xworm | 67346337782fbd66c3b5f77e9a873a5078f5936625848ebee8b592c715daf7f3

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 23:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Krampus_V1.0.3.exe
Size

7.6MB
MD5

8720aba46da0b8648491f6d074647618
SHA1

ab1e7f51c8dd4e686d498a394c184339fefc10cc
SHA256

67346337782fbd66c3b5f77e9a873a5078f5936625848ebee8b592c715daf7f3
SHA512

095596fcfdca3f9141c13e41a39ed0e59486d1d3824b14de6639af6ed32e634ef0fad6f4d50fc5a184059d5897d440e86a082d9b944b7b01a9a6bdbde9f066ac
SSDEEP

196608:NMt+dnIdHWxdKHoYOeXRihlWu8YgoPIM:NMt+uoxmomX8hlzgOIM

Score

10^/10

xworm persistence rat trojan upx

Malware Config

Extracted

Family

xworm

north-untitled.gl.at.ply.gg:29298

Attributes

Install_directory
%Userprofile%
install_file
discord.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012328-44.dat	family_xworm
behavioral1/memory/2180-46-0x0000000000210000-0x0000000000252000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	XClient.exe

Executes dropped EXE 7 IoCs

pid	Process
2180	XClient.exe
800	Built.exe
1676	Built.exe
1200	Process not Found
1724	discord.exe
2460	discord.exe
1960	discord.exe

Loads dropped DLL 3 IoCs

pid	Process
2100	Krampus_V1.0.3.exe
1676	Built.exe
1200	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001565d-92.dat	upx
behavioral1/memory/1676-94-0x000007FEF1C70000-0x000007FEF2260000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\System32\\test.bat"	Krampus_V1.0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Windows\\System32\\XClient.exe"	Krampus_V1.0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Windows\\System32\\Built.exe"	Krampus_V1.0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\discord.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\Built.exe	Krampus_V1.0.3.exe
File opened for modification	C:\Windows\System32\Built.exe	Krampus_V1.0.3.exe
File created	C:\Windows\System32\test.bat	Krampus_V1.0.3.exe
File opened for modification	C:\Windows\System32\test.bat	Krampus_V1.0.3.exe
File created	C:\Windows\System32\XClient.exe	Krampus_V1.0.3.exe
File opened for modification	C:\Windows\System32\XClient.exe	Krampus_V1.0.3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1220	schtasks.exe
1284	schtasks.exe
2376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2956	powershell.exe
2728	powershell.exe
2948	powershell.exe
1512	powershell.exe
3008	powershell.exe
2036	powershell.exe
2124	powershell.exe
2180	XClient.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2180	XClient.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2180	XClient.exe
Token: SeDebugPrivilege	1724	discord.exe
Token: SeDebugPrivilege	2460	discord.exe
Token: SeDebugPrivilege	1960	discord.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2180	XClient.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2956	2100	Krampus_V1.0.3.exe	28
PID 2100 wrote to memory of 2956	2100	Krampus_V1.0.3.exe	28
PID 2100 wrote to memory of 2956	2100	Krampus_V1.0.3.exe	28
PID 2100 wrote to memory of 2260	2100	Krampus_V1.0.3.exe	30
PID 2100 wrote to memory of 2260	2100	Krampus_V1.0.3.exe	30
PID 2100 wrote to memory of 2260	2100	Krampus_V1.0.3.exe	30
PID 2100 wrote to memory of 2728	2100	Krampus_V1.0.3.exe	32
PID 2100 wrote to memory of 2728	2100	Krampus_V1.0.3.exe	32
PID 2100 wrote to memory of 2728	2100	Krampus_V1.0.3.exe	32
PID 2100 wrote to memory of 2376	2100	Krampus_V1.0.3.exe	34
PID 2100 wrote to memory of 2376	2100	Krampus_V1.0.3.exe	34
PID 2100 wrote to memory of 2376	2100	Krampus_V1.0.3.exe	34
PID 2100 wrote to memory of 2180	2100	Krampus_V1.0.3.exe	36
PID 2100 wrote to memory of 2180	2100	Krampus_V1.0.3.exe	36
PID 2100 wrote to memory of 2180	2100	Krampus_V1.0.3.exe	36
PID 2100 wrote to memory of 2948	2100	Krampus_V1.0.3.exe	37
PID 2100 wrote to memory of 2948	2100	Krampus_V1.0.3.exe	37
PID 2100 wrote to memory of 2948	2100	Krampus_V1.0.3.exe	37
PID 2100 wrote to memory of 1220	2100	Krampus_V1.0.3.exe	39
PID 2100 wrote to memory of 1220	2100	Krampus_V1.0.3.exe	39
PID 2100 wrote to memory of 1220	2100	Krampus_V1.0.3.exe	39
PID 2100 wrote to memory of 800	2100	Krampus_V1.0.3.exe	41
PID 2100 wrote to memory of 800	2100	Krampus_V1.0.3.exe	41
PID 2100 wrote to memory of 800	2100	Krampus_V1.0.3.exe	41
PID 800 wrote to memory of 1676	800	Built.exe	42
PID 800 wrote to memory of 1676	800	Built.exe	42
PID 800 wrote to memory of 1676	800	Built.exe	42
PID 2180 wrote to memory of 1512	2180	XClient.exe	44
PID 2180 wrote to memory of 1512	2180	XClient.exe	44
PID 2180 wrote to memory of 1512	2180	XClient.exe	44
PID 2180 wrote to memory of 3008	2180	XClient.exe	46
PID 2180 wrote to memory of 3008	2180	XClient.exe	46
PID 2180 wrote to memory of 3008	2180	XClient.exe	46
PID 2180 wrote to memory of 2036	2180	XClient.exe	48
PID 2180 wrote to memory of 2036	2180	XClient.exe	48
PID 2180 wrote to memory of 2036	2180	XClient.exe	48
PID 2180 wrote to memory of 2124	2180	XClient.exe	50
PID 2180 wrote to memory of 2124	2180	XClient.exe	50
PID 2180 wrote to memory of 2124	2180	XClient.exe	50
PID 2180 wrote to memory of 1284	2180	XClient.exe	52
PID 2180 wrote to memory of 1284	2180	XClient.exe	52
PID 2180 wrote to memory of 1284	2180	XClient.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Krampus_V1.0.3.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus_V1.0.3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.bat'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Windows\System32\test.bat" "
  2⤵
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "XClient" /SC ONLOGON /TR "C:\Windows\System32\XClient.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2376
- C:\Windows\System32\XClient.exe
  "C:\Windows\System32\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\discord.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\discord.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1220
- C:\Windows\System32\Built.exe
  "C:\Windows\System32\Built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\System32\Built.exe
    "C:\Windows\System32\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1676

C:\Windows\system32\taskeng.exe
taskeng.exe {8AB5856C-1356-4782-A6F6-6AC7480DBBE5} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
PID:1340
- C:\Users\Admin\discord.exe
  C:\Users\Admin\discord.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Users\Admin\discord.exe
  C:\Users\Admin\discord.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Users\Admin\discord.exe
  C:\Users\Admin\discord.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI8002\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c45d3096621a44718c479fb930176970

SHA1
8ac666c2723eb6f5e2da94f8ee72a38a410a62bf

SHA256
7dde0895711c914560c5cc81c39ff6af830c20635f39a5f8d5ae6f8a8cac5402

SHA512
764252eabda572d7287d63d380ce743cfa3ea59155326355b43f32dad93424c7c291dba5ff7974bb6f9985b01bb09277b657541d1ba33ebbe212aaea27e82406

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GMS5GFTD4VDUCYT0ITE7.temp

Filesize
7KB

MD5
af19e046f1336421b54224ee21f45e35

SHA1
7511a75358774e9a7881623532d129775c3b3a8e

SHA256
f11554652231aa442cf0822f1cd444cb71fa7920c9b7cf9f0762d7f204700cad

SHA512
e7ffc1c2ac368a405fe010aaba4054878bbf3998594da24c142978cb4dc76af828104922059b0e7110f797d0f617ddf0dc400e25869f91a61382df99b767aa8c

Download Submit
C:\Windows\System32\XClient.exe

Filesize
242KB

MD5
7bd5abbfcd57e7565e7778bf1157b816

SHA1
a5785d5dae2bb92978f277a4f68e7e682ac4834b

SHA256
6b7bfe55c3d4223bb868889fd56c5518fbc3784f6f1d96605c38943cfe004a85

SHA512
d8ad281a2e8a8c4d84d90f2b7d57846733889c280ceccfa20c2a0053e7dfc16a1783621942b0e1032e5b273fe4bec1a0627c52831128eff878a15f2b84eddfdf

Download Submit
C:\Windows\System32\test.bat

Filesize
435B

MD5
40f36b839af3aad8887e3cfe758efab8

SHA1
2d60ce25bf47ce4c4969cd73bd204491a3e2d18e

SHA256
c9650c17cca714b78e175479a9d9bcf2b6d01629d00418fc2f2b9167563ecb1d

SHA512
13ee91dde3b5c6920fc94df15e1d37f66f009a3b5d770fc747d7000a8c4d5091dddaf642b3f1edf01e3ac7f63b652576525401a801c6e4f7621860070f667f8c

Download Submit
\Windows\System32\Built.exe

Filesize
7.4MB

MD5
7e312ac869e50b5847ff56eab59567d2

SHA1
3bcefc87de994260931ac94760e6b478696048be

SHA256
5a77b59bd2f5486fbb176fe7c7e8cc478419247c142e5ea7db8d14966bccb5af

SHA512
fb9a3658a636644d2df12c2ca1d6f399c84e571491a0dab888d798e5b9ccfb648e077cb90dfbffd5ad24f85441fafc1bb887b160263a2d53577c5db1adf892ee

Download Submit
memory/1512-128-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/1512-126-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/1512-129-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/1512-130-0x000007FEED230000-0x000007FEEDBCD000-memory.dmp

Filesize
9.6MB

Download
memory/1512-127-0x000007FEED230000-0x000007FEEDBCD000-memory.dmp

Filesize
9.6MB

Download
memory/1512-124-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1512-125-0x000007FEED230000-0x000007FEEDBCD000-memory.dmp

Filesize
9.6MB

Download
memory/1676-94-0x000007FEF1C70000-0x000007FEF2260000-memory.dmp

Filesize
5.9MB

Download
memory/2036-156-0x000007FEED230000-0x000007FEEDBCD000-memory.dmp

Filesize
9.6MB

Download
memory/2036-153-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2036-150-0x000007FEED230000-0x000007FEEDBCD000-memory.dmp

Filesize
9.6MB

Download
memory/2036-151-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2036-152-0x000007FEED230000-0x000007FEEDBCD000-memory.dmp

Filesize
9.6MB

Download
memory/2036-154-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2036-155-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2100-1-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-60-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-0-0x0000000000EA0000-0x0000000001638000-memory.dmp

Filesize
7.6MB

Download
memory/2100-82-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-15-0x000000001C3F0000-0x000000001C470000-memory.dmp

Filesize
512KB

Download
memory/2124-164-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2124-167-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2124-162-0x000007FEEC890000-0x000007FEED22D000-memory.dmp

Filesize
9.6MB

Download
memory/2124-165-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2124-163-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2124-166-0x000007FEEC890000-0x000007FEED22D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-118-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2180-136-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/2180-95-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/2180-53-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2180-46-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/2728-35-0x000007FEEDAC0000-0x000007FEEE45D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-31-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2728-32-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2728-34-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2728-33-0x000007FEEDAC0000-0x000007FEEE45D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-39-0x000007FEEDAC0000-0x000007FEEE45D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-36-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2728-38-0x0000000002C8B000-0x0000000002CF2000-memory.dmp

Filesize
412KB

Download
memory/2728-37-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2948-59-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/2948-57-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/2948-58-0x000007FEF18C0000-0x000007FEF225D000-memory.dmp

Filesize
9.6MB

Download
memory/2948-61-0x000007FEF18C0000-0x000007FEF225D000-memory.dmp

Filesize
9.6MB

Download
memory/2948-54-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/2948-55-0x000007FEF18C0000-0x000007FEF225D000-memory.dmp

Filesize
9.6MB

Download
memory/2948-56-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/2956-13-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2956-11-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2956-6-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/2956-7-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2956-8-0x000007FEF18C0000-0x000007FEF225D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-9-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2956-10-0x000007FEF18C0000-0x000007FEF225D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-12-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/2956-14-0x000007FEF18C0000-0x000007FEF225D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-141-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/3008-137-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/3008-138-0x000007FEEC890000-0x000007FEED22D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-139-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/3008-143-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/3008-142-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/3008-144-0x000007FEEC890000-0x000007FEED22D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-140-0x000007FEEC890000-0x000007FEED22D000-memory.dmp

Filesize
9.6MB

Download