xworm | 9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7

Analysis

max time kernel
328s
max time network
333s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.6MB
MD5

c655d958dac296c3e6b0667e5f00dada
SHA1

678c76f62274a01a98ddd70082589c4a283c5a5a
SHA256

9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7
SHA512

98c4595eccf9fa67f99e16d36347739932fdbebe29bd95d65e397e60a34002d3724f9221fcf0514631f8cf05808c320cdf4c22eee28e77b06c01993b1079d7a0
SSDEEP

98304:9sNuDeuRqghwVZpsCzTB0saQZ2pT46vyQUiGNcX84I3UjpFU473BJ9kQEuyh2:Qu1ElzTB0saGhkGs84I3U1/JQh2

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

allows-welfare.gl.at.ply.gg:49180

Attributes

Install_directory
%AppData%
install_file
System32pdfc.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe family_xworm
behavioral2/memory/3916-10-0x0000000000FA0000-0x0000000000FB8000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2160 powershell.exe
1604 powershell.exe
3904 powershell.exe
4660 powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe	family_xworm
behavioral2/memory/3916-10-0x0000000000FA0000-0x0000000000FB8000-memory.dmp	family_xworm

pid	process
2160	powershell.exe
1604	powershell.exe
3904	powershell.exe
4660	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exesystem32transmitter.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	system32transmitter.exe

Drops startup file 2 IoCs

Processes:

system32transmitter.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32pdfc.lnk	system32transmitter.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32pdfc.lnk	system32transmitter.exe

Executes dropped EXE 4 IoCs

Processes:

system32transmitter.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

pid process

3916 system32transmitter.exe
1500 AnyDesk.exe
1428 AnyDesk.exe
1408 AnyDesk.exe
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 9.9.9.9
Destination IP 9.9.9.9
Destination IP 9.9.9.9
Destination IP 9.9.9.9
Destination IP 9.9.9.9
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3916	system32transmitter.exe
1500	AnyDesk.exe
1428	AnyDesk.exe
1408	AnyDesk.exe

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

flow	ioc
4	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

AnyDesk.exepowershell.exepowershell.exepowershell.exepowershell.exesystem32transmitter.exe

pid	process
1428	AnyDesk.exe
1428	AnyDesk.exe
2160	powershell.exe
2160	powershell.exe
1604	powershell.exe
1604	powershell.exe
3904	powershell.exe
3904	powershell.exe
4660	powershell.exe
4660	powershell.exe
3916	system32transmitter.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

system32transmitter.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3916	system32transmitter.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	3916	system32transmitter.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

1408 AnyDesk.exe
1408 AnyDesk.exe
1408 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

1408 AnyDesk.exe
1408 AnyDesk.exe
1408 AnyDesk.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

system32transmitter.exe

pid process

3916 system32transmitter.exe

pid	process
1408	AnyDesk.exe
1408	AnyDesk.exe
1408	AnyDesk.exe

pid	process
1408	AnyDesk.exe
1408	AnyDesk.exe
1408	AnyDesk.exe

pid	process
3916	system32transmitter.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

AnyDesk.execmd.exeAnyDesk.exesystem32transmitter.exe

description	pid	process	target process
PID 3984 wrote to memory of 3512	3984	AnyDesk.exe	cmd.exe
PID 3984 wrote to memory of 3512	3984	AnyDesk.exe	cmd.exe
PID 3984 wrote to memory of 3512	3984	AnyDesk.exe	cmd.exe
PID 3512 wrote to memory of 3916	3512	cmd.exe	system32transmitter.exe
PID 3512 wrote to memory of 3916	3512	cmd.exe	system32transmitter.exe
PID 3512 wrote to memory of 1500	3512	cmd.exe	AnyDesk.exe
PID 3512 wrote to memory of 1500	3512	cmd.exe	AnyDesk.exe
PID 3512 wrote to memory of 1500	3512	cmd.exe	AnyDesk.exe
PID 1500 wrote to memory of 1428	1500	AnyDesk.exe	AnyDesk.exe
PID 1500 wrote to memory of 1428	1500	AnyDesk.exe	AnyDesk.exe
PID 1500 wrote to memory of 1428	1500	AnyDesk.exe	AnyDesk.exe
PID 1500 wrote to memory of 1408	1500	AnyDesk.exe	AnyDesk.exe
PID 1500 wrote to memory of 1408	1500	AnyDesk.exe	AnyDesk.exe
PID 1500 wrote to memory of 1408	1500	AnyDesk.exe	AnyDesk.exe
PID 3916 wrote to memory of 2160	3916	system32transmitter.exe	powershell.exe
PID 3916 wrote to memory of 2160	3916	system32transmitter.exe	powershell.exe
PID 3916 wrote to memory of 1604	3916	system32transmitter.exe	powershell.exe
PID 3916 wrote to memory of 1604	3916	system32transmitter.exe	powershell.exe
PID 3916 wrote to memory of 3904	3916	system32transmitter.exe	powershell.exe
PID 3916 wrote to memory of 3904	3916	system32transmitter.exe	powershell.exe
PID 3916 wrote to memory of 4660	3916	system32transmitter.exe	powershell.exe
PID 3916 wrote to memory of 4660	3916	system32transmitter.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "system32transmitter.exe" & start "" "AnyDesk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe
"system32transmitter.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32transmitter.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32pdfc.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32pdfc.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
"AnyDesk.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe" --local-service
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe" --local-control
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
Filesize
5.1MB

MD5
aee6801792d67607f228be8cec8291f9

SHA1
bf6ba727ff14ca2fddf619f292d56db9d9088066

SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

SHA512
09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe
Filesize
73KB

MD5
864c37423bb1332bb4ae49b13da56cbc

SHA1
6a710197408e7e50e78b529e85499a364447fbd3

SHA256
d61cc856e397eccad395768e0046e54a1b2b32b580c358195206dcf3cd08da3c

SHA512
4dae0ee5c4dc08ca295e557a3aef27187a7b1db9bc9ec27445f83f06937c9c81ddd0974219df34d6556c0646685287997a97ec2702a3eaac433c985c7e976c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_utmclnjp.vfm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
7KB

MD5
6c61a5984935b4d5f15f95e47a92bb44

SHA1
59356971c573b7bfe4c52e19acc837e2597db19f

SHA256
41a3585fa2180e7074de79494bdf66b4230963cfde45a718db64812fc01aa825

SHA512
f3417f06ab5bd5167cd0ac5072068c8f0495437d5221e2882303629fd163361d067b6e995affbacccbcd612216dc17f925e995bb53c0b68a9b806fd9e12289c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
7KB

MD5
82ab52552ba52bdd035a7a123e85ff6c

SHA1
1ec86d61d37cad5b6ae9f13c35e2424a2558b594

SHA256
a69e699d702e03499c0cb348815c71e3427cb0e8d3eaf25cf303c0aa27f570cd

SHA512
ceaf71f25881685f68e6512a61d2b8fa39b72dce6a26a1dfda8e6d4085dc00d810fbdaccd0828a261db167812a09ff60e40009df6e4daf9a03a3c8327d2aaaae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
e9d78e6bacb0404390096bec7fed70d7

SHA1
4768ae2337edca3a73f229e70fdbebdcea764758

SHA256
28d14dd5ec7fc629465e6c64162fa444d14036e0a8a60db4116630e558f83196

SHA512
40728c4ed994a1090f0158bac31247eed33619e4b5fd0f012cdeee764ea21e3b03a00c4adcc18922697a6542ad57a5283762f8142b434d6b3ba23077ce70e63c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
9a4b754b555f2214725bee7fb688128a

SHA1
646a3aba6ff8dc47fff1b518a4be39c4aa386879

SHA256
52e148a8136c69f2a601540f156f7f71999da4fea1b70f3351adef651971a66a

SHA512
0aed026ef541d6840f34e0ea38306707f7be6da982ec12744df44e6ec7dce8b630ab4ae8c92fb734566aedd8460c10e4d2a31584e467a66b79a5c5774e35252e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
b52f9a7c7ab47195a568728ca5494244

SHA1
6352483077acb4aca83930d660c2d7a1a2f7ad88

SHA256
3c5de188f936a33a6b7a08b014cbf7cf2b5caa6e27f6cb6182c91ea73c13502a

SHA512
3f166cef146770fb72e68de6b4e90e8b8e287dc20abdc8a1e61c43df7586913f54eca025bfdec24a7743a945be82fa8e96d2731b1b0c5635c1300e5aaadd4992

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
a88eafafa6bbc9a15929e1714812faff

SHA1
f065d6166fc8cc82bf140e726aeef803f5732e17

SHA256
bae747f2064099f2ccf9d01587236c10aa8c32f74c165f506244342f567e037f

SHA512
440406208154c018a74541229ac2fb76c1956f2bd81513a9a5977e3094833d19361877057139400103cfa4fa2f8acdde7843b4686990d8c53fca1a059e437be9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
21951a6faf0f7c58c92b79a5f6c01958

SHA1
dfc56ac3e6e4f708a4a667b09be12cf77bc27adb

SHA256
55556e17e9cf6d5fb58586896e52a1e201321a16be107c76ee2db63d75e9fed0

SHA512
4626db72e868633bc6c5b28ad8035df198cd77b6c6d532f93a2ea73eabbc9e2a600ddd642617a8da3309b29cbfbef66f8e1524c834cf935d344a67dc245a49a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
1ef796e6e219bd254bbd52b7001978d1

SHA1
518056e4ea7f30e3f5dad59eae8fc53e1096c0e9

SHA256
8f66382123dfd417eb0c6e0faea343c21211ed1135424602ca630003245720a5

SHA512
f36471daa5e22e7fd965087fd737d701b3f74816e19109a885e96ed46d1c30b195dbd4ae6bd6927e56fe0638bb93e36dab89de83f2e791634f1851a93405f16b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
0fc8b40ff258a14b24ea774e01eb2e2d

SHA1
be50e7ee65bcedf13e3c507ed41383e4234529f3

SHA256
4b1432ca062d9a84b7293355c2f222ad9185b2ea1b884394d86f603d6350d17e

SHA512
4f4f975c1ce65af757f53d6d02bc2b5d9f05c1eab551376e0f5245c8e941734fb873fe2293bd3e604808373c4af2519b120f9819624647257c7596b68aba43e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
b017fae578e3960a52ae63fc55b3ae93

SHA1
9cce4c5867e477a5f2505c40b3ac7206e23c5d6b

SHA256
4aa1b416b8c987678d8d5f5e9f338fb4c47640e304f1178bb383899fefa7c201

SHA512
e620e27a373a9d504b8be389b1cb0e568fdbf599175366ea5617cf0ae49491e437d5a5b6946c0440b34ea35cb047a53ed822639f3fedf3c1eed8b7760a2a216b

Download Submit
memory/1408-94-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1408-27-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1408-268-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1408-399-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-193-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-200-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-93-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-431-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-412-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-26-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-405-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-150-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-398-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-306-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-281-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-158-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-278-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-267-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1428-225-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1500-217-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1500-15-0x0000000000554000-0x000000000178A000-memory.dmp

Filesize
18.2MB

Download
memory/1500-155-0x0000000000554000-0x000000000178A000-memory.dmp

Filesize
18.2MB

Download
memory/1500-13-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/1500-92-0x0000000000550000-0x0000000001C99000-memory.dmp

Filesize
23.3MB

Download
memory/2160-100-0x00000252F65C0000-0x00000252F65E2000-memory.dmp

Filesize
136KB

Download
memory/3916-10-0x0000000000FA0000-0x0000000000FB8000-memory.dmp

Filesize
96KB

Download
memory/3916-156-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download
memory/3916-9-0x00007FFE899C3000-0x00007FFE899C5000-memory.dmp

Filesize
8KB

Download
memory/3916-152-0x00007FFE899C3000-0x00007FFE899C5000-memory.dmp

Filesize
8KB

Download
memory/3916-91-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download