xworm | ef5cb311599cd04871fa56f516e56af8da03d605013367021d99e1af0db876f1

Analysis

max time kernel
1565s
max time network
1564s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

41KB
MD5

4a85a8fd8d30e43227a2eeafb180b649
SHA1

89c5f32f587eaf749c6b8fc4eaaf890bc0ff6928
SHA256

ef5cb311599cd04871fa56f516e56af8da03d605013367021d99e1af0db876f1
SHA512

1a48b86c97ad617839169601cb149b7d823ebfe07b59537c46934a57cb74e067ee36f1365f8dd568364b8fd6c899eecb1023fcaeb4f38715a1e17dda9a8906a7
SSDEEP

768:nNreDweeLOoHdSgDder3XvggggQLJF5PG9pmOH6vOwhp3Euzl:n4DweQldSgDIjXvvggCFI9A46vOwLNp

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

maximum-meet.gl.at.ply.gg:1675

Mutex

9LQBHUPAUEJEhUPH

Attributes

Install_directory
%Temp%
install_file
blacked.exe

aes.plain

Signatures

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral1/memory/2752-0-0x0000000000A90000-0x0000000000AA0000-memory.dmp	family_xworm
behavioral1/files/0x000c0000000122b8-59.dat	family_xworm
behavioral1/memory/1108-61-0x0000000000FF0000-0x0000000001000000-memory.dmp	family_xworm
behavioral1/memory/1660-71-0x0000000000030000-0x0000000000040000-memory.dmp	family_xworm
behavioral1/memory/1536-75-0x0000000000150000-0x0000000000160000-memory.dmp	family_xworm
behavioral1/memory/2076-79-0x0000000001090000-0x00000000010A0000-memory.dmp	family_xworm
behavioral1/memory/1808-84-0x00000000012C0000-0x00000000012D0000-memory.dmp	family_xworm
behavioral1/memory/2740-88-0x0000000001320000-0x0000000001330000-memory.dmp	family_xworm
behavioral1/memory/2852-92-0x0000000000260000-0x0000000000270000-memory.dmp	family_xworm
behavioral1/memory/1516-96-0x0000000001010000-0x0000000001020000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\blacked.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\blacked.lnk	XClient.exe

Executes dropped EXE 19 IoCs

pid	Process
1108	blacked.exe
992	blacked.exe
2648	blacked.exe
1660	blacked.exe
1536	blacked.exe
2076	blacked.exe
1808	blacked.exe
2740	blacked.exe
2852	blacked.exe
1516	blacked.exe
960	blacked.exe
2240	blacked.exe
2728	blacked.exe
1864	blacked.exe
2340	blacked.exe
1036	blacked.exe
1752	blacked.exe
2608	peioia.exe
2452	blacked.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\blacked = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blacked.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1968	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2412	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2716	powershell.exe
2468	powershell.exe
2484	powershell.exe
2840	powershell.exe
2752	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2752	XClient.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	XClient.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2752	XClient.exe
Token: SeDebugPrivilege	1108	blacked.exe
Token: SeDebugPrivilege	992	blacked.exe
Token: SeDebugPrivilege	2648	blacked.exe
Token: SeDebugPrivilege	1660	blacked.exe
Token: SeDebugPrivilege	1536	blacked.exe
Token: SeDebugPrivilege	2076	blacked.exe
Token: SeDebugPrivilege	1808	blacked.exe
Token: SeDebugPrivilege	2740	blacked.exe
Token: SeDebugPrivilege	2852	blacked.exe
Token: SeDebugPrivilege	1516	blacked.exe
Token: SeDebugPrivilege	960	blacked.exe
Token: SeDebugPrivilege	2240	blacked.exe
Token: SeDebugPrivilege	2728	blacked.exe
Token: SeDebugPrivilege	1864	blacked.exe
Token: SeDebugPrivilege	2340	blacked.exe
Token: SeDebugPrivilege	1036	blacked.exe
Token: SeDebugPrivilege	1752	blacked.exe
Token: 33	2600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2600	AUDIODG.EXE
Token: 33	2600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2600	AUDIODG.EXE
Token: SeDebugPrivilege	2452	blacked.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2752	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2716	2752	XClient.exe	29
PID 2752 wrote to memory of 2716	2752	XClient.exe	29
PID 2752 wrote to memory of 2716	2752	XClient.exe	29
PID 2752 wrote to memory of 2468	2752	XClient.exe	31
PID 2752 wrote to memory of 2468	2752	XClient.exe	31
PID 2752 wrote to memory of 2468	2752	XClient.exe	31
PID 2752 wrote to memory of 2484	2752	XClient.exe	33
PID 2752 wrote to memory of 2484	2752	XClient.exe	33
PID 2752 wrote to memory of 2484	2752	XClient.exe	33
PID 2752 wrote to memory of 2840	2752	XClient.exe	35
PID 2752 wrote to memory of 2840	2752	XClient.exe	35
PID 2752 wrote to memory of 2840	2752	XClient.exe	35
PID 2752 wrote to memory of 1968	2752	XClient.exe	37
PID 2752 wrote to memory of 1968	2752	XClient.exe	37
PID 2752 wrote to memory of 1968	2752	XClient.exe	37
PID 1364 wrote to memory of 1108	1364	taskeng.exe	42
PID 1364 wrote to memory of 1108	1364	taskeng.exe	42
PID 1364 wrote to memory of 1108	1364	taskeng.exe	42
PID 1364 wrote to memory of 992	1364	taskeng.exe	43
PID 1364 wrote to memory of 992	1364	taskeng.exe	43
PID 1364 wrote to memory of 992	1364	taskeng.exe	43
PID 1364 wrote to memory of 2648	1364	taskeng.exe	44
PID 1364 wrote to memory of 2648	1364	taskeng.exe	44
PID 1364 wrote to memory of 2648	1364	taskeng.exe	44
PID 1364 wrote to memory of 1660	1364	taskeng.exe	45
PID 1364 wrote to memory of 1660	1364	taskeng.exe	45
PID 1364 wrote to memory of 1660	1364	taskeng.exe	45
PID 1364 wrote to memory of 1536	1364	taskeng.exe	46
PID 1364 wrote to memory of 1536	1364	taskeng.exe	46
PID 1364 wrote to memory of 1536	1364	taskeng.exe	46
PID 1364 wrote to memory of 2076	1364	taskeng.exe	47
PID 1364 wrote to memory of 2076	1364	taskeng.exe	47
PID 1364 wrote to memory of 2076	1364	taskeng.exe	47
PID 1364 wrote to memory of 1808	1364	taskeng.exe	48
PID 1364 wrote to memory of 1808	1364	taskeng.exe	48
PID 1364 wrote to memory of 1808	1364	taskeng.exe	48
PID 1364 wrote to memory of 2740	1364	taskeng.exe	49
PID 1364 wrote to memory of 2740	1364	taskeng.exe	49
PID 1364 wrote to memory of 2740	1364	taskeng.exe	49
PID 1364 wrote to memory of 2852	1364	taskeng.exe	50
PID 1364 wrote to memory of 2852	1364	taskeng.exe	50
PID 1364 wrote to memory of 2852	1364	taskeng.exe	50
PID 1364 wrote to memory of 1516	1364	taskeng.exe	51
PID 1364 wrote to memory of 1516	1364	taskeng.exe	51
PID 1364 wrote to memory of 1516	1364	taskeng.exe	51
PID 1364 wrote to memory of 960	1364	taskeng.exe	52
PID 1364 wrote to memory of 960	1364	taskeng.exe	52
PID 1364 wrote to memory of 960	1364	taskeng.exe	52
PID 1364 wrote to memory of 2240	1364	taskeng.exe	54
PID 1364 wrote to memory of 2240	1364	taskeng.exe	54
PID 1364 wrote to memory of 2240	1364	taskeng.exe	54
PID 1364 wrote to memory of 2728	1364	taskeng.exe	55
PID 1364 wrote to memory of 2728	1364	taskeng.exe	55
PID 1364 wrote to memory of 2728	1364	taskeng.exe	55
PID 1364 wrote to memory of 1864	1364	taskeng.exe	56
PID 1364 wrote to memory of 1864	1364	taskeng.exe	56
PID 1364 wrote to memory of 1864	1364	taskeng.exe	56
PID 1364 wrote to memory of 2340	1364	taskeng.exe	57
PID 1364 wrote to memory of 2340	1364	taskeng.exe	57
PID 1364 wrote to memory of 2340	1364	taskeng.exe	57
PID 1364 wrote to memory of 1036	1364	taskeng.exe	58
PID 1364 wrote to memory of 1036	1364	taskeng.exe	58
PID 1364 wrote to memory of 1036	1364	taskeng.exe	58
PID 1364 wrote to memory of 1752	1364	taskeng.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\blacked.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'blacked.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "blacked" /tr "C:\Users\Admin\AppData\Local\Temp\blacked.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\peioia.exe
  "C:\Users\Admin\AppData\Local\Temp\peioia.exe"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "blacked"
  2⤵
  PID:320
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp99B1.tmp.bat""
  2⤵
  - Deletes itself
  PID:2496
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2412

C:\Windows\system32\taskeng.exe
taskeng.exe {46205943-EE33-4618-B6F2-B42D228376F0} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\blacked.exe
  C:\Users\Admin\AppData\Local\Temp\blacked.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2452

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\blacked.exe

Filesize
41KB

MD5
4a85a8fd8d30e43227a2eeafb180b649

SHA1
89c5f32f587eaf749c6b8fc4eaaf890bc0ff6928

SHA256
ef5cb311599cd04871fa56f516e56af8da03d605013367021d99e1af0db876f1

SHA512
1a48b86c97ad617839169601cb149b7d823ebfe07b59537c46934a57cb74e067ee36f1365f8dd568364b8fd6c899eecb1023fcaeb4f38715a1e17dda9a8906a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\peioia.exe

Filesize
131KB

MD5
bd65d387482def1fe00b50406f731763

SHA1
d06a2ba2e29228f443f97d1dd3a8da5dd7df5903

SHA256
1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997

SHA512
351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99B1.tmp.bat

Filesize
159B

MD5
6478aeed49a7bec6b3cda3d05da59c88

SHA1
04fd04f792a77dfc7e61372348e5131807d03ebf

SHA256
ef349acd4687a37ddd305afef584d4b3db0235dcf6141bd1079331a6ab524d45

SHA512
40846704a1f6200eafa0119595c429dbfe60a7c0123376fedecbfdde6b9314c9154d0c7598ded03f803c7a2399b52c3b0afd48b0bb831f5a8898c424150c198b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eee42946d3ffdb78256c34f66a0414e5

SHA1
70a1c3ece03328ef4628769d42eba9b5aa7c78b1

SHA256
e8a3509d57876b0c5924130058a14f4620487cd32ae16ea03639e34186c88030

SHA512
88907d49b55518bfe60788fd43776adc145c58ac2832eabbd592ab3661edb50f1504f3a6361e205e1c9638ef1ab7151a11226430dc12e1ea0549714d43aeca13

Download Submit
memory/992-65-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/992-66-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1108-61-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1108-62-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1108-63-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1516-96-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/1516-97-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1516-98-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1536-75-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/1536-77-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1536-76-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1660-71-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/1660-73-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1660-72-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1808-85-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1808-84-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/1808-86-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2076-79-0x0000000001090000-0x00000000010A0000-memory.dmp

Filesize
64KB

Download
memory/2076-80-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2076-81-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2468-25-0x000007FEEDFD0000-0x000007FEEE96D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-29-0x000007FEEDFD0000-0x000007FEEE96D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-21-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2468-24-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2468-23-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2468-22-0x000007FEEDFD0000-0x000007FEEE96D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-26-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2468-27-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2468-28-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2484-37-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2484-38-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2484-36-0x000007FEEE970000-0x000007FEEF30D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-40-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2484-41-0x000007FEEE970000-0x000007FEEF30D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-68-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2648-69-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-14-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2716-12-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2716-7-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2716-10-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2716-9-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2716-8-0x000007FEEE970000-0x000007FEEF30D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-15-0x000007FEEE970000-0x000007FEEF30D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-11-0x000007FEEE970000-0x000007FEEF30D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-13-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2740-90-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-89-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-88-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/2752-35-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-0-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2752-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-39-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2752-82-0x0000000002260000-0x000000000226C000-memory.dmp

Filesize
48KB

Download
memory/2752-2-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2752-99-0x0000000002270000-0x000000000227A000-memory.dmp

Filesize
40KB

Download
memory/2840-49-0x000007FEEDFD0000-0x000007FEEE96D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-48-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2840-51-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2840-47-0x000007FEEDFD0000-0x000007FEEE96D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-50-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2840-52-0x000007FEEDFD0000-0x000007FEEE96D000-memory.dmp

Filesize
9.6MB

Download
memory/2852-93-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-94-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-92-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download