xworm | 41c4884469e65d8a57747a02a5e935d13e05a0c279ff4f9117cb5cbcc65fde73

Analysis

max time kernel
140s
max time network
146s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/11/2024, 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MR. OCTOPUS‌‌‌.exe
Size

61.4MB
MD5

16f4e4d66e5fdb5897af37ea7c067df9
SHA1

326468c89d4eeb4127e8db754f8bc738d3e6f3a7
SHA256

41c4884469e65d8a57747a02a5e935d13e05a0c279ff4f9117cb5cbcc65fde73
SHA512

4f81e5d182f8c49e4487b7782e283c2274ec27060b53cd1b56ec4ca8f14c25fb5e50158e7b5df6b3ced0fc6c896a01c63a5a84185349f900150cc89da9c88d06
SSDEEP

1572864:jFtdm5ugJDjavJqMV21ihlX1UZ9d34atoZyVr6aZNz:jFtdm5u0G61KBKZT3Qar6aH

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

146.190.110.91:3389

Attributes

Install_directory
%AppData%
install_file
smartscreen.exe
telegram
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000450b5-21.dat	family_xworm
behavioral1/memory/1588-37-0x0000000000190000-0x00000000001A8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4616	powershell.exe
708	powershell.exe
800	powershell.exe
1720	powershell.exe
2540	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	MR. OCTOPUS‌‌‌.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	smartscreen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smartscreen.lnk	smartscreen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smartscreen.lnk	smartscreen.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.lnk	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1956	MR. OCTOPUS.exe
1588	smartscreen.exe
3988	svchost.exe
4068	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MR. OCTOPUS.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2500	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4800	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1588	smartscreen.exe
4068	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
708	powershell.exe
708	powershell.exe
708	powershell.exe
800	powershell.exe
800	powershell.exe
800	powershell.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
2540	powershell.exe
2540	powershell.exe
2540	powershell.exe
1588	smartscreen.exe
1588	smartscreen.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe
1588	smartscreen.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1588	smartscreen.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	smartscreen.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: 33	1736	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1736	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	708	powershell.exe
Token: SeSecurityPrivilege	708	powershell.exe
Token: SeTakeOwnershipPrivilege	708	powershell.exe
Token: SeLoadDriverPrivilege	708	powershell.exe
Token: SeSystemProfilePrivilege	708	powershell.exe
Token: SeSystemtimePrivilege	708	powershell.exe
Token: SeProfSingleProcessPrivilege	708	powershell.exe
Token: SeIncBasePriorityPrivilege	708	powershell.exe
Token: SeCreatePagefilePrivilege	708	powershell.exe
Token: SeBackupPrivilege	708	powershell.exe
Token: SeRestorePrivilege	708	powershell.exe
Token: SeShutdownPrivilege	708	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeSystemEnvironmentPrivilege	708	powershell.exe
Token: SeRemoteShutdownPrivilege	708	powershell.exe
Token: SeUndockPrivilege	708	powershell.exe
Token: SeManageVolumePrivilege	708	powershell.exe
Token: 33	708	powershell.exe
Token: 34	708	powershell.exe
Token: 35	708	powershell.exe
Token: 36	708	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeIncreaseQuotaPrivilege	800	powershell.exe
Token: SeSecurityPrivilege	800	powershell.exe
Token: SeTakeOwnershipPrivilege	800	powershell.exe
Token: SeLoadDriverPrivilege	800	powershell.exe
Token: SeSystemProfilePrivilege	800	powershell.exe
Token: SeSystemtimePrivilege	800	powershell.exe
Token: SeProfSingleProcessPrivilege	800	powershell.exe
Token: SeIncBasePriorityPrivilege	800	powershell.exe
Token: SeCreatePagefilePrivilege	800	powershell.exe
Token: SeBackupPrivilege	800	powershell.exe
Token: SeRestorePrivilege	800	powershell.exe
Token: SeShutdownPrivilege	800	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeSystemEnvironmentPrivilege	800	powershell.exe
Token: SeRemoteShutdownPrivilege	800	powershell.exe
Token: SeUndockPrivilege	800	powershell.exe
Token: SeManageVolumePrivilege	800	powershell.exe
Token: 33	800	powershell.exe
Token: 34	800	powershell.exe
Token: 35	800	powershell.exe
Token: 36	800	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeIncreaseQuotaPrivilege	1720	powershell.exe
Token: SeSecurityPrivilege	1720	powershell.exe
Token: SeTakeOwnershipPrivilege	1720	powershell.exe
Token: SeLoadDriverPrivilege	1720	powershell.exe
Token: SeSystemProfilePrivilege	1720	powershell.exe
Token: SeSystemtimePrivilege	1720	powershell.exe
Token: SeProfSingleProcessPrivilege	1720	powershell.exe
Token: SeIncBasePriorityPrivilege	1720	powershell.exe
Token: SeCreatePagefilePrivilege	1720	powershell.exe
Token: SeBackupPrivilege	1720	powershell.exe
Token: SeRestorePrivilege	1720	powershell.exe
Token: SeShutdownPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeSystemEnvironmentPrivilege	1720	powershell.exe
Token: SeRemoteShutdownPrivilege	1720	powershell.exe
Token: SeUndockPrivilege	1720	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1588	smartscreen.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 1956	4124	MR. OCTOPUS‌‌‌.exe	87
PID 4124 wrote to memory of 1956	4124	MR. OCTOPUS‌‌‌.exe	87
PID 4124 wrote to memory of 1956	4124	MR. OCTOPUS‌‌‌.exe	87
PID 4124 wrote to memory of 1588	4124	MR. OCTOPUS‌‌‌.exe	88
PID 4124 wrote to memory of 1588	4124	MR. OCTOPUS‌‌‌.exe	88
PID 1588 wrote to memory of 708	1588	smartscreen.exe	91
PID 1588 wrote to memory of 708	1588	smartscreen.exe	91
PID 1588 wrote to memory of 800	1588	smartscreen.exe	99
PID 1588 wrote to memory of 800	1588	smartscreen.exe	99
PID 1588 wrote to memory of 1720	1588	smartscreen.exe	101
PID 1588 wrote to memory of 1720	1588	smartscreen.exe	101
PID 1588 wrote to memory of 2540	1588	smartscreen.exe	103
PID 1588 wrote to memory of 2540	1588	smartscreen.exe	103
PID 4124 wrote to memory of 3988	4124	MR. OCTOPUS‌‌‌.exe	106
PID 4124 wrote to memory of 3988	4124	MR. OCTOPUS‌‌‌.exe	106
PID 3988 wrote to memory of 4800	3988	svchost.exe	107
PID 3988 wrote to memory of 4800	3988	svchost.exe	107
PID 3988 wrote to memory of 4616	3988	svchost.exe	108
PID 3988 wrote to memory of 4616	3988	svchost.exe	108
PID 3988 wrote to memory of 4068	3988	svchost.exe	111
PID 3988 wrote to memory of 4068	3988	svchost.exe	111
PID 3988 wrote to memory of 4784	3988	svchost.exe	113
PID 3988 wrote to memory of 4784	3988	svchost.exe	113
PID 4784 wrote to memory of 2500	4784	cmd.exe	115
PID 4784 wrote to memory of 2500	4784	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MR. OCTOPUS‌‌‌.exe
"C:\Users\Admin\AppData\Local\Temp\MR. OCTOPUS‌‌‌.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\MR. OCTOPUS.exe
  "C:\Users\Admin\AppData\Local\Temp\MR. OCTOPUS.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Users\Admin\AppData\Roaming\smartscreen.exe
  "C:\Users\Admin\AppData\Roaming\smartscreen.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\smartscreen.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smartscreen.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\smartscreen.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smartscreen.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Service_Host:_Network_Setup_Service /tr "C:\Users\Admin\AppData\Local\Microsoft Corporation\svchost.exe" /st 08:44 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft Corporation'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4616
- - C:\Users\Admin\AppData\Local\Microsoft Corporation\svchost.exe
    "C:\Users\Admin\AppData\Local\Microsoft Corporation\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CB.tmp.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\system32\timeout.exe
      timeout 6
      4⤵
      Delays execution with timeout.exe
      PID:2500

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c 0x398
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
660B

MD5
631aa7b352bb697733b86bf28738ccca

SHA1
08ecaf07c7f1219401c3c3b13754579ac1f19797

SHA256
3e004976bae302cf7c53f5d15b5175eecb851bd4eb49a9b9365f716a6ee27523

SHA512
2b456313b5d85160f96abfb4d4190c629063842bd48afbd1c9f87cc0978b2f9e758d4922c977418221a2df361fd0687975ad0c7a1c1367d8ae813c153cd98747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b27493719bb91528bd7fdb4b71d1d6d

SHA1
50e5879d35d2895e48ec1a7b8eeb75cfe767d6c4

SHA256
279860eae0661649af64c434196d784d3c4f56aa690ffa2780fa81b055164da2

SHA512
d900fe86d90429ff17892e54c2689445ce58be036f6cba34311f54c827f8b2145bac0f9c193e4ad0ea4efb666b9477a790929b707095b5b1f38d86d336540cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95c91ba452838b627feeedfa0a7b0a18

SHA1
96e09cbbb6f6751b9b330e0d1acfb5b62e965adf

SHA256
059a7944e3340472f021df1740b1e7c420b29fa9e2423927d477952f3ed205ec

SHA512
3853d40326106c3e9c7fac34b46ae711f37e6b7bcbe5c351167ac398a0c00b93b76a259c719737e9c6afb66674934fcdfe0630628e9c81163f00633aacf5254c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
539e69283f0bffcfd0ce76efb830ee58

SHA1
6f64e6df322286bea102e0453bc334bc172e3502

SHA256
b9b5683ff44e7240b321fab2106fdc8871d60f828911d32fcc0cf1fecac24cec

SHA512
0c06ac8cf5e8a6e5c0706f00e35d33db151eef1cc32ff76c2f6fef5fb05da0377f0ae0e232e01eadb0c3c2167626bb1f276cc2f8e9e3e53bd44861b72da9fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ig2cqem.wug.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CB.tmp.cmd

Filesize
139B

MD5
9be7170cddccd66cbbab8c58b048c498

SHA1
7592f32fb596a04dbbf69d1b94af13471752bf1a

SHA256
5c2af0f1c0ec9d4c4f47912a2ede2500a45feb37c77fdd4eecc4f956aaadb90f

SHA512
d56a66925f75c2d2c7056fbfd554028e02f57fc668927c74139ef39c9679dbbb5f2878e43cf71b0bbdd4fbcaeaa3f5c450dc6b178e9caaed18fa08e675c4382b

Download Submit
C:\Users\Admin\AppData\Roaming\smartscreen.exe

Filesize
75KB

MD5
925eedb4185257ff75aec67b45af052d

SHA1
3d8ed20c8ef287f93a5e9aec874d4247f1cdf4e7

SHA256
dfc10f23bfac59906a664e728f14b4ca09f5342e3cebbc980d1d69d9e494049f

SHA512
55f226e8a8f7577995e683b0c4f955d8cc49eb9261f636376d9ae2f91fb7bf433b0eb3740ce0938f80340921093725f21953f9933e991f33ebc7597d1a29ee4a

Download Submit
memory/708-55-0x000001F079A30000-0x000001F079A52000-memory.dmp

Filesize
136KB

Download
memory/1588-37-0x0000000000190000-0x00000000001A8000-memory.dmp

Filesize
96KB

Download
memory/1588-94-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/1588-95-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/1588-35-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/1588-130-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/1956-39-0x0000000009010000-0x00000000090AC000-memory.dmp

Filesize
624KB

Download
memory/1956-110-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/1956-36-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/1956-42-0x00000000090B0000-0x00000000090BA000-memory.dmp

Filesize
40KB

Download
memory/1956-44-0x0000000074ED0000-0x0000000075681000-memory.dmp

Filesize
7.7MB

Download
memory/1956-43-0x00000000091F0000-0x0000000009246000-memory.dmp

Filesize
344KB

Download
memory/1956-41-0x0000000009150000-0x00000000091E2000-memory.dmp

Filesize
584KB

Download
memory/1956-40-0x0000000009660000-0x0000000009C06000-memory.dmp

Filesize
5.6MB

Download
memory/1956-38-0x0000000000610000-0x0000000004612000-memory.dmp

Filesize
64.0MB

Download
memory/1956-111-0x0000000074ED0000-0x0000000075681000-memory.dmp

Filesize
7.7MB

Download
memory/3988-115-0x0000020336D20000-0x0000020336D54000-memory.dmp

Filesize
208KB

Download
memory/4124-45-0x00007FFA54643000-0x00007FFA54645000-memory.dmp

Filesize
8KB

Download
memory/4124-117-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/4124-0-0x00007FFA54643000-0x00007FFA54645000-memory.dmp

Filesize
8KB

Download
memory/4124-56-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/4124-2-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/4124-1-0x0000000000ED0000-0x0000000004C48000-memory.dmp

Filesize
61.5MB

Download