xworm | 27f53d6d1b4f4edb6c517ac1a517a4e9158d5d96eeccfd324c925d3772c3f44c

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

1.4MB
MD5

ebe8a0f61f53a3817c3fbcc3ab3a1f4c
SHA1

d87d66d53f29464d1f32b2c1e3b7ce507c51c40d
SHA256

27f53d6d1b4f4edb6c517ac1a517a4e9158d5d96eeccfd324c925d3772c3f44c
SHA512

33138b6fc03af9598821377dfdacaad64a56b7a05e7c7ae48de958e0002c8eec695e49633aec8be212be321f525ca165e40abf81bf0c69a57a0582f94698385b
SSDEEP

24576:HMjhUS5MaULo18LoNubLFwUoTh+tasCU1Yc0zRgYEz405bmktUNudtJjdPrF:6t5CLQ8sNg9oThYoic27cab7SNudXjdZ

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

91.212.166.99:4404

Mutex

f35pmRFzPiiasEf1

Attributes

Install_directory
%LocalAppData%
install_file
dllhost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2856-82-0x0000000002420000-0x0000000002430000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	random.tmp

Executes dropped EXE 4 IoCs

pid	Process
4740	random.tmp
2376	random.tmp
2236	dllhost.exe
1628	dllhost.exe

Loads dropped DLL 8 IoCs

pid	Process
4740	random.tmp
4740	random.tmp
2376	random.tmp
2376	random.tmp
1336	regsvr32.exe
2856	regsvr32.exe
3468	regsvr32.EXE
3248	regsvr32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe
2396	powershell.exe
2008	powershell.exe
4468	powershell.exe
2444	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1660	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2856	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2376	random.tmp
2376	random.tmp
2856	regsvr32.exe
2856	regsvr32.exe
4468	powershell.exe
4468	powershell.exe
2444	powershell.exe
2444	powershell.exe
2856	regsvr32.exe
2856	regsvr32.exe
2856	regsvr32.exe
3468	regsvr32.EXE
3468	regsvr32.EXE
2396	powershell.exe
2396	powershell.exe
3468	regsvr32.EXE
3468	regsvr32.EXE
3248	regsvr32.EXE
3248	regsvr32.EXE
2008	powershell.exe
2008	powershell.exe
3248	regsvr32.EXE
3248	regsvr32.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	powershell.exe
Token: SeSecurityPrivilege	4468	powershell.exe
Token: SeTakeOwnershipPrivilege	4468	powershell.exe
Token: SeLoadDriverPrivilege	4468	powershell.exe
Token: SeSystemProfilePrivilege	4468	powershell.exe
Token: SeSystemtimePrivilege	4468	powershell.exe
Token: SeProfSingleProcessPrivilege	4468	powershell.exe
Token: SeIncBasePriorityPrivilege	4468	powershell.exe
Token: SeCreatePagefilePrivilege	4468	powershell.exe
Token: SeBackupPrivilege	4468	powershell.exe
Token: SeRestorePrivilege	4468	powershell.exe
Token: SeShutdownPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeSystemEnvironmentPrivilege	4468	powershell.exe
Token: SeRemoteShutdownPrivilege	4468	powershell.exe
Token: SeUndockPrivilege	4468	powershell.exe
Token: SeManageVolumePrivilege	4468	powershell.exe
Token: 33	4468	powershell.exe
Token: 34	4468	powershell.exe
Token: 35	4468	powershell.exe
Token: 36	4468	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeIncreaseQuotaPrivilege	2444	powershell.exe
Token: SeSecurityPrivilege	2444	powershell.exe
Token: SeTakeOwnershipPrivilege	2444	powershell.exe
Token: SeLoadDriverPrivilege	2444	powershell.exe
Token: SeSystemProfilePrivilege	2444	powershell.exe
Token: SeSystemtimePrivilege	2444	powershell.exe
Token: SeProfSingleProcessPrivilege	2444	powershell.exe
Token: SeIncBasePriorityPrivilege	2444	powershell.exe
Token: SeCreatePagefilePrivilege	2444	powershell.exe
Token: SeBackupPrivilege	2444	powershell.exe
Token: SeRestorePrivilege	2444	powershell.exe
Token: SeShutdownPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeSystemEnvironmentPrivilege	2444	powershell.exe
Token: SeRemoteShutdownPrivilege	2444	powershell.exe
Token: SeUndockPrivilege	2444	powershell.exe
Token: SeManageVolumePrivilege	2444	powershell.exe
Token: 33	2444	powershell.exe
Token: 34	2444	powershell.exe
Token: 35	2444	powershell.exe
Token: 36	2444	powershell.exe
Token: SeIncreaseQuotaPrivilege	2444	powershell.exe
Token: SeSecurityPrivilege	2444	powershell.exe
Token: SeTakeOwnershipPrivilege	2444	powershell.exe
Token: SeLoadDriverPrivilege	2444	powershell.exe
Token: SeSystemProfilePrivilege	2444	powershell.exe
Token: SeSystemtimePrivilege	2444	powershell.exe
Token: SeProfSingleProcessPrivilege	2444	powershell.exe
Token: SeIncBasePriorityPrivilege	2444	powershell.exe
Token: SeCreatePagefilePrivilege	2444	powershell.exe
Token: SeBackupPrivilege	2444	powershell.exe
Token: SeRestorePrivilege	2444	powershell.exe
Token: SeShutdownPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeSystemEnvironmentPrivilege	2444	powershell.exe
Token: SeRemoteShutdownPrivilege	2444	powershell.exe
Token: SeUndockPrivilege	2444	powershell.exe
Token: SeManageVolumePrivilege	2444	powershell.exe
Token: 33	2444	powershell.exe
Token: 34	2444	powershell.exe
Token: 35	2444	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2376	random.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2856	regsvr32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4740	4992	random.exe	85
PID 4992 wrote to memory of 4740	4992	random.exe	85
PID 4992 wrote to memory of 4740	4992	random.exe	85
PID 4740 wrote to memory of 5084	4740	random.tmp	86
PID 4740 wrote to memory of 5084	4740	random.tmp	86
PID 4740 wrote to memory of 5084	4740	random.tmp	86
PID 5084 wrote to memory of 2376	5084	random.exe	87
PID 5084 wrote to memory of 2376	5084	random.exe	87
PID 5084 wrote to memory of 2376	5084	random.exe	87
PID 2376 wrote to memory of 1336	2376	random.tmp	88
PID 2376 wrote to memory of 1336	2376	random.tmp	88
PID 2376 wrote to memory of 1336	2376	random.tmp	88
PID 1336 wrote to memory of 2856	1336	regsvr32.exe	89
PID 1336 wrote to memory of 2856	1336	regsvr32.exe	89
PID 2856 wrote to memory of 4468	2856	regsvr32.exe	90
PID 2856 wrote to memory of 4468	2856	regsvr32.exe	90
PID 2856 wrote to memory of 2444	2856	regsvr32.exe	93
PID 2856 wrote to memory of 2444	2856	regsvr32.exe	93
PID 2856 wrote to memory of 1660	2856	regsvr32.exe	99
PID 2856 wrote to memory of 1660	2856	regsvr32.exe	99
PID 3468 wrote to memory of 2396	3468	regsvr32.EXE	116
PID 3468 wrote to memory of 2396	3468	regsvr32.EXE	116
PID 3248 wrote to memory of 2008	3248	regsvr32.EXE	121
PID 3248 wrote to memory of 2008	3248	regsvr32.EXE	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\is-O9LEQ.tmp\random.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O9LEQ.tmp\random.tmp" /SL5="$6020E,1104885,161792,C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\random.exe
    "C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\is-LKMU5.tmp\random.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LKMU5.tmp\random.tmp" /SL5="$501F6,1104885,161792,C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\uxtheme_2.drv"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\uxtheme_2.drv"
        6⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D1AD7B3E-B38B-4E86-8B24-44C6BE037043}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1660

C:\Users\Admin\AppData\Local\dllhost.exe
C:\Users\Admin\AppData\Local\dllhost.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2396

C:\Users\Admin\AppData\Local\dllhost.exe
C:\Users\Admin\AppData\Local\dllhost.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc35bf2367ee5c6feb084ab39f5c26eb

SHA1
cd9742c05391a92780a81fe836797a5909c7f9c1

SHA256
7ad08f1c2e7df4102eb3a6d213f4a0c245300c275fd53e463655a8ab9fa3ec64

SHA512
0b6662ea93907902c9f5db98bed4e9d322a69e7b8df921f6b8bd8026fdbfa556b0afe29013e3ecc8982a6339c48b4fe371ba587f02c39de72cb3840ed0e6747b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00068d34580ca0b4e186c4a6f303b09e

SHA1
59fe7294b796d4848709b32042246f1bb73acfab

SHA256
68f5b87085e5d444e29c42f79d24740e03f6658edb8bd2230cce896aac871fa6

SHA512
96359172ef18684d8b81977a3d79246427ce0b328e160f2e8b548b338feb081817293b04593960f679915c42a5b86255b30f5b56d06318de8dcb4e77e9d277ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c594f077d5a28f772c2f05ada17636b

SHA1
f139c59084f7a70b19e67dfae9e99a66b95d601d

SHA256
d8d871ff1409d75e4b05bb96983ad4cb62ba156908f583ab92e5f05098bde16c

SHA512
4e8d476e9b56016bcddd26f66a093eb258b0e4430b0741bf2d1bcb9656d2de0d2ea48a90f68ff6986441ccb5c8a38bc3c4710833de089e8fb5309313b93762fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_grfgq1f5.tq0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76G93.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K8LG1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O9LEQ.tmp\random.tmp

Filesize
1.1MB

MD5
bcc236a3921e1388596a42b05686ff5e

SHA1
43bffbbac6a1bf5f1fa21e971e06e6f1d0af9263

SHA256
43a656bcd060e8a36502ca2deb878d56a99078f13d3e57dcd73a87128588c9e9

SHA512
e3baaf1a8f4eb0e1ab57a1fb35bc7ded476606b65fafb09835d34705d8c661819c3cfa0ecc43c5a0d0085fd570df581438de27944e054e12c09a6933bbf5ce04

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
C:\Users\Admin\AppData\Roaming\uxtheme_2.drv

Filesize
3.0MB

MD5
022a2e01cd6ff624652952cf43b0fe0d

SHA1
f3670138ac48304d5ce26202ed51b20ada4f0052

SHA256
f4213387bf82edf9929ba45b8c4d6942e99b31b7b3d155f0b7d1d22bffe1d607

SHA512
c0ad1737197ce2216287a2d53251048a8cfca7ee67a54f3316b0d7be12728114e2b68e8b92b67eb5b6e3115164a02589c449f4432c1b9a7dc35c2f49d44e6155

Download Submit
memory/2376-31-0x00007FFA26150000-0x00007FFA26345000-memory.dmp

Filesize
2.0MB

Download
memory/2376-53-0x00007FFA26150000-0x00007FFA26345000-memory.dmp

Filesize
2.0MB

Download
memory/2376-52-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2856-83-0x00007FFA07760000-0x00007FFA07A60000-memory.dmp

Filesize
3.0MB

Download
memory/2856-82-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/3248-123-0x00007FFA07760000-0x00007FFA07A60000-memory.dmp

Filesize
3.0MB

Download
memory/3468-103-0x00007FFA07760000-0x00007FFA07A60000-memory.dmp

Filesize
3.0MB

Download
memory/4468-56-0x0000023DC3AD0000-0x0000023DC3AF2000-memory.dmp

Filesize
136KB

Download
memory/4740-24-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4740-25-0x00007FFA26150000-0x00007FFA26345000-memory.dmp

Filesize
2.0MB

Download
memory/4740-7-0x00007FFA26150000-0x00007FFA26345000-memory.dmp

Filesize
2.0MB

Download
memory/4992-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4992-2-0x00007FFA26150000-0x00007FFA26345000-memory.dmp

Filesize
2.0MB

Download
memory/4992-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5084-23-0x00007FFA26150000-0x00007FFA26345000-memory.dmp

Filesize
2.0MB

Download
memory/5084-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5084-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download