xworm | eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe
Size

625KB
MD5

3a2f7315aa9aa110c98c396bff591c0d
SHA1

33793dfc29dc8997ad535aa5a4af58b699e864a0
SHA256

eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8
SHA512

79a33baa45a0e6ef6bf9dfadee5b9bad82cd26adda7a5673e0774d31601f86d77a096ecbb74814a5a3517b7405134261f26c7d0a3876a570da66347e84d29ede
SSDEEP

12288:o7FvizoyZ7UtcPZe69HP/RdAJrz7KKLjKdUcLz9dnHJZs:oxEFZ7Ui99HvEzxjiUYdnU

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

45.141.26.214:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012266-5.dat	family_xworm
behavioral1/memory/1288-8-0x0000000001190000-0x00000000011A8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
2336	powershell.exe
1512	powershell.exe
2820	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
1288	svchost.exe
2984	windxten.exe
1212	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2488	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	windxten.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	windxten.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	windxten.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1044	powershell.exe
2336	powershell.exe
1512	powershell.exe
2820	powershell.exe
1288	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	svchost.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1288	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1288	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1288	2488	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	30
PID 2488 wrote to memory of 1288	2488	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	30
PID 2488 wrote to memory of 1288	2488	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	30
PID 2488 wrote to memory of 2984	2488	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	31
PID 2488 wrote to memory of 2984	2488	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	31
PID 2488 wrote to memory of 2984	2488	eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe	31
PID 2984 wrote to memory of 3020	2984	windxten.exe	33
PID 2984 wrote to memory of 3020	2984	windxten.exe	33
PID 2984 wrote to memory of 3020	2984	windxten.exe	33
PID 3020 wrote to memory of 568	3020	cmd.exe	34
PID 3020 wrote to memory of 568	3020	cmd.exe	34
PID 3020 wrote to memory of 568	3020	cmd.exe	34
PID 3020 wrote to memory of 2208	3020	cmd.exe	35
PID 3020 wrote to memory of 2208	3020	cmd.exe	35
PID 3020 wrote to memory of 2208	3020	cmd.exe	35
PID 3020 wrote to memory of 3000	3020	cmd.exe	36
PID 3020 wrote to memory of 3000	3020	cmd.exe	36
PID 3020 wrote to memory of 3000	3020	cmd.exe	36
PID 2984 wrote to memory of 3028	2984	windxten.exe	37
PID 2984 wrote to memory of 3028	2984	windxten.exe	37
PID 2984 wrote to memory of 3028	2984	windxten.exe	37
PID 2984 wrote to memory of 2552	2984	windxten.exe	39
PID 2984 wrote to memory of 2552	2984	windxten.exe	39
PID 2984 wrote to memory of 2552	2984	windxten.exe	39
PID 2552 wrote to memory of 2192	2552	cmd.exe	40
PID 2552 wrote to memory of 2192	2552	cmd.exe	40
PID 2552 wrote to memory of 2192	2552	cmd.exe	40
PID 1288 wrote to memory of 1044	1288	svchost.exe	41
PID 1288 wrote to memory of 1044	1288	svchost.exe	41
PID 1288 wrote to memory of 1044	1288	svchost.exe	41
PID 1288 wrote to memory of 2336	1288	svchost.exe	43
PID 1288 wrote to memory of 2336	1288	svchost.exe	43
PID 1288 wrote to memory of 2336	1288	svchost.exe	43
PID 1288 wrote to memory of 1512	1288	svchost.exe	46
PID 1288 wrote to memory of 1512	1288	svchost.exe	46
PID 1288 wrote to memory of 1512	1288	svchost.exe	46
PID 1288 wrote to memory of 2820	1288	svchost.exe	48
PID 1288 wrote to memory of 2820	1288	svchost.exe	48
PID 1288 wrote to memory of 2820	1288	svchost.exe	48

C:\Users\Admin\AppData\Local\Temp\eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe
"C:\Users\Admin\AppData\Local\Temp\eca7af7a2ec657cbeb527d13253d29872d706b22358d59b76bd6a93d37119ca8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\ProgramData\windxten.exe
  "C:\ProgramData\windxten.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\ProgramData\windxten.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\ProgramData\windxten.exe" MD5
      4⤵
      PID:568
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2208
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c MODE CON COLS=56 LINES=5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\system32\mode.com
      MODE CON COLS=56 LINES=5
      4⤵
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe

Filesize
73KB

MD5
a6e3543ed1eeb525e84cc28e97713491

SHA1
442ab143ae0ca371e495cefc87c893d1642a98df

SHA256
3cc4913315247d3d179e8bfdd5778caf030926f68bcb12aacff481dca5d7857b

SHA512
01e079a5ae6e3d3f860e0c91b61d2dbbf4c02e4f52f1ccce3f7f628c9882b4e704dfe78a4389bec70459df898acab1bc6cdb18f15e7287a8d276117bf6f7453d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be26d60e7b801270f8f52a7d91281283

SHA1
58ed2b24f1ce56f6b0f0534475fcff67c897c4e8

SHA256
67317c7c3d12fd34fa2117f9f4b3d1218ea1f9f72940bde34dfb24093a2aec19

SHA512
7379ce12b5849b31f9fe0fbbec414f358bcf0387d3e518e2454d2c588deff854b965582e8bc979bb21e629e76a57ca00b29995850ce9e133b27844a62d03793d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d3334cdb044cbafd5a20685c7b61f7f

SHA1
9218f9fd6bd8a9546c01f91b626862c36ed0735a

SHA256
fa4ddea1aa8d5b83526cc3e67dc9d7fa0dfb8b6375c91d6619e4af1504945750

SHA512
d94b39bb670cf3a535279fca9ffcea3098bc0eb6dae617998f46e66c73e81602360f67b263c90e40eb9ec78522c7c9b5b696663261776430ff1853f5fce3fcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC100.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC132.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e30a90727cfba8f4728cfcd78a40e0f5

SHA1
02249c10f0bc88af00fc7fe1bc9f4f27d86e5a79

SHA256
2a6923ad155bcaba0dc56496961191e36fdf8ce5947718e145fa43edbd9b52d4

SHA512
124d6075eceda4d9e7a3e9d71472bbb61f35900c801b34672bb21bbf673543c13b1e745989bdad770e53bfb99052c6d8ce41abdec9f0828622fb0bb6885beef5

Download Submit
\ProgramData\windxten.exe

Filesize
538KB

MD5
7775aa2691793fd8b5796622f6cdeba2

SHA1
ecf724467ccf9eff7fcfc18e62947f8a1ab66f42

SHA256
9323cca187bca8657e9bb87ac986f3e6eb0dd235edc308b2bd3ba7306ef21286

SHA512
0722d63371329f2855c38865d5517df04c20d365bf0465d22459e5edcda7a58fbd11284b4bd53e5d75ffe193549dc8c1bedac5aac05d0257c3a1eb1eac645a42

Download Submit
memory/1044-54-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/1044-55-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/1288-15-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1288-14-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1288-8-0x0000000001190000-0x00000000011A8000-memory.dmp

Filesize
96KB

Download
memory/1288-177-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-80-0x000000001B110000-0x000000001B3F2000-memory.dmp

Filesize
2.9MB

Download
memory/2336-81-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2488-0-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x0000000001270000-0x0000000001312000-memory.dmp

Filesize
648KB

Download