xworm | 67346337782fbd66c3b5f77e9a873a5078f5936625848ebee8b592c715daf7f3

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Krampus V1.0.3.exe
Size

7.6MB
MD5

8720aba46da0b8648491f6d074647618
SHA1

ab1e7f51c8dd4e686d498a394c184339fefc10cc
SHA256

67346337782fbd66c3b5f77e9a873a5078f5936625848ebee8b592c715daf7f3
SHA512

095596fcfdca3f9141c13e41a39ed0e59486d1d3824b14de6639af6ed32e634ef0fad6f4d50fc5a184059d5897d440e86a082d9b944b7b01a9a6bdbde9f066ac
SSDEEP

196608:NMt+dnIdHWxdKHoYOeXRihlWu8YgoPIM:NMt+uoxmomX8hlzgOIM

Score

10^/10

xworm persistence rat trojan upx

Malware Config

Extracted

Family

xworm

north-untitled.gl.at.ply.gg:29298

Attributes

Install_directory
%Userprofile%
install_file
discord.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014a94-43.dat	family_xworm
behavioral1/memory/2764-45-0x0000000000870000-0x00000000008B2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	XClient.exe

Executes dropped EXE 4 IoCs

pid	Process
2764	XClient.exe
1252	Built.exe
1832	Built.exe
1396	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
2804	Krampus V1.0.3.exe
1832	Built.exe
1396	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016c90-87.dat	upx
behavioral1/memory/1832-90-0x000007FEF1E70000-0x000007FEF2460000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\System32\\test.bat"	Krampus V1.0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Windows\\System32\\XClient.exe"	Krampus V1.0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Windows\\System32\\Built.exe"	Krampus V1.0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\discord.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\test.bat	Krampus V1.0.3.exe
File opened for modification	C:\Windows\System32\test.bat	Krampus V1.0.3.exe
File created	C:\Windows\System32\XClient.exe	Krampus V1.0.3.exe
File opened for modification	C:\Windows\System32\XClient.exe	Krampus V1.0.3.exe
File created	C:\Windows\System32\Built.exe	Krampus V1.0.3.exe
File opened for modification	C:\Windows\System32\Built.exe	Krampus V1.0.3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2552	schtasks.exe
1412	schtasks.exe
1536	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2496	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1896	powershell.exe
2460	powershell.exe
2388	powershell.exe
800	powershell.exe
2420	powershell.exe
2596	powershell.exe
1072	powershell.exe
2764	XClient.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2764	XClient.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2764	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	XClient.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1896	2804	Krampus V1.0.3.exe	28
PID 2804 wrote to memory of 1896	2804	Krampus V1.0.3.exe	28
PID 2804 wrote to memory of 1896	2804	Krampus V1.0.3.exe	28
PID 2804 wrote to memory of 2528	2804	Krampus V1.0.3.exe	30
PID 2804 wrote to memory of 2528	2804	Krampus V1.0.3.exe	30
PID 2804 wrote to memory of 2528	2804	Krampus V1.0.3.exe	30
PID 2804 wrote to memory of 2460	2804	Krampus V1.0.3.exe	31
PID 2804 wrote to memory of 2460	2804	Krampus V1.0.3.exe	31
PID 2804 wrote to memory of 2460	2804	Krampus V1.0.3.exe	31
PID 2804 wrote to memory of 2552	2804	Krampus V1.0.3.exe	34
PID 2804 wrote to memory of 2552	2804	Krampus V1.0.3.exe	34
PID 2804 wrote to memory of 2552	2804	Krampus V1.0.3.exe	34
PID 2804 wrote to memory of 2764	2804	Krampus V1.0.3.exe	36
PID 2804 wrote to memory of 2764	2804	Krampus V1.0.3.exe	36
PID 2804 wrote to memory of 2764	2804	Krampus V1.0.3.exe	36
PID 2804 wrote to memory of 2388	2804	Krampus V1.0.3.exe	37
PID 2804 wrote to memory of 2388	2804	Krampus V1.0.3.exe	37
PID 2804 wrote to memory of 2388	2804	Krampus V1.0.3.exe	37
PID 2804 wrote to memory of 1412	2804	Krampus V1.0.3.exe	39
PID 2804 wrote to memory of 1412	2804	Krampus V1.0.3.exe	39
PID 2804 wrote to memory of 1412	2804	Krampus V1.0.3.exe	39
PID 2804 wrote to memory of 1252	2804	Krampus V1.0.3.exe	41
PID 2804 wrote to memory of 1252	2804	Krampus V1.0.3.exe	41
PID 2804 wrote to memory of 1252	2804	Krampus V1.0.3.exe	41
PID 1252 wrote to memory of 1832	1252	Built.exe	42
PID 1252 wrote to memory of 1832	1252	Built.exe	42
PID 1252 wrote to memory of 1832	1252	Built.exe	42
PID 2764 wrote to memory of 800	2764	XClient.exe	44
PID 2764 wrote to memory of 800	2764	XClient.exe	44
PID 2764 wrote to memory of 800	2764	XClient.exe	44
PID 2764 wrote to memory of 2420	2764	XClient.exe	46
PID 2764 wrote to memory of 2420	2764	XClient.exe	46
PID 2764 wrote to memory of 2420	2764	XClient.exe	46
PID 2764 wrote to memory of 2596	2764	XClient.exe	48
PID 2764 wrote to memory of 2596	2764	XClient.exe	48
PID 2764 wrote to memory of 2596	2764	XClient.exe	48
PID 2764 wrote to memory of 1072	2764	XClient.exe	50
PID 2764 wrote to memory of 1072	2764	XClient.exe	50
PID 2764 wrote to memory of 1072	2764	XClient.exe	50
PID 2764 wrote to memory of 1536	2764	XClient.exe	52
PID 2764 wrote to memory of 1536	2764	XClient.exe	52
PID 2764 wrote to memory of 1536	2764	XClient.exe	52
PID 2764 wrote to memory of 2616	2764	XClient.exe	56
PID 2764 wrote to memory of 2616	2764	XClient.exe	56
PID 2764 wrote to memory of 2616	2764	XClient.exe	56
PID 2764 wrote to memory of 2564	2764	XClient.exe	58
PID 2764 wrote to memory of 2564	2764	XClient.exe	58
PID 2764 wrote to memory of 2564	2764	XClient.exe	58
PID 2564 wrote to memory of 2496	2564	cmd.exe	60
PID 2564 wrote to memory of 2496	2564	cmd.exe	60
PID 2564 wrote to memory of 2496	2564	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.3.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.bat'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Windows\System32\test.bat" "
  2⤵
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "XClient" /SC ONLOGON /TR "C:\Windows\System32\XClient.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2552
- C:\Windows\System32\XClient.exe
  "C:\Windows\System32\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\discord.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\discord.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1536
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "discord"
    3⤵
    PID:2616
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3208.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1412
- C:\Windows\System32\Built.exe
  "C:\Windows\System32\Built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\System32\Built.exe
    "C:\Windows\System32\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI12522\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3208.tmp.bat

Filesize
145B

MD5
a69732b479e547dcae9a109db86c9448

SHA1
f4e0c91914c743b5e5ad7bffbb54e60e71b9694b

SHA256
8267252e6aa97d053e92df26f9bdf85c8f80c4d8e29ed8c876aa5cf7521e5c07

SHA512
06fd4e3b4d64ee3d0ab4c9a00e895b200897491dd6d47f23be1d1040e1fbbf9e7329dafb583e4266eb639c75532fbd4f351b9a1ec53487b3fd93c25eccc7e8d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
403d0994778c1db58c3b94abff86a194

SHA1
2bc1468f1d03eb0347d9874495509f6851ea3dbf

SHA256
f47dab29042763776c288650c407d071291259c3bc99785390db64f53be0ec31

SHA512
1ea790863017f131ba224b203cff9b1d4a281e8a5bff87e903db8ff0d505586b290ee3c3db0cef5956e6d02804855deaf40e1326db4b1e1d94d38a1af1ed0da1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c8714b23ab109867eb11bfa5c7567e03

SHA1
cb4dfd9d8f1809df91c5579eb0a069cefcc1c2e7

SHA256
999275f7792f1118c63afda79239752ad85218333b334e5c6e38f3ca5a67f9d7

SHA512
91ef29f76430def39dbb28d51d3c0fc8a683c9e35955ab2bfc0c4010c5ead12d43e21fd6636c824422c72642349052beb203123017b44e5387626b131e845a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aa123fb5605d4fd562f0863d1d943d6e

SHA1
3eccb2567d69e5c19c6d79b490ae17b0db1b16ac

SHA256
66e9954a94214b377c2d7333383016ff97bb68fc7bf9e024d562fb87ac2a9af3

SHA512
934fc6457fa67780f54c5eda8d5934b6a1171a7c05b9b0f28d0ffc1671b87bc401c9bd51f3747994706b6c070cd40df671da8151040c9382e337a5bda758f00a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YTDYGSK7VDOBKY2YX82W.temp

Filesize
7KB

MD5
7fc6e8ee5116e04a71ceb06e462615b8

SHA1
f5e3593b03aedb8ea7862a9f7f9278ff57fd3369

SHA256
0f5390f7400e393a7580260f57b2950e12b79bc5dd4f9c30a4cbde22353672e1

SHA512
045426f26efb208326446a17ef6d9f7cb0d4f9b9a54f3eae1766b30e9dea2cd1f48c5837155b67e40210f79b0e0a5295c602c1bc7cab2b73d508bed6575e56c1

Download Submit
C:\Windows\System32\Built.exe

Filesize
5.9MB

MD5
467f008fa75fa239d1ccc9d1e3e7b867

SHA1
f339ecb9972da4b71146f9cd672025725bef4d53

SHA256
0707f66c17bd5ea314704d35bf1f85f3dfbedc4821d963739cd25227e11f7e39

SHA512
cb73f1b7073df084c86831bc6cc5ee9ee621152fc405907c9530d1f3801624b24f471671076e24741e42fa0095799b20507dc52589237eac6f2d341700264cff

Download Submit
C:\Windows\System32\Built.exe

Filesize
5.8MB

MD5
65e2de6c7fba98b7a145c5f5e7018eaa

SHA1
8d3722f1fe79eaf55b4a5624143da0d317be4488

SHA256
5ad044d72cece9f78282d6b26f96f3505dc64601d5d6256165cdf7a9bbae9b8c

SHA512
265e801ed35535f3919b18bf490ed080a26a13468422308445ba7ae5db1042b5f1da3809fb38d849aeead9dbf689494a8b7332c465d37855a2968ef143105925

Download Submit
C:\Windows\System32\XClient.exe

Filesize
242KB

MD5
7bd5abbfcd57e7565e7778bf1157b816

SHA1
a5785d5dae2bb92978f277a4f68e7e682ac4834b

SHA256
6b7bfe55c3d4223bb868889fd56c5518fbc3784f6f1d96605c38943cfe004a85

SHA512
d8ad281a2e8a8c4d84d90f2b7d57846733889c280ceccfa20c2a0053e7dfc16a1783621942b0e1032e5b273fe4bec1a0627c52831128eff878a15f2b84eddfdf

Download Submit
C:\Windows\System32\test.bat

Filesize
435B

MD5
40f36b839af3aad8887e3cfe758efab8

SHA1
2d60ce25bf47ce4c4969cd73bd204491a3e2d18e

SHA256
c9650c17cca714b78e175479a9d9bcf2b6d01629d00418fc2f2b9167563ecb1d

SHA512
13ee91dde3b5c6920fc94df15e1d37f66f009a3b5d770fc747d7000a8c4d5091dddaf642b3f1edf01e3ac7f63b652576525401a801c6e4f7621860070f667f8c

Download Submit
\Windows\System32\Built.exe

Filesize
6.4MB

MD5
5e3dc58f3e6fdefed0067cd28e489e9a

SHA1
a056293c89509016cb599dd613141b6a4ef971dd

SHA256
839f8f85fb4b8fcbe14745c625b26113fc01bf1a6566369f86c0242c1b149239

SHA512
89e359fe91f2c19bf995f5c6cd131c46f72a346d8f7bfc9ce9eb3f70c7db165376258f6fa3cd097f520cd3b2d9b209ac40cfa04c00562b9f0e00090bb2a01c49

Download Submit
memory/800-104-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/800-100-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/800-103-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/800-101-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/800-99-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/800-105-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/800-106-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/800-102-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/1072-165-0x0000000002080000-0x0000000002100000-memory.dmp

Filesize
512KB

Download
memory/1072-160-0x0000000002080000-0x0000000002100000-memory.dmp

Filesize
512KB

Download
memory/1072-162-0x000007FEED0E0000-0x000007FEEDA7D000-memory.dmp

Filesize
9.6MB

Download
memory/1072-164-0x0000000002080000-0x0000000002100000-memory.dmp

Filesize
512KB

Download
memory/1072-163-0x0000000002080000-0x0000000002100000-memory.dmp

Filesize
512KB

Download
memory/1072-159-0x000007FEED0E0000-0x000007FEEDA7D000-memory.dmp

Filesize
9.6MB

Download
memory/1072-166-0x000007FEED0E0000-0x000007FEEDA7D000-memory.dmp

Filesize
9.6MB

Download
memory/1832-90-0x000007FEF1E70000-0x000007FEF2460000-memory.dmp

Filesize
5.9MB

Download
memory/1896-14-0x000007FEF1AC0000-0x000007FEF245D000-memory.dmp

Filesize
9.6MB

Download
memory/1896-8-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/1896-6-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1896-7-0x000007FEF1AC0000-0x000007FEF245D000-memory.dmp

Filesize
9.6MB

Download
memory/1896-9-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1896-10-0x000007FEF1AC0000-0x000007FEF245D000-memory.dmp

Filesize
9.6MB

Download
memory/1896-13-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1896-11-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1896-12-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2388-52-0x000007FEF1AC0000-0x000007FEF245D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-56-0x0000000002B3B000-0x0000000002BA2000-memory.dmp

Filesize
412KB

Download
memory/2388-53-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2388-55-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2388-57-0x000007FEF1AC0000-0x000007FEF245D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-140-0x000007FEED0E0000-0x000007FEEDA7D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-114-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2420-119-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2420-115-0x000007FEED0E0000-0x000007FEEDA7D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-118-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2420-116-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2420-112-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2420-113-0x000007FEED0E0000-0x000007FEEDA7D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-37-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2460-38-0x000007FEEE310000-0x000007FEEECAD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-31-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2460-33-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/2460-32-0x000007FEEE310000-0x000007FEEECAD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-34-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2460-36-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2460-35-0x000007FEEE310000-0x000007FEEECAD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-151-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2596-147-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2596-148-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-149-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2596-150-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2596-146-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-152-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-91-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/2764-161-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/2764-117-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-46-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-45-0x0000000000870000-0x00000000008B2000-memory.dmp

Filesize
264KB

Download
memory/2764-182-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-0-0x00000000003C0000-0x0000000000B58000-memory.dmp

Filesize
7.6MB

Download
memory/2804-88-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-54-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-15-0x000000001C1F0000-0x000000001C270000-memory.dmp

Filesize
512KB

Download
memory/2804-1-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download