	54
PID 1544 wrote to memory of 1596	1544	Windows Security Notification.exe	54
PID 1544 wrote to memory of 1596	1544	Windows Security Notification.exe	54
PID 1544 wrote to memory of 1792	1544	Windows Security Notification.exe	56
PID 1544 wrote to memory of 1792	1544	Windows Security Notification.exe	56
PID 1544 wrote to memory of 1792	1544	Windows Security Notification.exe	56
PID 1544 wrote to memory of 2836	1544	Windows Security Notification.exe	58
PID 1544 wrote to memory of 2836	1544	Windows Security Notification.exe	58
PID 1544 wrote to memory of 2836	1544	Windows Security Notification.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
"C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client Server Runtime Process.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD079.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\taskeng.exe
taskeng.exe {A54C3C24-CC1C-4596-A0A6-9A2887C56A43} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System32\Client Server Runtime Process.exe
  "C:\Windows\System32\Client Server Runtime Process.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAZQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAegB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQBuACMAPgA="
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Notification.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\malware builder'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'malware builder'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe

Filesize
114KB

MD5
d59bcf447ab9a90d1c6e9701d85d5700

SHA1
c7eff0f1d56e71a601cff1e161879ea520886a32

SHA256
50738407f70e37470182a0da6b44e78eb9cd2be3f7c43e066ea85f92388c79ae

SHA512
4a33de1700a6740c354d79b6e2f706dbc924805b6c8aae03d68cf17427e52a58e65a177622266f4d4e9d0d0904d8ab7a55af2576d555bcc5868b9084730e7180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
164KB

MD5
9efb0ca4f150666bedbc6ef91e0e6f4b

SHA1
13b140227e709d3a534d4158111c9256b14474b3

SHA256
5ff4fc5985d8d9877dd5b4abe081ee91681b187e99a466b802a8795fd9e500ab

SHA512
7e16155776a1431eda8da3b2fe134b52863c0917170dc64ded710c5133705a0c019c930f696d5972a0a63270f59900cfca4b776631c0b5442c62696db4f7ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD079.tmp.bat

Filesize
161B

MD5
85b198e0ceb42e8889a3431ab462862b

SHA1
2e8fd589d5f90ec3c2f245ef110da367ea79f2bb

SHA256
a386e2faba834a3fcbc453b9a7b7052172bafe7d4cd896a7d5afc34c3ed54a21

SHA512
883a102def4f360e5ced0933783ed583898b212a6d33d6b5aaabbc66614304862a1da526bcf1b77a3bdb7f36e3c9611d2aa83fe4d15e1fce0c4207a5464095b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4f0e7ccd703c3fcd69deb7430a7c1ad4

SHA1
546d29162a2049e0f303e49e868d87bbf28c966b

SHA256
07267bdd7040491adeba7359298e6d2f7705e9fb26e3e2efcac128232f071d99

SHA512
d2429c6a250fda52ead3db49b5a510b0d09387c9bcee2d57a8c83d7c2a3d05dbf21d890cf42d700b328f4c971f9b5a51d57d7be0691c041e186b80397accb129

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c61513dd7527e37e9c087a0f88fe04d1

SHA1
75eb2a959cd1a856578d528c0ccca2000dc17d96

SHA256
a5db6933d1889f0918ce2cbda2d90fc59b4848f59752f24c6673ec75cb10fa60

SHA512
9bcab283524db58c9b6ded3d18e48fe2d1ef29477d944e34335fda580b336f1a73638e8d61d2aa4dfbf70444fa1feebb10ead0f33178ff939abe09a0ec9667c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb9d70b4fd0ab956e11225408571ddf0

SHA1
14e11e12a44378d612e185152a967ede6e9644c5

SHA256
3c98d1e70f6d4a487698324a5225295e790ccc636a694fba48406610023e287c

SHA512
ad775e101034601d1a26b3ed6f5a231409befced88adf51c5bc3fb34e6cf346f96d0953f012d69d7c7cb712cf4c48412be9254d9a389d806e6be9b63bd1a0d33

Download Submit
C:\Windows\System32\Client Server Runtime Process.exe

Filesize
971KB

MD5
26efc684ddd0782b295a6ee4a76e3256

SHA1
08cc73ef5c1b02e09765181a5acee1a7018dcffc

SHA256
bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

SHA512
20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49

Download Submit
memory/752-40-0x0000000000AF0000-0x0000000000B1E000-memory.dmp

Filesize
184KB

Download
memory/1544-56-0x0000000000030000-0x0000000000052000-memory.dmp

Filesize
136KB

Download
memory/1828-14-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/1828-15-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2108-32-0x0000000000220000-0x000000000031A000-memory.dmp

Filesize
1000KB

Download
memory/2108-33-0x000000001AD70000-0x000000001AE38000-memory.dmp

Filesize
800KB

Download
memory/2108-34-0x0000000000320000-0x000000000035C000-memory.dmp

Filesize
240KB

Download
memory/2148-69-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2240-8-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2240-7-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2352-63-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2436-28-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2436-19-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-1-0x0000000000270000-0x000000000036A000-memory.dmp

Filesize
1000KB

Download
memory/2436-18-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download