xworm | ce410544a8c50321cbb0fa4fa0f903ec927f4d6d173d09bc37aa54ad5c7ad49e

Analysis

max time kernel
2016s
max time network
2692s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lol.exe
Size

34KB
MD5

4d42d6e6cd742d5ceb230cc03bd68ddb
SHA1

febe5e6fdb4cf23e32015bd8c51e6c8af9e95d05
SHA256

ce410544a8c50321cbb0fa4fa0f903ec927f4d6d173d09bc37aa54ad5c7ad49e
SHA512

f1bcd03c98ad29234cf0f1adb805083bd77e718b0eeb9f0806b9a4eb6265356e1ef3967b45f4f5b6e918a06db9a5d78a26724421dedb03e70201a7b261c7cc42
SSDEEP

384:tVxu9qBOae6oK/I7Z9plUzO7LMecZ9CZpbW3tXe3qXR8pkFXBLTIZwYGzcvw9IkF:rxuaUJRnpcZ96pbWx9FV9jhNOjhd/4H

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

lefferek-42016.portmap.host:61672

budget-compiled.gl.at.ply.gg:61672

Mutex

ANnWPu8LZzU6MzOM

Attributes

Install_directory
%AppData%
install_file
DiscordClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4800-1-0x00000000009F0000-0x00000000009FE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk	lol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk	lol.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5016	msedge.exe
5016	msedge.exe
5076	msedge.exe
5076	msedge.exe
3780	identity_helper.exe
3780	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4800	lol.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	lol.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3492	5076	msedge.exe	94
PID 5076 wrote to memory of 3492	5076	msedge.exe	94
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 3688	5076	msedge.exe	95
PID 5076 wrote to memory of 5016	5076	msedge.exe	96
PID 5076 wrote to memory of 5016	5076	msedge.exe	96
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97
PID 5076 wrote to memory of 1980	5076	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\lol.exe
"C:\Users\Admin\AppData\Local\Temp\lol.exe"
1⤵
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffbba546f8,0x7fffbba54708,0x7fffbba54718
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3047929475031560520,10598867602276639167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:3336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c8c0ada980c2f050d8f8fb7dbe107441

SHA1
6eba43c2a8c7164c404bc1f66030f2d59529fe3c

SHA256
de3bf760418d23ba608bfe4d08fd933a0b973262f840bb569cdd991f6cf48a32

SHA512
42562c8f8590a592773986ef5ac7cd6d22c911f4f4028d1970bb6452828d9089395cf2e7f502c96b48e01d3afbbee3e4b1054dcd4d8338e554b3c7c8f7b31ad8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
461e313ec80b68136c4da7461e82dc43

SHA1
ccb535bdfe80430c1e824cca6c80b22b09696028

SHA256
9ab05661cfb160d45c364c0394b61320912be09b3f80015679e4dcd6e937b2db

SHA512
049d7b14b061431917c0b80bce075c1ad27e101326af20abb82ff624ac54ecbab150a808b7b40eb015c27fa6d270cc116c989b8a01aeb62e249d703619c722bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e62c5d9ecffcb58e99fd06d16b22b21e

SHA1
18577c12dc0c9d00707115fab5e0c6b2ee3ca5e5

SHA256
4daa1041cf4a92a2cc5dddd43eaa5d594abef6d901f86a61b82c75a116dc7d9a

SHA512
1bb3397c7ea053ea11d9d2997faeb397314e40eaff7915454f43491ec1f18f39589eb3901f04d2cd80b80c0496f0862e9aa34fa0c9e222158c972375b48cca54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b8542190916ea5270e3c012a23a23974

SHA1
6f505d0e9c71d69e3d55586f264fb1645f8ae309

SHA256
699fcd9da96b1fbe27566efca756f8db6968607c9c747d18747ca9b9eb3e03c2

SHA512
2ed51bfb7e0a088143a2f5b500448ba87fbc40342ddadacb90fe670f7d7a898a44d722ebb3cd62c2da018918996341ca1a46ad686b9138a2fb20bd643257f9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18b98de8d4d634f60730490a014fa948

SHA1
010bc526731d5091e62c6b3f7fb979b4ea0b8874

SHA256
a9ddd364e612873924a8054884c2f6c6073be668e21b11e2ebaf27ebdd326ddb

SHA512
d1f3632e581aadacd3f555d15c532dd89121b0c0fc9e285c72c4bb9186b3fd22d4aa2507b60b7303eeaae9d9dab6e93dac5c13b57fd8c02df35cc6a32da15b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/4800-8-0x00007FFFAC7B0000-0x00007FFFAD271000-memory.dmp

Filesize
10.8MB

Download
memory/4800-7-0x00007FFFAC7B3000-0x00007FFFAC7B5000-memory.dmp

Filesize
8KB

Download
memory/4800-6-0x00007FFFAC7B0000-0x00007FFFAD271000-memory.dmp

Filesize
10.8MB

Download
memory/4800-0-0x00007FFFAC7B3000-0x00007FFFAC7B5000-memory.dmp

Filesize
8KB

Download
memory/4800-1-0x00000000009F0000-0x00000000009FE000-memory.dmp

Filesize
56KB

Download
memory/4800-143-0x0000000001190000-0x000000000119C000-memory.dmp

Filesize
48KB

Download