xworm | 8367b712426af8646d6350d302a0cd406413fa9a2f28d1bde1df0236282a15ef

Resubmissions

20/02/2024, 17:31

240220-v341kscc7s 10

20/02/2024, 16:50

240220-vcd2gacc66 10

Analysis

max time kernel
1559s
max time network
1559s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

76KB
MD5

d3953f8988cf3b75478a3c8d103d1e1e
SHA1

19a8d8f0c06902af448800faf29761a5dba7344c
SHA256

8367b712426af8646d6350d302a0cd406413fa9a2f28d1bde1df0236282a15ef
SHA512

cb4436f73f4c7762c4fcc07947f4144b0e8ec8923ff8609532271cdc231f665c36369dc29f013712c90dabb77b960fec4babfc1cff912394fa1de0e53e8aec11
SSDEEP

1536:0hy4PT1ivp6kJ4pHbkQBh7Q4iMnMg6jOjUKHq:W0Q1bD5iWcOjtq

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

hydraforce-45677.portmap.io:45677

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/memory/1620-0-0x0000000000F30000-0x0000000000F4A000-memory.dmp	family_xworm
behavioral1/files/0x001000000001224d-60.dat	family_xworm
behavioral1/memory/2604-62-0x0000000001070000-0x000000000108A000-memory.dmp	family_xworm
behavioral1/memory/2988-70-0x0000000000370000-0x000000000038A000-memory.dmp	family_xworm
behavioral1/memory/2328-74-0x0000000000940000-0x000000000095A000-memory.dmp	family_xworm
behavioral1/memory/1752-78-0x0000000000F60000-0x0000000000F7A000-memory.dmp	family_xworm
behavioral1/memory/1752-91-0x000000001B400000-0x000000001B480000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Deletes itself 1 IoCs

pid	Process
872	cmd.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
2604	XClient.exe
1700	XClient.exe
2988	XClient.exe
2328	XClient.exe
1752	XClient.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
9	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
648	schtasks.exe
320	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2152	timeout.exe
2648	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1012	powershell.exe
2288	powershell.exe
2788	powershell.exe
2560	powershell.exe
1620	XClient.exe
280	powershell.exe
1924	powershell.exe
2440	powershell.exe
1964	powershell.exe
1752	XClient.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	XClient.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1620	XClient.exe
Token: SeDebugPrivilege	2604	XClient.exe
Token: SeDebugPrivilege	1700	XClient.exe
Token: SeDebugPrivilege	2988	XClient.exe
Token: SeDebugPrivilege	2328	XClient.exe
Token: SeDebugPrivilege	1752	XClient.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1752	XClient.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1620	XClient.exe
1752	XClient.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1012	1620	XClient.exe	29
PID 1620 wrote to memory of 1012	1620	XClient.exe	29
PID 1620 wrote to memory of 1012	1620	XClient.exe	29
PID 1620 wrote to memory of 2288	1620	XClient.exe	32
PID 1620 wrote to memory of 2288	1620	XClient.exe	32
PID 1620 wrote to memory of 2288	1620	XClient.exe	32
PID 1620 wrote to memory of 2788	1620	XClient.exe	34
PID 1620 wrote to memory of 2788	1620	XClient.exe	34
PID 1620 wrote to memory of 2788	1620	XClient.exe	34
PID 1620 wrote to memory of 2560	1620	XClient.exe	36
PID 1620 wrote to memory of 2560	1620	XClient.exe	36
PID 1620 wrote to memory of 2560	1620	XClient.exe	36
PID 1620 wrote to memory of 320	1620	XClient.exe	38
PID 1620 wrote to memory of 320	1620	XClient.exe	38
PID 1620 wrote to memory of 320	1620	XClient.exe	38
PID 1712 wrote to memory of 2604	1712	taskeng.exe	42
PID 1712 wrote to memory of 2604	1712	taskeng.exe	42
PID 1712 wrote to memory of 2604	1712	taskeng.exe	42
PID 1712 wrote to memory of 1700	1712	taskeng.exe	43
PID 1712 wrote to memory of 1700	1712	taskeng.exe	43
PID 1712 wrote to memory of 1700	1712	taskeng.exe	43
PID 1712 wrote to memory of 2988	1712	taskeng.exe	44
PID 1712 wrote to memory of 2988	1712	taskeng.exe	44
PID 1712 wrote to memory of 2988	1712	taskeng.exe	44
PID 1712 wrote to memory of 2328	1712	taskeng.exe	45
PID 1712 wrote to memory of 2328	1712	taskeng.exe	45
PID 1712 wrote to memory of 2328	1712	taskeng.exe	45
PID 1712 wrote to memory of 1752	1712	taskeng.exe	46
PID 1712 wrote to memory of 1752	1712	taskeng.exe	46
PID 1712 wrote to memory of 1752	1712	taskeng.exe	46
PID 1620 wrote to memory of 3044	1620	XClient.exe	47
PID 1620 wrote to memory of 3044	1620	XClient.exe	47
PID 1620 wrote to memory of 3044	1620	XClient.exe	47
PID 1620 wrote to memory of 872	1620	XClient.exe	49
PID 1620 wrote to memory of 872	1620	XClient.exe	49
PID 1620 wrote to memory of 872	1620	XClient.exe	49
PID 872 wrote to memory of 2152	872	cmd.exe	51
PID 872 wrote to memory of 2152	872	cmd.exe	51
PID 872 wrote to memory of 2152	872	cmd.exe	51
PID 1752 wrote to memory of 280	1752	XClient.exe	53
PID 1752 wrote to memory of 280	1752	XClient.exe	53
PID 1752 wrote to memory of 280	1752	XClient.exe	53
PID 1752 wrote to memory of 1924	1752	XClient.exe	56
PID 1752 wrote to memory of 1924	1752	XClient.exe	56
PID 1752 wrote to memory of 1924	1752	XClient.exe	56
PID 1752 wrote to memory of 2440	1752	XClient.exe	57
PID 1752 wrote to memory of 2440	1752	XClient.exe	57
PID 1752 wrote to memory of 2440	1752	XClient.exe	57
PID 1752 wrote to memory of 1964	1752	XClient.exe	59
PID 1752 wrote to memory of 1964	1752	XClient.exe	59
PID 1752 wrote to memory of 1964	1752	XClient.exe	59
PID 1752 wrote to memory of 648	1752	XClient.exe	61
PID 1752 wrote to memory of 648	1752	XClient.exe	61
PID 1752 wrote to memory of 648	1752	XClient.exe	61
PID 1752 wrote to memory of 2244	1752	XClient.exe	63
PID 1752 wrote to memory of 2244	1752	XClient.exe	63
PID 1752 wrote to memory of 2244	1752	XClient.exe	63
PID 1752 wrote to memory of 2628	1752	XClient.exe	65
PID 1752 wrote to memory of 2628	1752	XClient.exe	65
PID 1752 wrote to memory of 2628	1752	XClient.exe	65
PID 2628 wrote to memory of 2648	2628	cmd.exe	67
PID 2628 wrote to memory of 2648	2628	cmd.exe	67
PID 2628 wrote to memory of 2648	2628	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Creates scheduled task(s)
  PID:320
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
  2⤵
  PID:3044
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB03C.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2152

C:\Windows\system32\taskeng.exe
taskeng.exe {D32D9604-0967-4DDC-B715-C39614BE12E8} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Creates scheduled task(s)
    PID:648
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
    3⤵
    PID:2244
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp646E.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp646E.tmp.bat

Filesize
156B

MD5
7afcfbeccb1675d21d936460e7f29377

SHA1
c20798393c23bbb32c1aaa7cf98c08042ed30f78

SHA256
a9ec223e8152a0ace1cff8691bd6a59d0aa5bbd15537a7c118fedc81c57ef87b

SHA512
5ef39a09c0b13e73e4b00a73356f835dbd237cbc3d21e630f665aaa96f27a7d2e574c3d872f5468334a2e2e13fd0e9112e3b41eaa1639df8b11d55585977dea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB03C.tmp.bat

Filesize
159B

MD5
5cf0b3aa0f4c74dda2a4be278f7f6c76

SHA1
d3a62e782af47b56490199607caecd12b33ae64d

SHA256
dbdbe77b30a8d54868304467d964b5c216fc1efe2f84bd2d6381f37381ff59e5

SHA512
234ae4b96efe505f68f6e74f97a9e39290e0eeec2c4e46daf38c78a347dbcdba57d0070ad44123a4cebf4a28add81a4e05b1b0466e7776981a887d5e5f5757c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8f61ab250ea2efc10bfe53cf76b4f55e

SHA1
892a5ebb647a3e0738f15d277fbdfd847ec557d5

SHA256
fdce0fac205bd437ba2882f2c695d698136b86fcfe04ae83e8d142ea4006d4cc

SHA512
1dc5dacd4ce60516b8daf00c7e1d06a726608f2a6c8d474fbadcdd7966601045a76aec81df93edece9a7b42ac6c2e9d64e5cffcbb113c1c5ff3e3cf655e31f28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c337fb96086dac01ef8a790563780e62

SHA1
687b8fb067b07957c37335185851f89b907c3c4e

SHA256
e209839a92885cb0b8cc698905a08b57b39918741657ea22c51aa093b76c469c

SHA512
06e16afdabc036f476329dbd184a20eb0fa32cf83cee2282b840f3b9a7959929ab3c9d960e03f2d11bb592ed2bd6c65ca8ba857bbea5ee2b8437a4060ae27e75

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
76KB

MD5
d3953f8988cf3b75478a3c8d103d1e1e

SHA1
19a8d8f0c06902af448800faf29761a5dba7344c

SHA256
8367b712426af8646d6350d302a0cd406413fa9a2f28d1bde1df0236282a15ef

SHA512
cb4436f73f4c7762c4fcc07947f4144b0e8ec8923ff8609532271cdc231f665c36369dc29f013712c90dabb77b960fec4babfc1cff912394fa1de0e53e8aec11

Download Submit
memory/280-102-0x000007FEEE150000-0x000007FEEEAED000-memory.dmp

Filesize
9.6MB

Download
memory/280-101-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/280-100-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/280-99-0x000007FEEE150000-0x000007FEEEAED000-memory.dmp

Filesize
9.6MB

Download
memory/280-98-0x000007FEEE150000-0x000007FEEEAED000-memory.dmp

Filesize
9.6MB

Download
memory/1012-10-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1012-14-0x000007FEEE9E0000-0x000007FEEF37D000-memory.dmp

Filesize
9.6MB

Download
memory/1012-13-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1012-12-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1012-11-0x000007FEEE9E0000-0x000007FEEF37D000-memory.dmp

Filesize
9.6MB

Download
memory/1012-8-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1012-9-0x000007FEEE9E0000-0x000007FEEF37D000-memory.dmp

Filesize
9.6MB

Download
memory/1012-7-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1620-38-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-52-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/1620-1-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-2-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/1620-90-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-0-0x0000000000F30000-0x0000000000F4A000-memory.dmp

Filesize
104KB

Download
memory/1700-67-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/1700-68-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/1752-79-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/1752-113-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/1752-78-0x0000000000F60000-0x0000000000F7A000-memory.dmp

Filesize
104KB

Download
memory/1752-91-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/1924-114-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/1924-109-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/1924-110-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/1924-111-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/1924-115-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/1924-112-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/1924-108-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-25-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2288-28-0x000007FEEE040000-0x000007FEEE9DD000-memory.dmp

Filesize
9.6MB

Download
memory/2288-20-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2288-21-0x000007FEEE040000-0x000007FEEE9DD000-memory.dmp

Filesize
9.6MB

Download
memory/2288-22-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2288-23-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2288-24-0x000007FEEE040000-0x000007FEEE9DD000-memory.dmp

Filesize
9.6MB

Download
memory/2288-26-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2288-27-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2328-74-0x0000000000940000-0x000000000095A000-memory.dmp

Filesize
104KB

Download
memory/2328-75-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-76-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2560-48-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2560-50-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2560-53-0x0000000002A74000-0x0000000002A77000-memory.dmp

Filesize
12KB

Download
memory/2560-47-0x000007FEEE040000-0x000007FEEE9DD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-51-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2560-54-0x000007FEEE040000-0x000007FEEE9DD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-49-0x000007FEEE040000-0x000007FEEE9DD000-memory.dmp

Filesize
9.6MB

Download
memory/2604-63-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-64-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-62-0x0000000001070000-0x000000000108A000-memory.dmp

Filesize
104KB

Download
memory/2788-41-0x000007FEEE9E0000-0x000007FEEF37D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-34-0x000007FEEE9E0000-0x000007FEEF37D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-35-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2788-36-0x000007FEEE9E0000-0x000007FEEF37D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-37-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2788-39-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/2788-40-0x00000000029DB000-0x0000000002A42000-memory.dmp

Filesize
412KB

Download
memory/2988-72-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-71-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-70-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download