xworm | 734583184759ee71d9a25e037f25e409f2f1c7adfd1927bf6838bbfb62f2195e

Resubmissions

18/01/2025, 02:54

250118-dd9fbs1ncr 10

18/01/2025, 02:49

250118-da9a6azrcz 10

18/01/2025, 02:47

250118-c9v25s1mcq 10

Analysis

max time kernel
42s
max time network
47s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18/01/2025, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.exe
Size

61KB
MD5

6afe04684a757675a359e7152592e644
SHA1

d436a89ed573a6f5cb5d9b5f5d971cc12ac09e7b
SHA256

734583184759ee71d9a25e037f25e409f2f1c7adfd1927bf6838bbfb62f2195e
SHA512

25d29d6ceb7d2aaf57d689dba5bad64268151cad17d989b34dadb5146a10f6e15e9a424c927a453d2cdc0e78e0561c348d78e98c1250fc590420ad21b3bed94a
SSDEEP

1536:wmtWxjhNJeaJXi+btWeYpive5scO3yKWRC6:wPjhNwaJXi+bw3EqhO3yKWU6

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:18889

147.185.221.25:18889

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3812-1-0x0000000000CC0000-0x0000000000CD6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe
3812	Update.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	Update.exe
Token: SeDebugPrivilege	2656	Update.exe
Token: SeDebugPrivilege	1228	firefox.exe
Token: SeDebugPrivilege	1228	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe
1228	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3812	Update.exe
1228	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1840 wrote to memory of 1228	1840	firefox.exe	96
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4784	1228	firefox.exe	97
PID 1228 wrote to memory of 4956	1228	firefox.exe	98
PID 1228 wrote to memory of 4956	1228	firefox.exe	98
PID 1228 wrote to memory of 4956	1228	firefox.exe	98
PID 1228 wrote to memory of 4956	1228	firefox.exe	98
PID 1228 wrote to memory of 4956	1228	firefox.exe	98
PID 1228 wrote to memory of 4956	1228	firefox.exe	98
PID 1228 wrote to memory of 4956	1228	firefox.exe	98
PID 1228 wrote to memory of 4956	1228	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 26921 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7db28a8c-134f-404e-87c1-8cfc76f21e16} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" gpu
    3⤵
    PID:4784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 26799 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7633f9b-38d4-4db6-91e5-1a7d749870de} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" socket
    3⤵
    PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2856 -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 3012 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a125c28d-f631-4eb3-b967-bf386cb3cdad} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab
    3⤵
    PID:1688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 32173 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9a2c02c-d8d7-442f-9784-7d78b529f968} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab
    3⤵
    PID:3376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1572 -prefMapHandle 1496 -prefsLen 32173 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2566a730-47df-4c47-984e-99176a471b2e} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" utility
    3⤵
    - Checks processor information in registry
    PID:5336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4904 -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5292 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3c5687c-5374-405e-9536-abd71ecea075} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab
    3⤵
    PID:240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04fb301b-4274-4595-962e-884b21ddee69} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab
    3⤵
    PID:1216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27ada2d6-ab62-4252-94a3-bdb6d75b7efd} 1228 "\\.\pipe\gecko-crash-server-pipe.1228" tab
    3⤵
    PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8xqgylkg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
5bd8d0ced2984b88d01e5e80555e16f9

SHA1
d058f5986e713f28f90ae897b3ae41c1e1bc9519

SHA256
440a390d690814346b1b3b66e059fca24985b6c918d0c83401d1b45552072aee

SHA512
2eab670ea70b80f0834c8344a6e537ce2dd6cbf6145da87a1345d1ccdcbcef56695858bca6f6e497c7067a2bc290ee6fbe9f7ce4f25775bd252bb80a4df04e02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
8105b3b27b1e970fd5a7262957276f62

SHA1
dd5fa6f8cd2774f7f3896cfb0f5da508319259ec

SHA256
ba4b02bf1d3a0e64279e4e207ca6938f9fd6d8c4c7a61d6aba08a72bf1d15772

SHA512
27c1a50309f1c97abf868b4eb86fcbc2d9543995fe476bffc2be3cf5882864fab6cfdc6a1d15e0cd79c7c80b8ee65c234a1402f9bcaed2ff6c1541eb3a446056

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
dd4dd7ef278a8358e5c19a43e14fb712

SHA1
1ad55a57b71e82cdcdafa9cba63830906b5049d2

SHA256
4b455b138aa7f3b11994677137c0f7ca0cfe352226287e4757d0d3f4f908368f

SHA512
47c61918222954d0bd99f748a4075ad653ea906ca4537df3afaa68f97053247d58a7f29b1800c0f6d361d0731d327dc8a8be1baf3577bbae987d4adbe403f221

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
6a46929cff0d42ce41c26ae44121e3d8

SHA1
eeb7c26407726c804a08cd5c383cd7a9cc0f9c31

SHA256
0c9743cd89385a8fd3629b6c8444fda1ab75b9c8dc42c825c1724d24c31a9f4b

SHA512
e9393b553d09d6d209c20e8e00fb7c72728261164dec97c5bb7b95069852732e7c119a6578366d9a01f8b6b2fdf1680701cc261a8ed61d4718a88146bb011773

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
02aef37261780bbf52e1fa2c2cfab47b

SHA1
81f5e83f0a7ffeea5427fbe9a5b96552e74df87e

SHA256
c874c2cf53db03761524d6007234b1290bfdd687049af908f26a0eefa35f7916

SHA512
d6311894c9ece495060ae671886fb53d1ddbbbad165dd369d6a448edb832f40c5ca5656fe94a2c66b1c5e0e6243f6b0cc40b6e909463b01409ede332cf99118e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
66cf2498a886d0e9073c3d41c168a2e4

SHA1
7f31210e3752e57f883faee7de94c1b790292a45

SHA256
49ca87b39858c30e5a0d39776e0f3f9b89d6c5b540f9d3e7098f6b71fccb0fa6

SHA512
ee03c51901e55f21cfaa0a5021fbba46e2ee1c522e10a6eabba6edb2040e44bff91122b1192fbbc727154bd03099e0418aff264f633fccbb5fab386b2472a7ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\pending_pings\ed0cb74c-8ab4-4fe9-96be-dfd89c38cb2d

Filesize
659B

MD5
1287732a12faf61e35bcccc8c7387a92

SHA1
cbaa541fa33d2a42f957cae2c18f2c131b5640be

SHA256
5933b8b620c5d502385c37e0d1831a7ac988356b1359f90970d3164034a31fe7

SHA512
ce609d4c7c8d428e62e967f6cfaa9289f72c09a887740e731203771dd3937362994a8376dc38ccb5a5a05cdb05e9b5ae65f83d18961a654ae529ba90f64e351e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\pending_pings\f2108491-f753-47f1-a99f-6b7dc86c711c

Filesize
982B

MD5
8e428a14dfbe527888bb380292977133

SHA1
fb82f88ed4757dee79336b57d461860f9aa0660c

SHA256
838ab2544cb4862f08a2af09b8e86155b9c301958874d8363126c21509793825

SHA512
12dd900b1d4af07f796a97b49b639ec025cbc43ade644f13e196a7f7f5882bfb94c851c3c91adb3fa61f98f8ade683b5bb7794556af6e4e4d063198a09e055e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\prefs-1.js

Filesize
9KB

MD5
1f40ed9ae7efab64a8d12e946321ea74

SHA1
b125194dcc014c89484f865ccdeab9a455bdb565

SHA256
ea9f6acedaefea067c376636641ee17973b77b211f3a4e98d1056b5512ab8395

SHA512
b9852e32e2eadfc874a6eb12aa6fae3280fdb17afaa5a0fe8142726ee9438c849f79cccec2c8e97de3a5fba55e547fe34535d539675858f5e8d9460603353a48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\prefs.js

Filesize
9KB

MD5
370e52b65da86449a62446eb9b99b271

SHA1
5a405f234476c35334a0501bf9be2f9d3cc9343d

SHA256
bad322c97a16fc763d405e35413d7779fce6dcf91a3cf5eae6b37b248d783835

SHA512
5c99b2447dd33a01d904382ef172d83e0467743bde239f5f637b99fbb405efcf3dcff9ad2798a8e5ab819bc4477944ce8b0c6b3f5a6c87588adc5c72d44083a2

Download Submit
memory/2656-18-0x00007FFEC44F0000-0x00007FFEC4FB2000-memory.dmp

Filesize
10.8MB

Download
memory/2656-16-0x00007FFEC44F0000-0x00007FFEC4FB2000-memory.dmp

Filesize
10.8MB

Download
memory/3812-6-0x00007FFEC44F0000-0x00007FFEC4FB2000-memory.dmp

Filesize
10.8MB

Download
memory/3812-273-0x000000001B940000-0x000000001B94C000-memory.dmp

Filesize
48KB

Download
memory/3812-15-0x00007FFEC44F0000-0x00007FFEC4FB2000-memory.dmp

Filesize
10.8MB

Download
memory/3812-0-0x00007FFEC44F3000-0x00007FFEC44F5000-memory.dmp

Filesize
8KB

Download
memory/3812-2-0x00007FFEC44F0000-0x00007FFEC4FB2000-memory.dmp

Filesize
10.8MB

Download
memory/3812-333-0x00007FFEC44F0000-0x00007FFEC4FB2000-memory.dmp

Filesize
10.8MB

Download
memory/3812-19-0x00007FFEC44F0000-0x00007FFEC4FB2000-memory.dmp

Filesize
10.8MB

Download
memory/3812-1-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download