privateloader | 5fb96191ad7394700966c0854e3f1225b8b2989f528ce6993a747ff7a9cf2552

Resubmissions

08/05/2024, 18:11

240508-wsqkwage4w 10

08/05/2024, 18:07

240508-wqltxaah47 10

Analysis

max time kernel
143s
max time network
133s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

67KB
MD5

c9cd80d55733208fc06b8b52cddb52dc
SHA1

6cc60302d90e7d7661b5b194fa954efacba19d49
SHA256

5fb96191ad7394700966c0854e3f1225b8b2989f528ce6993a747ff7a9cf2552
SHA512

befca56bfce924e50c11f9d702ab2d6a6e05d55cd4399c4ac37891c1d337a43d05060f5cb9a1600fc4c172f7816fad14bc02e0c8d44eb82b55f61da4812cd0aa
SSDEEP

1536:n5ydgkcoaOOTxMH/W0WybZYgmH2r2i6urYiZOenvefZ3:FVxMfwybZ4rYXZOewZ3

Score

10^/10

privateloader xworm execution loader rat trojan

Malware Config

Extracted

Family

xworm

silver-bowl.gl.at.ply.gg:29206

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1948-1-0x0000000000150000-0x0000000000168000-memory.dmp	family_xworm

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2704	powershell.exe
2608	powershell.exe
2444	powershell.exe
2944	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\neglebase2003_2024-04-22-21-30-52_1713810652250.mp4	XClient.exe
File opened for modification	C:\Windows\neglebase2003_2024-04-22-21-30-52_1713810652250.mp4	vlc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2280	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	powershell.exe
2608	powershell.exe
2444	powershell.exe
2944	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2280	vlc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	XClient.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1948	XClient.exe
Token: 33	2280	vlc.exe
Token: SeIncBasePriorityPrivilege	2280	vlc.exe
Token: SeShutdownPrivilege	2216	LogonUI.exe
Token: SeShutdownPrivilege	2216	LogonUI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe
2280	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2280	vlc.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2704	1948	XClient.exe	29
PID 1948 wrote to memory of 2704	1948	XClient.exe	29
PID 1948 wrote to memory of 2704	1948	XClient.exe	29
PID 1948 wrote to memory of 2608	1948	XClient.exe	31
PID 1948 wrote to memory of 2608	1948	XClient.exe	31
PID 1948 wrote to memory of 2608	1948	XClient.exe	31
PID 1948 wrote to memory of 2444	1948	XClient.exe	33
PID 1948 wrote to memory of 2444	1948	XClient.exe	33
PID 1948 wrote to memory of 2444	1948	XClient.exe	33
PID 1948 wrote to memory of 2944	1948	XClient.exe	35
PID 1948 wrote to memory of 2944	1948	XClient.exe	35
PID 1948 wrote to memory of 2944	1948	XClient.exe	35
PID 1948 wrote to memory of 1292	1948	XClient.exe	40
PID 1948 wrote to memory of 1292	1948	XClient.exe	40
PID 1948 wrote to memory of 1292	1948	XClient.exe	40
PID 1292 wrote to memory of 2280	1292	cmd.exe	42
PID 1292 wrote to memory of 2280	1292	cmd.exe	42
PID 1292 wrote to memory of 2280	1292	cmd.exe	42
PID 1948 wrote to memory of 1864	1948	XClient.exe	44
PID 1948 wrote to memory of 1864	1948	XClient.exe	44
PID 1948 wrote to memory of 1864	1948	XClient.exe	44
PID 2708 wrote to memory of 2216	2708	csrss.exe	50
PID 2708 wrote to memory of 2216	2708	csrss.exe	50
PID 2596 wrote to memory of 2216	2596	winlogon.exe	50
PID 2596 wrote to memory of 2216	2596	winlogon.exe	50
PID 2596 wrote to memory of 2216	2596	winlogon.exe	50
PID 2708 wrote to memory of 2216	2708	csrss.exe	50
PID 2708 wrote to memory of 2216	2708	csrss.exe	50
PID 2708 wrote to memory of 2216	2708	csrss.exe	50
PID 2708 wrote to memory of 2216	2708	csrss.exe	50
PID 2708 wrote to memory of 2216	2708	csrss.exe	50
PID 2708 wrote to memory of 2216	2708	csrss.exe	50
PID 2708 wrote to memory of 2216	2708	csrss.exe	50
PID 2708 wrote to memory of 2216	2708	csrss.exe	50

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Windows\neglebase2003_2024-04-22-21-30-52_1713810652250.mp4"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\neglebase2003_2024-04-22-21-30-52_1713810652250.mp4"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2280
- C:\Windows\system32\shutdown.exe
  shutdown.exe -L
  2⤵
  PID:1864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1628

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SIOBV7WTGV5IMSML9U2B.temp

Filesize
7KB

MD5
0d65d1f96059a1a75418b30ce756317f

SHA1
552e3caaab94f85d5d2522d0dd7cbae98250236f

SHA256
ceb0620be4bb34fc797cb0797203dcd07103678e8c70cd99970817c5298adb72

SHA512
ea96f595792013a8ec2699481abfa04dc915b10dff873ca20f22131a87161a59ba41859e0f6978d12ec0e9bb2b0f614159bd5e857aece012c3c893621a2a936e

Download Submit
C:\Windows\neglebase2003_2024-04-22-21-30-52_1713810652250.mp4

Filesize
3.9MB

MD5
c9438e1e34c1d17b498118357d8bbf3b

SHA1
abe971743646b7b3dfcd838023625ca4ce65e250

SHA256
6cb9c3366de735f06857b2f9b61a42a8769f853bc26a30481c1e6251281a4d77

SHA512
432f7d23b91bab5ab5022ffb6da634ceffe82cf63460c08db4832e78aba772a6c359016710b83a5d542f5c088349b36dc1d9315918088fe7c1118c56261fa44f

Download Submit
memory/1948-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/1948-1-0x0000000000150000-0x0000000000168000-memory.dmp

Filesize
96KB

Download
memory/1948-2-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-31-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/1948-32-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-33-0x000000001C630000-0x000000001C6E0000-memory.dmp

Filesize
704KB

Download
memory/1948-405-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-85-0x000007FEE8D30000-0x000007FEE8D87000-memory.dmp

Filesize
348KB

Download
memory/2280-71-0x000007FEF1040000-0x000007FEF1051000-memory.dmp

Filesize
68KB

Download
memory/2280-56-0x000007FEF1A40000-0x000007FEF1A57000-memory.dmp

Filesize
92KB

Download
memory/2280-54-0x000007FEEA4A0000-0x000007FEEA754000-memory.dmp

Filesize
2.7MB

Download
memory/2280-61-0x000007FEF11D0000-0x000007FEF11E1000-memory.dmp

Filesize
68KB

Download
memory/2280-60-0x000007FEF11F0000-0x000007FEF120D000-memory.dmp

Filesize
116KB

Download
memory/2280-59-0x000007FEF1220000-0x000007FEF1231000-memory.dmp

Filesize
68KB

Download
memory/2280-58-0x000007FEF1A00000-0x000007FEF1A17000-memory.dmp

Filesize
92KB

Download
memory/2280-57-0x000007FEF1A20000-0x000007FEF1A31000-memory.dmp

Filesize
68KB

Download
memory/2280-62-0x000007FEEA2A0000-0x000007FEEA4A0000-memory.dmp

Filesize
2.0MB

Download
memory/2280-64-0x000007FEF1190000-0x000007FEF11CF000-memory.dmp

Filesize
252KB

Download
memory/2280-67-0x000007FEF1120000-0x000007FEF1131000-memory.dmp

Filesize
68KB

Download
memory/2280-66-0x000007FEF1140000-0x000007FEF1158000-memory.dmp

Filesize
96KB

Download
memory/2280-68-0x000007FEF1100000-0x000007FEF1111000-memory.dmp

Filesize
68KB

Download
memory/2280-65-0x000007FEF1160000-0x000007FEF1181000-memory.dmp

Filesize
132KB

Download
memory/2280-69-0x000007FEF1080000-0x000007FEF1091000-memory.dmp

Filesize
68KB

Download
memory/2280-79-0x000007FEEFBD0000-0x000007FEEFBE7000-memory.dmp

Filesize
92KB

Download
memory/2280-82-0x000007FEEFB60000-0x000007FEEFBA2000-memory.dmp

Filesize
264KB

Download
memory/2280-81-0x000007FEEFBB0000-0x000007FEEFBC2000-memory.dmp

Filesize
72KB

Download
memory/2280-80-0x000007FEE8F00000-0x000007FEE9070000-memory.dmp

Filesize
1.4MB

Download
memory/2280-83-0x000007FEEFB10000-0x000007FEEFB5C000-memory.dmp

Filesize
304KB

Download
memory/2280-78-0x000007FEE9070000-0x000007FEE91E8000-memory.dmp

Filesize
1.5MB

Download
memory/2280-77-0x000007FEF0150000-0x000007FEF01A6000-memory.dmp

Filesize
344KB

Download
memory/2280-63-0x000007FEE91F0000-0x000007FEEA29B000-memory.dmp

Filesize
16.7MB

Download
memory/2280-84-0x000007FEE8D90000-0x000007FEE8EFB000-memory.dmp

Filesize
1.4MB

Download
memory/2280-76-0x000007FEF1000000-0x000007FEF1011000-memory.dmp

Filesize
68KB

Download
memory/2280-75-0x000007FEF01B0000-0x000007FEF021F000-memory.dmp

Filesize
444KB

Download
memory/2280-52-0x000000013F9A0000-0x000000013FA98000-memory.dmp

Filesize
992KB

Download
memory/2280-74-0x000007FEF0220000-0x000007FEF0287000-memory.dmp

Filesize
412KB

Download
memory/2280-73-0x000007FEF0290000-0x000007FEF02C0000-memory.dmp

Filesize
192KB

Download
memory/2280-72-0x000007FEF1020000-0x000007FEF1038000-memory.dmp

Filesize
96KB

Download
memory/2280-55-0x000007FEF7B70000-0x000007FEF7B88000-memory.dmp

Filesize
96KB

Download
memory/2280-70-0x000007FEF1060000-0x000007FEF107B000-memory.dmp

Filesize
108KB

Download
memory/2280-86-0x000007FEE8AE0000-0x000007FEE8D2B000-memory.dmp

Filesize
2.3MB

Download
memory/2280-91-0x000007FEE7150000-0x000007FEE7166000-memory.dmp

Filesize
88KB

Download
memory/2280-90-0x000007FEE72E0000-0x000007FEE72F1000-memory.dmp

Filesize
68KB

Download
memory/2280-89-0x000007FEE7300000-0x000007FEE732F000-memory.dmp

Filesize
188KB

Download
memory/2280-88-0x000007FEFC080000-0x000007FEFC090000-memory.dmp

Filesize
64KB

Download
memory/2280-94-0x000007FEE6F90000-0x000007FEE6FF2000-memory.dmp

Filesize
392KB

Download
memory/2280-95-0x000007FEE6ED0000-0x000007FEE6F3D000-memory.dmp

Filesize
436KB

Download
memory/2280-93-0x000007FEE7000000-0x000007FEE7075000-memory.dmp

Filesize
468KB

Download
memory/2280-92-0x000007FEE7080000-0x000007FEE7145000-memory.dmp

Filesize
788KB

Download
memory/2280-99-0x000007FEE6910000-0x000007FEE6922000-memory.dmp

Filesize
72KB

Download
memory/2280-98-0x000007FEE6950000-0x000007FEE6961000-memory.dmp

Filesize
68KB

Download
memory/2280-101-0x000007FEE6970000-0x000007FEE6985000-memory.dmp

Filesize
84KB

Download
memory/2280-107-0x000007FEE5FF0000-0x000007FEE603E000-memory.dmp

Filesize
312KB

Download
memory/2280-109-0x000007FEE5F60000-0x000007FEE5F94000-memory.dmp

Filesize
208KB

Download
memory/2280-108-0x000007FEE5FA0000-0x000007FEE5FE3000-memory.dmp

Filesize
268KB

Download
memory/2280-87-0x000007FEE7330000-0x000007FEE8AE0000-memory.dmp

Filesize
23.7MB

Download
memory/2280-106-0x000007FEE62F0000-0x000007FEE6301000-memory.dmp

Filesize
68KB

Download
memory/2280-105-0x000007FEE6460000-0x000007FEE64E1000-memory.dmp

Filesize
516KB

Download
memory/2280-104-0x000007FEE64F0000-0x000007FEE6537000-memory.dmp

Filesize
284KB

Download
memory/2280-103-0x000007FEE6540000-0x000007FEE659D000-memory.dmp

Filesize
372KB

Download
memory/2280-102-0x000007FEE65A0000-0x000007FEE65B1000-memory.dmp

Filesize
68KB

Download
memory/2280-100-0x000007FEE6990000-0x000007FEE6B0A000-memory.dmp

Filesize
1.5MB

Download
memory/2280-97-0x000007FEE6B10000-0x000007FEE6B25000-memory.dmp

Filesize
84KB

Download
memory/2280-96-0x000007FEE6B30000-0x000007FEE6D4D000-memory.dmp

Filesize
2.1MB

Download
memory/2280-112-0x000007FEEA4A0000-0x000007FEEA754000-memory.dmp

Filesize
2.7MB

Download
memory/2280-53-0x000007FEF7C80000-0x000007FEF7CB4000-memory.dmp

Filesize
208KB

Download
memory/2608-15-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2608-16-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2704-7-0x0000000002EE0000-0x0000000002F60000-memory.dmp

Filesize
512KB

Download
memory/2704-8-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2704-9-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download