xred | 9e7941617c8e7b5d263ed2162065068f42d8dc731e99414af86c98b3437280a8

Analysis

max time kernel
138s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
Size

3.6MB
MD5

65148287e777ca29acce1801f8822bcf
SHA1

625ea171729a3a2508fb80175009b4c989b2d480
SHA256

9e7941617c8e7b5d263ed2162065068f42d8dc731e99414af86c98b3437280a8
SHA512

a22321b47f309909e37d318f3925068ed53abbbdfd06f70571f23ee8feaf32ea1016db32ebf04d0bd075cc199492bfc16249dc3405c14cf0321cfde0f27cda8b
SSDEEP

98304:DKNOFADb/dvWGkOU/jIEeQfoR/IuOFVjUu5:DKNOOkFIF0wu

Score

10^/10

xred xworm backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

issues-tgp.gl.at.ply.gg:42158

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 11 IoCs

resource	yara_rule
behavioral1/memory/1972-26-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/1972-28-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/1972-27-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/files/0x0008000000019261-35.dat	family_xworm
behavioral1/memory/2776-53-0x0000000000070000-0x00000000000E2000-memory.dmp	family_xworm
behavioral1/memory/1400-80-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/576-89-0x0000000000EE0000-0x0000000000F52000-memory.dmp	family_xworm
behavioral1/memory/1400-134-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/1400-133-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/1400-135-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/1400-163-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2776	._cache_2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
2600	Synaptics.exe
1400	Synaptics.exe
576	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
1400	Synaptics.exe
1400	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2600 set thread context of 1400	2600	Synaptics.exe	37

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2104	Powershell.exe
2116	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2664	EXCEL.EXE
2776	._cache_2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2104	Powershell.exe
2116	Powershell.exe
2776	._cache_2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	Powershell.exe
Token: SeDebugPrivilege	2116	Powershell.exe
Token: SeDebugPrivilege	2776	._cache_2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
Token: SeDebugPrivilege	576	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	EXCEL.EXE
2776	._cache_2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2104	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	30
PID 2528 wrote to memory of 2104	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	30
PID 2528 wrote to memory of 2104	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	30
PID 2528 wrote to memory of 2104	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	30
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 2528 wrote to memory of 1972	2528	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	32
PID 1972 wrote to memory of 2776	1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	33
PID 1972 wrote to memory of 2776	1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	33
PID 1972 wrote to memory of 2776	1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	33
PID 1972 wrote to memory of 2776	1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	33
PID 1972 wrote to memory of 2600	1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	34
PID 1972 wrote to memory of 2600	1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	34
PID 1972 wrote to memory of 2600	1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	34
PID 1972 wrote to memory of 2600	1972	2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe	34
PID 2600 wrote to memory of 2116	2600	Synaptics.exe	35
PID 2600 wrote to memory of 2116	2600	Synaptics.exe	35
PID 2600 wrote to memory of 2116	2600	Synaptics.exe	35
PID 2600 wrote to memory of 2116	2600	Synaptics.exe	35
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 2600 wrote to memory of 1400	2600	Synaptics.exe	37
PID 1400 wrote to memory of 576	1400	Synaptics.exe	38
PID 1400 wrote to memory of 576	1400	Synaptics.exe	38
PID 1400 wrote to memory of 576	1400	Synaptics.exe	38
PID 1400 wrote to memory of 576	1400	Synaptics.exe	38

C:\Users\Admin\AppData\Local\Temp\2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2776
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\ProgramData\Synaptics\Synaptics.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
      4⤵
      Drops startup file
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2116
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:576

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.6MB

MD5
65148287e777ca29acce1801f8822bcf

SHA1
625ea171729a3a2508fb80175009b4c989b2d480

SHA256
9e7941617c8e7b5d263ed2162065068f42d8dc731e99414af86c98b3437280a8

SHA512
a22321b47f309909e37d318f3925068ed53abbbdfd06f70571f23ee8feaf32ea1016db32ebf04d0bd075cc199492bfc16249dc3405c14cf0321cfde0f27cda8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfkxwAib.xlsm

Filesize
25KB

MD5
384ca086a715bda5763a9ca6685eec25

SHA1
35672b9f56869f6b01b8b9d21e17c03b7470920d

SHA256
2173ea990bb18aa9c844ef11e3a9e163466c21759a3e2137673014079f5a06d6

SHA512
18d23eab9f20d0e18eb90f04c9ac44c896da03255810e9b64ad37732cf8178ade8b2a72d359a80864e7d32e397245c423bd04bf7e4021089a4a16c78c41ec063

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfkxwAib.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bf06078f9fec1f313e48406d017aad10

SHA1
3fae878e377064172f2e026745c119813752fac9

SHA256
68544e191b4d64b70ace12340c481892cfa64b6891fca10e818ced524e08e1a7

SHA512
6e66e093b40c71a692ccea7fa94696c3a7e69a0ca8dead72c9cae241bf6874e0af7eff6a334d4f60b011ee9dbde0b1d7a24eba5782072785ef785c10099f620d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2024-11-06_65148287e777ca29acce1801f8822bcf_avoslocker_hijackloader_luca-stealer.exe

Filesize
434KB

MD5
c8d371d5f37793d6437cdecefce8d1e9

SHA1
c344fcdeb8b8c7fd02d4038fbac4df57af2a5366

SHA256
f2f39f6812a7535788e413d48e36f950f9f03673ca3b01297cba81414c388d01

SHA512
1e34c91a581db0ad7fa619ea2881bdf776f26a21db59ef56af6e84117bf7ad40e623211b2b8294eded5dc136ca434fee59b891ac0cc9aaadd85e5c0eeb476976

Download Submit
memory/576-89-0x0000000000EE0000-0x0000000000F52000-memory.dmp

Filesize
456KB

Download
memory/1400-163-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1400-135-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1400-133-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1400-134-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1400-80-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1400-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1972-14-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1972-28-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1972-23-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1972-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1972-20-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1972-18-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1972-12-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1972-27-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1972-13-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1972-16-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1972-26-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2104-10-0x000000006FB10000-0x00000000700BB000-memory.dmp

Filesize
5.7MB

Download
memory/2104-8-0x000000006FB10000-0x00000000700BB000-memory.dmp

Filesize
5.7MB

Download
memory/2104-6-0x000000006FB11000-0x000000006FB12000-memory.dmp

Filesize
4KB

Download
memory/2104-7-0x000000006FB10000-0x00000000700BB000-memory.dmp

Filesize
5.7MB

Download
memory/2104-34-0x000000006FB10000-0x00000000700BB000-memory.dmp

Filesize
5.7MB

Download
memory/2104-9-0x000000006FB10000-0x00000000700BB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-0-0x00000000741AE000-0x00000000741AF000-memory.dmp

Filesize
4KB

Download
memory/2528-31-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2528-11-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2528-3-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2528-2-0x0000000005080000-0x00000000051C6000-memory.dmp

Filesize
1.3MB

Download
memory/2528-1-0x00000000009A0000-0x0000000000D46000-memory.dmp

Filesize
3.6MB

Download
memory/2600-55-0x0000000000CC0000-0x0000000001066000-memory.dmp

Filesize
3.6MB

Download
memory/2664-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2776-53-0x0000000000070000-0x00000000000E2000-memory.dmp

Filesize
456KB

Download