xworm | f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe
Size

85.1MB
MD5

8310bdf3ac82001830f75c15fba8cc15
SHA1

581d729268cbd245d091633cc19692c4b5bfa0af
SHA256

f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4
SHA512

ceab56619fa83baddcc3af7b781ce144ec53db919a6a80079b51e874d495e78349dc6882dad3f815c95274d8caca514765f34086f0b7acb8d42c616ca1714bf0
SSDEEP

49152:kDSdqvdbLqSewjI63pCESb+7sQuJwomAiyHwjfUZo+JP0D73BB681fhojkIG1l0D:

Score

10^/10

xworm discovery evasion execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

45.145.41.178:1111

Attributes

Install_directory
%AppData%
install_file
Windows Defender Notification.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d3a-19.dat	family_xworm
behavioral1/memory/2644-25-0x0000000001170000-0x000000000118A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
1768	powershell.exe
2008	powershell.exe
2624	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1848	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Notification.lnk	Windows Defender Notification.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe	Windows Defender Real Time Protection.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe	Windows Defender Real Time Protection.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Notification.lnk	Windows Defender Notification.exe

Executes dropped EXE 3 IoCs

pid	Process
2188	Windows Defender Real Time Protection.exe
2244	CraxsRat.exe
2644	Windows Defender Notification.exe

Loads dropped DLL 3 IoCs

pid	Process
1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe
1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe
1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\0e75fed00639ea9e725255499292dcdd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender Real Time Protection.exe\" .."	Windows Defender Real Time Protection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0e75fed00639ea9e725255499292dcdd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender Real Time Protection.exe\" .."	Windows Defender Real Time Protection.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Notification = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender Notification.exe"	Windows Defender Notification.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender Real Time Protection.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1848	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2668	powershell.exe
1768	powershell.exe
2008	powershell.exe
2624	powershell.exe
2644	Windows Defender Notification.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	Windows Defender Notification.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2188	Windows Defender Real Time Protection.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2644	Windows Defender Notification.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe
Token: 33	2188	Windows Defender Real Time Protection.exe
Token: SeIncBasePriorityPrivilege	2188	Windows Defender Real Time Protection.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	Windows Defender Notification.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2188	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	30
PID 1420 wrote to memory of 2188	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	30
PID 1420 wrote to memory of 2188	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	30
PID 1420 wrote to memory of 2188	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	30
PID 1420 wrote to memory of 2244	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	31
PID 1420 wrote to memory of 2244	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	31
PID 1420 wrote to memory of 2244	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	31
PID 1420 wrote to memory of 2244	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	31
PID 1420 wrote to memory of 2644	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	32
PID 1420 wrote to memory of 2644	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	32
PID 1420 wrote to memory of 2644	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	32
PID 1420 wrote to memory of 2644	1420	f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe	32
PID 2244 wrote to memory of 2748	2244	CraxsRat.exe	33
PID 2244 wrote to memory of 2748	2244	CraxsRat.exe	33
PID 2244 wrote to memory of 2748	2244	CraxsRat.exe	33
PID 2644 wrote to memory of 2668	2644	Windows Defender Notification.exe	34
PID 2644 wrote to memory of 2668	2644	Windows Defender Notification.exe	34
PID 2644 wrote to memory of 2668	2644	Windows Defender Notification.exe	34
PID 2644 wrote to memory of 1768	2644	Windows Defender Notification.exe	36
PID 2644 wrote to memory of 1768	2644	Windows Defender Notification.exe	36
PID 2644 wrote to memory of 1768	2644	Windows Defender Notification.exe	36
PID 2644 wrote to memory of 2008	2644	Windows Defender Notification.exe	38
PID 2644 wrote to memory of 2008	2644	Windows Defender Notification.exe	38
PID 2644 wrote to memory of 2008	2644	Windows Defender Notification.exe	38
PID 2188 wrote to memory of 1848	2188	Windows Defender Real Time Protection.exe	40
PID 2188 wrote to memory of 1848	2188	Windows Defender Real Time Protection.exe	40
PID 2188 wrote to memory of 1848	2188	Windows Defender Real Time Protection.exe	40
PID 2188 wrote to memory of 1848	2188	Windows Defender Real Time Protection.exe	40
PID 2644 wrote to memory of 2624	2644	Windows Defender Notification.exe	42
PID 2644 wrote to memory of 2624	2644	Windows Defender Notification.exe	42
PID 2644 wrote to memory of 2624	2644	Windows Defender Notification.exe	42
PID 2644 wrote to memory of 2992	2644	Windows Defender Notification.exe	44
PID 2644 wrote to memory of 2992	2644	Windows Defender Notification.exe	44
PID 2644 wrote to memory of 2992	2644	Windows Defender Notification.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe
"C:\Users\Admin\AppData\Local\Temp\f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\Windows Defender Real Time Protection.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Defender Real Time Protection.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Time Discovery
    PID:1848
- C:\Users\Admin\AppData\Local\Temp\CraxsRat.exe
  "C:\Users\Admin\AppData\Local\Temp\CraxsRat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2244 -s 528
    3⤵
    PID:2748
- C:\Users\Admin\AppData\Local\Temp\Windows Defender Notification.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Defender Notification.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Defender Notification.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Notification.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Notification" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Notification.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2992

C:\Windows\system32\taskeng.exe
taskeng.exe {B33A6ECB-93B3-49D5-990B-9C8A40F7489E} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e7ff008fe031f9e716f34aca193ba973

SHA1
4636f4b908cacc2cbfae9b12073d02f1e21701ff

SHA256
ce3abb2682110304d53f4b394f2a65e5ae85e2e202cec7a08a00b3fd72724aaf

SHA512
74b53bcad59e18c8a5e7e6f431b1c7aeedcd78dd9ba028b5504c0a2e2e796209885ed0cd4749df8feca63022d67ee720cea36a4f9b6879540f22c88304301e70

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Defender Notification.exe

Filesize
75KB

MD5
8d6e86e6e799c75bd5123534bdbf411b

SHA1
9fc526e97077ed2a5e78371fdab5ab7ecf789368

SHA256
7892c9f14967696e15b99b3eac66d65643357c9a4315f5e8210c8437c6617888

SHA512
8cd6e706c3f36d7cb1d6eed3717fd3e96863b6fcf4ee3425f7b08823b8dc364a1de215b578310a3d1fddd98f9eb648ddeafd85d8a2feed399d46fba7dba09265

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Defender Real Time Protection.exe

Filesize
32KB

MD5
fc15fb0cec248ea16a6eda92ab97b1f8

SHA1
01af6a8e81a92487ed29b9706ef8c86957666a45

SHA256
73e71dc70f6daeebd9a257d0b0c6e67e87c6d50b27eb94af08d15f1afb6ed02c

SHA512
525dbba870aeeb38edf40a31ab36230f11b481a63e14b441dc314f40da310d936dcac1b46f05aa93bbcf511acf1375aaaea5aa0438b399ba24812bddec93d730

Download Submit
memory/1420-1-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-3-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-0-0x0000000074D91000-0x0000000074D92000-memory.dmp

Filesize
4KB

Download
memory/1420-24-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-39-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1768-38-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2188-10-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-11-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-57-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-26-0x0000000000AD0000-0x0000000004A80000-memory.dmp

Filesize
63.7MB

Download
memory/2624-51-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2624-52-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2644-25-0x0000000001170000-0x000000000118A000-memory.dmp

Filesize
104KB

Download
memory/2668-31-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2668-32-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download