3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm RAT V2.1.exe
Size

335KB
MD5

2e01c152b22c13fb946c204b6875a2d8
SHA1

20f7a049f779623a11b4fbfb300c1f7a380fb33b
SHA256

3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5
SHA512

80dc80d22ecb90d3c58c40e112de882548a1d933937d851993af4e6a92746900283770bd09d88047bd79fa053600113d1f9bb42a6af5beefe00b3ee15d4e7310
SSDEEP

6144:MEbVUO1x/5bTgVziHzZnSKrCbYMJAbB8+q:lr/5/gVziHlBrCbYx83

Score

10^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1476	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	5cnlvye2.qfe.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	XWorm RAT V2.1.exe
1728	XWorm RAT V2.1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Tasks\MasonXWorm RAT V2.1.exe	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MasonXWorm RAT V2.1.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	SCHTASKS.exe
832	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe
2880	5cnlvye2.qfe.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	XWorm RAT V2.1.exe
Token: SeDebugPrivilege	2880	5cnlvye2.qfe.exe
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: SeAuditPrivilege	844	svchost.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: 33	1728	XWorm RAT V2.1.exe
Token: SeIncBasePriorityPrivilege	1728	XWorm RAT V2.1.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1156	Explorer.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2880	1728	XWorm RAT V2.1.exe	30
PID 1728 wrote to memory of 2880	1728	XWorm RAT V2.1.exe	30
PID 1728 wrote to memory of 2880	1728	XWorm RAT V2.1.exe	30
PID 1728 wrote to memory of 2692	1728	XWorm RAT V2.1.exe	31
PID 1728 wrote to memory of 2692	1728	XWorm RAT V2.1.exe	31
PID 1728 wrote to memory of 2692	1728	XWorm RAT V2.1.exe	31
PID 2880 wrote to memory of 428	2880	5cnlvye2.qfe.exe	5
PID 2880 wrote to memory of 472	2880	5cnlvye2.qfe.exe	6
PID 2880 wrote to memory of 488	2880	5cnlvye2.qfe.exe	7
PID 2880 wrote to memory of 496	2880	5cnlvye2.qfe.exe	8
PID 2880 wrote to memory of 604	2880	5cnlvye2.qfe.exe	9
PID 2880 wrote to memory of 680	2880	5cnlvye2.qfe.exe	10
PID 2880 wrote to memory of 764	2880	5cnlvye2.qfe.exe	11
PID 2880 wrote to memory of 816	2880	5cnlvye2.qfe.exe	12
PID 2880 wrote to memory of 844	2880	5cnlvye2.qfe.exe	13
PID 2880 wrote to memory of 972	2880	5cnlvye2.qfe.exe	15
PID 2880 wrote to memory of 268	2880	5cnlvye2.qfe.exe	16
PID 2880 wrote to memory of 1056	2880	5cnlvye2.qfe.exe	17
PID 2880 wrote to memory of 1064	2880	5cnlvye2.qfe.exe	18
PID 2880 wrote to memory of 1076	2880	5cnlvye2.qfe.exe	19
PID 2880 wrote to memory of 1132	2880	5cnlvye2.qfe.exe	20
PID 2880 wrote to memory of 1156	2880	5cnlvye2.qfe.exe	21
PID 2880 wrote to memory of 1460	2880	5cnlvye2.qfe.exe	23
PID 2880 wrote to memory of 756	2880	5cnlvye2.qfe.exe	24
PID 2880 wrote to memory of 1636	2880	5cnlvye2.qfe.exe	25
PID 2880 wrote to memory of 1348	2880	5cnlvye2.qfe.exe	26
PID 2880 wrote to memory of 1336	2880	5cnlvye2.qfe.exe	27
PID 2880 wrote to memory of 1728	2880	5cnlvye2.qfe.exe	29
PID 2880 wrote to memory of 2692	2880	5cnlvye2.qfe.exe	31
PID 2880 wrote to memory of 2944	2880	5cnlvye2.qfe.exe	32
PID 1728 wrote to memory of 832	1728	XWorm RAT V2.1.exe	33
PID 1728 wrote to memory of 832	1728	XWorm RAT V2.1.exe	33
PID 1728 wrote to memory of 832	1728	XWorm RAT V2.1.exe	33
PID 2880 wrote to memory of 832	2880	5cnlvye2.qfe.exe	33
PID 488 wrote to memory of 1728	488	lsass.exe	29
PID 488 wrote to memory of 1728	488	lsass.exe	29
PID 488 wrote to memory of 1728	488	lsass.exe	29
PID 488 wrote to memory of 1728	488	lsass.exe	29
PID 488 wrote to memory of 1728	488	lsass.exe	29
PID 488 wrote to memory of 1728	488	lsass.exe	29
PID 488 wrote to memory of 1728	488	lsass.exe	29
PID 488 wrote to memory of 1728	488	lsass.exe	29
PID 488 wrote to memory of 1728	488	lsass.exe	29
PID 1728 wrote to memory of 1476	1728	XWorm RAT V2.1.exe	35
PID 1728 wrote to memory of 1476	1728	XWorm RAT V2.1.exe	35
PID 1728 wrote to memory of 1476	1728	XWorm RAT V2.1.exe	35
PID 2880 wrote to memory of 1476	2880	5cnlvye2.qfe.exe	35
PID 2880 wrote to memory of 1476	2880	5cnlvye2.qfe.exe	35
PID 2880 wrote to memory of 2412	2880	5cnlvye2.qfe.exe	36
PID 604 wrote to memory of 2904	604	svchost.exe	37
PID 604 wrote to memory of 2904	604	svchost.exe	37
PID 604 wrote to memory of 2904	604	svchost.exe	37
PID 2880 wrote to memory of 2904	2880	5cnlvye2.qfe.exe	37
PID 2880 wrote to memory of 2904	2880	5cnlvye2.qfe.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:472
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1460
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1636
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2904
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:764
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1076
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:268
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1056
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1064
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1132
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1348
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1156
- C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\5cnlvye2.qfe.exe
    "C:\Users\Admin\AppData\Local\Temp\5cnlvye2.qfe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
- - C:\Windows\system32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXWorm RAT V2.1.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2692
- - C:\Windows\system32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXWorm RAT V2.1.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:832
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe" "XWorm RAT V2.1.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "167330616110470542747751242852138961389-576144245-9305128211927009174-546250813"
1⤵
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12403077031490306382-270776768-1609568627-1765432269-50893739519625901111912000183"
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5cnlvye2.qfe.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
memory/268-65-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/268-63-0x0000000000DA0000-0x0000000000DCB000-memory.dmp

Filesize
172KB

Download
memory/268-64-0x000007FEBEFA0000-0x000007FEBEFB0000-memory.dmp

Filesize
64KB

Download
memory/428-14-0x00000000002E0000-0x0000000000305000-memory.dmp

Filesize
148KB

Download
memory/428-18-0x0000000000310000-0x000000000033B000-memory.dmp

Filesize
172KB

Download
memory/428-81-0x00000000772D1000-0x00000000772D2000-memory.dmp

Filesize
4KB

Download
memory/428-21-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/428-19-0x000007FEBEFA0000-0x000007FEBEFB0000-memory.dmp

Filesize
64KB

Download
memory/428-73-0x0000000000310000-0x000000000033B000-memory.dmp

Filesize
172KB

Download
memory/472-205-0x00000000002E0000-0x000000000030B000-memory.dmp

Filesize
172KB

Download
memory/472-79-0x00000000002E0000-0x000000000030B000-memory.dmp

Filesize
172KB

Download
memory/472-67-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/472-20-0x00000000002E0000-0x000000000030B000-memory.dmp

Filesize
172KB

Download
memory/472-23-0x000007FEBEFA0000-0x000007FEBEFB0000-memory.dmp

Filesize
64KB

Download
memory/472-24-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/488-30-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/488-206-0x0000000000100000-0x000000000012B000-memory.dmp

Filesize
172KB

Download
memory/488-29-0x000007FEBEFA0000-0x000007FEBEFB0000-memory.dmp

Filesize
64KB

Download
memory/488-90-0x0000000000100000-0x000000000012B000-memory.dmp

Filesize
172KB

Download
memory/488-28-0x0000000000100000-0x000000000012B000-memory.dmp

Filesize
172KB

Download
memory/680-207-0x00000000003F0000-0x000000000041B000-memory.dmp

Filesize
172KB

Download
memory/680-51-0x000007FEBEFA0000-0x000007FEBEFB0000-memory.dmp

Filesize
64KB

Download
memory/680-50-0x00000000003F0000-0x000000000041B000-memory.dmp

Filesize
172KB

Download
memory/680-52-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/680-100-0x00000000003F0000-0x000000000041B000-memory.dmp

Filesize
172KB

Download
memory/816-107-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/816-55-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/816-56-0x000007FEBEFA0000-0x000007FEBEFB0000-memory.dmp

Filesize
64KB

Download
memory/816-57-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/816-208-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/844-60-0x000007FEBEFA0000-0x000007FEBEFB0000-memory.dmp

Filesize
64KB

Download
memory/844-59-0x0000000000C70000-0x0000000000C9B000-memory.dmp

Filesize
172KB

Download
memory/844-61-0x00000000372C0000-0x00000000372D0000-memory.dmp

Filesize
64KB

Download
memory/844-117-0x0000000000C70000-0x0000000000C9B000-memory.dmp

Filesize
172KB

Download
memory/844-209-0x0000000000C70000-0x0000000000C9B000-memory.dmp

Filesize
172KB

Download
memory/1728-202-0x000000001A740000-0x000000001A74E000-memory.dmp

Filesize
56KB

Download
memory/1728-203-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/1728-0-0x000007FEF5DF3000-0x000007FEF5DF4000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x0000000000940000-0x000000000099A000-memory.dmp

Filesize
360KB

Download
memory/1728-2-0x0000000000560000-0x000000000058C000-memory.dmp

Filesize
176KB

Download
memory/1728-232-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/2880-11-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2880-54-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2880-204-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2880-12-0x0000000077060000-0x000000007717F000-memory.dmp

Filesize
1.1MB

Download
memory/2880-13-0x0000000077281000-0x0000000077382000-memory.dmp

Filesize
1.0MB

Download