xworm | 4a643c8ac145763b7e4a9b410a5dcc3562faf0f2204ec0d2613833923628f419

Analysis

max time kernel
2315s
max time network
2336s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-05-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Krampus/Krampus/B1OdUv8CBH.exe
Size

18.8MB
MD5

c5df5afb4679cbea28de24ff9ed306a2
SHA1

fe968a913c1377f0e85cc4c95afa3129a2f9ae22
SHA256

a12756e652171e06da8133a7abe625316b3d352fc82ed8cf199f349b7de0c478
SHA512

a4ddb32c744da55829823feb140c2c48612d442459ec76daf7ec0459327e8422222a380c53802c15b298cf122f1f86fe2891b2bf04732ef764d62fb182cd7e70
SSDEEP

196608:EXi2sOT7HnJ+7CBgHcyCkaIH2kkoyhr5QXNDe6JaCPU8rblcRHrdcKZ5CRO2HACB:ci07we4+TB6zxJcRBdCrHxwwR

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/a1kmrNub

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001ab4f-6.dat	family_xworm
behavioral1/memory/4348-8-0x0000000000AB0000-0x0000000000AC8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1624	powershell.exe
2200	powershell.exe
3736	powershell.exe
4652	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	clientlol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	clientlol.exe

Executes dropped EXE 41 IoCs

pid	Process
4348	clientlol.exe
4384	KrampUI.exe
4620	svchost
2528	svchost
1484	svchost
4888	svchost
2576	svchost
4124	svchost
1020	svchost
3664	svchost
712	svchost
2408	svchost
4772	svchost
4108	svchost
3720	svchost
4924	svchost
4560	svchost
1056	svchost
4292	svchost
2212	svchost
1496	svchost
1112	svchost
2972	svchost
4696	svchost
4776	svchost
1548	svchost
2288	svchost
2716	svchost
4300	svchost
212	svchost
4576	svchost
1836	svchost
292	svchost
3220	svchost
3476	svchost
1884	svchost
4420	svchost
1280	svchost
2220	svchost
1288	svchost
3504	svchost

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost"	clientlol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
4	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2516	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4348	clientlol.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4652	powershell.exe
4652	powershell.exe
4652	powershell.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
2200	powershell.exe
2200	powershell.exe
2200	powershell.exe
3736	powershell.exe
3736	powershell.exe
3736	powershell.exe
4348	clientlol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4348	clientlol.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	clientlol.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeIncreaseQuotaPrivilege	4652	powershell.exe
Token: SeSecurityPrivilege	4652	powershell.exe
Token: SeTakeOwnershipPrivilege	4652	powershell.exe
Token: SeLoadDriverPrivilege	4652	powershell.exe
Token: SeSystemProfilePrivilege	4652	powershell.exe
Token: SeSystemtimePrivilege	4652	powershell.exe
Token: SeProfSingleProcessPrivilege	4652	powershell.exe
Token: SeIncBasePriorityPrivilege	4652	powershell.exe
Token: SeCreatePagefilePrivilege	4652	powershell.exe
Token: SeBackupPrivilege	4652	powershell.exe
Token: SeRestorePrivilege	4652	powershell.exe
Token: SeShutdownPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeSystemEnvironmentPrivilege	4652	powershell.exe
Token: SeRemoteShutdownPrivilege	4652	powershell.exe
Token: SeUndockPrivilege	4652	powershell.exe
Token: SeManageVolumePrivilege	4652	powershell.exe
Token: 33	4652	powershell.exe
Token: 34	4652	powershell.exe
Token: 35	4652	powershell.exe
Token: 36	4652	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeIncreaseQuotaPrivilege	1624	powershell.exe
Token: SeSecurityPrivilege	1624	powershell.exe
Token: SeTakeOwnershipPrivilege	1624	powershell.exe
Token: SeLoadDriverPrivilege	1624	powershell.exe
Token: SeSystemProfilePrivilege	1624	powershell.exe
Token: SeSystemtimePrivilege	1624	powershell.exe
Token: SeProfSingleProcessPrivilege	1624	powershell.exe
Token: SeIncBasePriorityPrivilege	1624	powershell.exe
Token: SeCreatePagefilePrivilege	1624	powershell.exe
Token: SeBackupPrivilege	1624	powershell.exe
Token: SeRestorePrivilege	1624	powershell.exe
Token: SeShutdownPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeSystemEnvironmentPrivilege	1624	powershell.exe
Token: SeRemoteShutdownPrivilege	1624	powershell.exe
Token: SeUndockPrivilege	1624	powershell.exe
Token: SeManageVolumePrivilege	1624	powershell.exe
Token: 33	1624	powershell.exe
Token: 34	1624	powershell.exe
Token: 35	1624	powershell.exe
Token: 36	1624	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe
Token: SeRestorePrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeSystemEnvironmentPrivilege	2200	powershell.exe
Token: SeRemoteShutdownPrivilege	2200	powershell.exe
Token: SeUndockPrivilege	2200	powershell.exe
Token: SeManageVolumePrivilege	2200	powershell.exe
Token: 33	2200	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4384	KrampUI.exe
4384	KrampUI.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4384	KrampUI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4348	clientlol.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 4348	360	B1OdUv8CBH.exe	75
PID 360 wrote to memory of 4348	360	B1OdUv8CBH.exe	75
PID 360 wrote to memory of 4384	360	B1OdUv8CBH.exe	76
PID 360 wrote to memory of 4384	360	B1OdUv8CBH.exe	76
PID 4348 wrote to memory of 4652	4348	clientlol.exe	78
PID 4348 wrote to memory of 4652	4348	clientlol.exe	78
PID 4348 wrote to memory of 1624	4348	clientlol.exe	81
PID 4348 wrote to memory of 1624	4348	clientlol.exe	81
PID 4348 wrote to memory of 2200	4348	clientlol.exe	83
PID 4348 wrote to memory of 2200	4348	clientlol.exe	83
PID 4348 wrote to memory of 3736	4348	clientlol.exe	85
PID 4348 wrote to memory of 3736	4348	clientlol.exe	85
PID 4348 wrote to memory of 2516	4348	clientlol.exe	87
PID 4348 wrote to memory of 2516	4348	clientlol.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\B1OdUv8CBH.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\B1OdUv8CBH.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:360
- C:\ProgramData\clientlol.exe
  "C:\ProgramData\clientlol.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\clientlol.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'clientlol.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3736
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
    3⤵
    - Creates scheduled task(s)
    PID:2516
- C:\ProgramData\KrampUI.exe
  "C:\ProgramData\KrampUI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4384

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4620

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2820

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1484

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4888

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:2576

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4124

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1020

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:3664

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:712

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:2408

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4772

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4108

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:3720

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4924

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4560

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1056

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4292

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:2212

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1496

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1112

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:2972

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4696

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4776

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1548

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:2288

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:2716

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4300

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:212

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4576

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1836

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:292

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:3220

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:3476

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1884

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:4420

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1280

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:2220

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:1288

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KrampUI.exe

Filesize
17.3MB

MD5
ec02c6962ff0994f0dbc06133cb32f28

SHA1
1084bbf4c67fea18b2dd0232ad196f97ea17438c

SHA256
9663260edf06c3b9116a649af4c9fffa22f1bb3811f3e73e0f8fd6e3ba997565

SHA512
8d00d5f21209bb7ffa24ee7717db4e9294c720a62d50ee416ab6e6e6520afde1d9cacc3c364c2c4d81d3eb565efba29f9e815d384774ba0de0671496952418f6

Download Submit
C:\ProgramData\clientlol.exe

Filesize
1.5MB

MD5
da4f713eda91ee257714127d761852a3

SHA1
5901870facef99c9c850b141e8f8339721e932e4

SHA256
9d27a2b70745480a42b83777ea3aa0399c63a55c6d9b699d67f1e95f7605ebe1

SHA512
9964eca29700aefa97febdbca4e829a64ec6fd050d49c720f04963fab831b528319c9b3b054f36093ef9dc7236a681fba02f1f988ec19194f124d7a75abcddf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d7ecaced85fb6e04bc6e6ec9a09ed922

SHA1
6683cce580d4dda55246bc1bded4104976fbaa76

SHA256
5f2580bb429041d723feda0004c907ffcc80b642ee506949c572b3ca1c7a8108

SHA512
49ffa8d08add58effd4dd2ec26e06cf98bcef2aa0b259e8e90eab4ad6eb8d1ffe9183f46341af939864fba14c1ae1e1d9436c280a2bc8f72e4c2637b35ddbc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddfc0ceb075e9ec86df50720f766e943

SHA1
a3daec5da65c9ef14a75da80333a76da905e42f7

SHA256
dd99890b994a34df0f4b1871ac4b72b94db25954e78a384965a59b873c6b6169

SHA512
5ade39621efa9f03783e23a7ed7bcb63723e370a24f1fb1041cf461c06cc75447163d7e450f0ce29b3054aaa41366b3e31a6a728efcd5b106a3a434836d5bc33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd3a8e3ccae2deffde7225f70a42e798

SHA1
f529a8ddd5921cbba263a9c16078fb8b490c6c2c

SHA256
3a03993a68659fcde8670d72599ce1b9cb6667953ef7f3a08930aaeb6602807a

SHA512
dfa3158f3dae7790cbb31b6ed4ad8d831be20cde7d6e48fe1cf4feedab3c4a24253d76fbc3729f79829f846eac29c95151d3ff27706abad6bbdb0264eb814b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uete5bj3.4nz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/360-1-0x0000000000920000-0x0000000001BEE000-memory.dmp

Filesize
18.8MB

Download
memory/360-0-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmp

Filesize
1.9MB

Download
memory/360-15-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmp

Filesize
1.9MB

Download
memory/4348-8-0x0000000000AB0000-0x0000000000AC8000-memory.dmp

Filesize
96KB

Download
memory/4348-16-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmp

Filesize
1.9MB

Download
memory/4348-195-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmp

Filesize
1.9MB

Download
memory/4348-196-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmp

Filesize
1.9MB

Download
memory/4348-7-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmp

Filesize
1.9MB

Download
memory/4652-24-0x0000021E59890000-0x0000021E59906000-memory.dmp

Filesize
472KB

Download
memory/4652-21-0x0000021E59310000-0x0000021E59332000-memory.dmp

Filesize
136KB

Download