xworm | 95f75183ae20ba58029f7a082b18ac082e36a0bac463c4e30ff1c5738afc3ca0

Analysis

max time kernel
128s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
Size

528KB
MD5

046dc61545c4ca911c25cfc844b3b00c
SHA1

671cda72944c3920edb83520eb5d2317af0c60cb
SHA256

edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386
SHA512

c8024a51ede593157cc7a881a8587536cf010c4c8f9838e44518371dbcec12e96fcac16742617eec414f6a280a5abbcf8d9fe3bcac9c04b75049006f2d93af6e
SSDEEP

12288:5hU2ft8hWSxwvzeA5ScGZshgwnmnmalFYCJVM:bHfuWSxWRGgLmnmaQCJV

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

pkaraven.duckdns.org:9387

Mutex

PN8dWiUH0oIhIHhD

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1912-35-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
876	powershell.exe
4260	powershell.exe
3668	powershell.exe
1652	powershell.exe
1688	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.lnk	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.lnk	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 1912	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
876	powershell.exe
4260	powershell.exe
2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
876	powershell.exe
4260	powershell.exe
3668	powershell.exe
3668	powershell.exe
1652	powershell.exe
1652	powershell.exe
1688	powershell.exe
1688	powershell.exe
1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 876	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	94
PID 2752 wrote to memory of 876	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	94
PID 2752 wrote to memory of 876	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	94
PID 2752 wrote to memory of 4260	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	96
PID 2752 wrote to memory of 4260	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	96
PID 2752 wrote to memory of 4260	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	96
PID 2752 wrote to memory of 4456	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	98
PID 2752 wrote to memory of 4456	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	98
PID 2752 wrote to memory of 4456	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	98
PID 2752 wrote to memory of 1912	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	100
PID 2752 wrote to memory of 1912	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	100
PID 2752 wrote to memory of 1912	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	100
PID 2752 wrote to memory of 1912	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	100
PID 2752 wrote to memory of 1912	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	100
PID 2752 wrote to memory of 1912	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	100
PID 2752 wrote to memory of 1912	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	100
PID 2752 wrote to memory of 1912	2752	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	100
PID 1912 wrote to memory of 3668	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	101
PID 1912 wrote to memory of 3668	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	101
PID 1912 wrote to memory of 3668	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	101
PID 1912 wrote to memory of 1652	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	104
PID 1912 wrote to memory of 1652	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	104
PID 1912 wrote to memory of 1652	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	104
PID 1912 wrote to memory of 1688	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	107
PID 1912 wrote to memory of 1688	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	107
PID 1912 wrote to memory of 1688	1912	edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe	107

C:\Users\Admin\AppData\Local\Temp\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
"C:\Users\Admin\AppData\Local\Temp\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UAfIsZeb.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UAfIsZeb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A35.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4456
- C:\Users\Admin\AppData\Local\Temp\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe
  "C:\Users\Admin\AppData\Local\Temp\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a01f903d8bada3c9f1f2d3534f73e74f

SHA1
8304f899e61bf6318fdee613e3289c049593af92

SHA256
3284eaee0c4102f2a25f902527d9af9347eb2b35a9f6d85fbef981bbe26ef8a3

SHA512
8c377780d96b46f9c47c2f9bf5b58c412506bbd1159a023af6579495f353ff163b929ce074a54b2c0716b8bdfeb08f78de9b05a8b98ef94ae4247a5462715b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b31a4ffda3aa0c07859ed038b7dccadb

SHA1
093290c25edd3dacc7458d524da05a70de5e8b19

SHA256
a31c5e045ce6e96bf33c4be16bacf9463fdd3b02875589fa21feef6d39cea711

SHA512
b801852146c38b979048e74192328f9ef9f1b1b0d9c312a6cbaa9085cad676c917ce35ec247fc157c806c0dfcb38254074a9506dec32af2417f4ade67d1d41ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a0b0355642eac291775dcec2ef3fb2f9

SHA1
2da89913af1814d36d744f56938fbabd7412d44c

SHA256
2f150902104ddb01e91349a61e3ba662c6228bf523350ac63e565d51c5980e26

SHA512
015b939fb24131a318e839bf4c8042d29b8e4c5ed5d5b40a2579fe44b3d7ad0598eaeb4bde0e46fab8edbe629325d871802d50e7e120a50c58af1cefe40dfcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tm0mpsbj.150.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A35.tmp

Filesize
1KB

MD5
1829ea10511420363b8e1d5680d3e31a

SHA1
773755b6b1d75b495e468b04786be96b5e91a47f

SHA256
122921026c8452e6d1ee4089c54fefdd20fd0fcefda3bca7e49c1b0a607a11f9

SHA512
c210012c289c094697f8df68e23195695fcffa50be98fa971b3506004ba1075ff37dc09594c37703f4be2d75d596d85fdfa1ad03cfc8a4a3e3f1ccabf95ec91c

Download Submit
C:\Users\Admin\AppData\Roaming\edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386.exe

Filesize
528KB

MD5
046dc61545c4ca911c25cfc844b3b00c

SHA1
671cda72944c3920edb83520eb5d2317af0c60cb

SHA256
edb8cc2548ed59dc491c0a1cb0b4907a2235b13bbe06a880053bbab544f91386

SHA512
c8024a51ede593157cc7a881a8587536cf010c4c8f9838e44518371dbcec12e96fcac16742617eec414f6a280a5abbcf8d9fe3bcac9c04b75049006f2d93af6e

Download Submit
memory/876-50-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/876-108-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/876-86-0x0000000007100000-0x0000000007196000-memory.dmp

Filesize
600KB

Download
memory/876-87-0x0000000007080000-0x0000000007091000-memory.dmp

Filesize
68KB

Download
memory/876-15-0x0000000002250000-0x0000000002286000-memory.dmp

Filesize
216KB

Download
memory/876-16-0x0000000004D00000-0x0000000005328000-memory.dmp

Filesize
6.2MB

Download
memory/876-17-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/876-18-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/876-63-0x0000000006D40000-0x0000000006DE3000-memory.dmp

Filesize
652KB

Download
memory/876-20-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/876-23-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/876-62-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/876-22-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/876-52-0x0000000075530000-0x000000007557C000-memory.dmp

Filesize
304KB

Download
memory/876-51-0x0000000006AE0000-0x0000000006B12000-memory.dmp

Filesize
200KB

Download
memory/876-88-0x00000000070B0000-0x00000000070BE000-memory.dmp

Filesize
56KB

Download
memory/876-36-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/876-34-0x0000000005500000-0x0000000005854000-memory.dmp

Filesize
3.3MB

Download
memory/876-49-0x0000000005B30000-0x0000000005B4E000-memory.dmp

Filesize
120KB

Download
memory/876-75-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/1652-116-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/1652-122-0x0000000006D80000-0x0000000006DCC000-memory.dmp

Filesize
304KB

Download
memory/1652-123-0x0000000070900000-0x000000007094C000-memory.dmp

Filesize
304KB

Download
memory/1652-133-0x0000000007AD0000-0x0000000007B73000-memory.dmp

Filesize
652KB

Download
memory/1652-134-0x0000000007D80000-0x0000000007D91000-memory.dmp

Filesize
68KB

Download
memory/1652-135-0x0000000007DB0000-0x0000000007DC4000-memory.dmp

Filesize
80KB

Download
memory/1688-147-0x0000000070900000-0x000000007094C000-memory.dmp

Filesize
304KB

Download
memory/1912-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2752-7-0x0000000005B20000-0x0000000005B32000-memory.dmp

Filesize
72KB

Download
memory/2752-3-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/2752-1-0x0000000000A60000-0x0000000000AEA000-memory.dmp

Filesize
552KB

Download
memory/2752-9-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2752-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2752-2-0x0000000005B30000-0x00000000060D4000-memory.dmp

Filesize
5.6MB

Download
memory/2752-10-0x0000000006AE0000-0x0000000006B34000-memory.dmp

Filesize
336KB

Download
memory/2752-8-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2752-5-0x0000000005720000-0x000000000572A000-memory.dmp

Filesize
40KB

Download
memory/2752-4-0x0000000005620000-0x00000000056BC000-memory.dmp

Filesize
624KB

Download
memory/2752-6-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2752-48-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3668-92-0x0000000075530000-0x000000007557C000-memory.dmp

Filesize
304KB

Download
memory/4260-90-0x0000000007690000-0x00000000076AA000-memory.dmp

Filesize
104KB

Download
memory/4260-47-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4260-107-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4260-91-0x0000000007670000-0x0000000007678000-memory.dmp

Filesize
32KB

Download
memory/4260-24-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4260-19-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4260-76-0x00000000073C0000-0x00000000073CA000-memory.dmp

Filesize
40KB

Download
memory/4260-89-0x0000000007590000-0x00000000075A4000-memory.dmp

Filesize
80KB

Download
memory/4260-64-0x0000000075530000-0x000000007557C000-memory.dmp

Filesize
304KB

Download
memory/4260-74-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download