xred | 45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
Size

5.6MB
MD5

8c0620caca03f0d3e587d2259beaa902
SHA1

245fc23d0ea9ead68c55d0dd3eb2f9ed8014b500
SHA256

45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2
SHA512

3dc69cae634c8737e9bf80cb5cf726130a0ca22daf9babf30fb54ad86536b1334be05545b691cafdd4b8b8aec4e7770e5f73ae5262bafca13cf6f9f9d6648e4c
SSDEEP

98304:NKNOFADb/dvWGXKNOFADb/dvWGtKNOFADb/dvWGXKjKWQckVgtev5mnlNL:NKNOOXKNOOtKNOOcKWQc0gEYnvL

Score

10^/10

xred xworm backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

issues-tgp.gl.at.ply.gg:42158

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 11 IoCs

resource	yara_rule
behavioral1/memory/2700-28-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2700-27-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2700-26-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/files/0x000c000000015d51-33.dat	family_xworm
behavioral1/memory/2660-51-0x0000000000240000-0x00000000002B2000-memory.dmp	family_xworm
behavioral1/memory/1232-80-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2292-89-0x0000000000CE0000-0x0000000000D52000-memory.dmp	family_xworm
behavioral1/memory/1232-145-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/1232-144-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/1232-147-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/1232-177-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2660	._cache_45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
1560	Synaptics.exe
1232	Synaptics.exe
2292	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
1232	Synaptics.exe
1232	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 1560 set thread context of 1232	1560	Synaptics.exe	37

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2688	Powershell.exe
2140	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2660	._cache_45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
1864	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2688	Powershell.exe
2140	Powershell.exe
2660	._cache_45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	Powershell.exe
Token: SeDebugPrivilege	2140	Powershell.exe
Token: SeDebugPrivilege	2660	._cache_45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
Token: SeDebugPrivilege	2292	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2660	._cache_45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
1864	EXCEL.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2688	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	30
PID 2632 wrote to memory of 2688	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	30
PID 2632 wrote to memory of 2688	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	30
PID 2632 wrote to memory of 2688	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	30
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2632 wrote to memory of 2700	2632	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	32
PID 2700 wrote to memory of 2660	2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	33
PID 2700 wrote to memory of 2660	2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	33
PID 2700 wrote to memory of 2660	2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	33
PID 2700 wrote to memory of 2660	2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	33
PID 2700 wrote to memory of 1560	2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	34
PID 2700 wrote to memory of 1560	2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	34
PID 2700 wrote to memory of 1560	2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	34
PID 2700 wrote to memory of 1560	2700	45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe	34
PID 1560 wrote to memory of 2140	1560	Synaptics.exe	35
PID 1560 wrote to memory of 2140	1560	Synaptics.exe	35
PID 1560 wrote to memory of 2140	1560	Synaptics.exe	35
PID 1560 wrote to memory of 2140	1560	Synaptics.exe	35
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1560 wrote to memory of 1232	1560	Synaptics.exe	37
PID 1232 wrote to memory of 2292	1232	Synaptics.exe	38
PID 1232 wrote to memory of 2292	1232	Synaptics.exe	38
PID 1232 wrote to memory of 2292	1232	Synaptics.exe	38
PID 1232 wrote to memory of 2292	1232	Synaptics.exe	38

C:\Users\Admin\AppData\Local\Temp\45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
"C:\Users\Admin\AppData\Local\Temp\45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
  "C:\Users\Admin\AppData\Local\Temp\45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\._cache_45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2660
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\ProgramData\Synaptics\Synaptics.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
      4⤵
      Drops startup file
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2140
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.6MB

MD5
8c0620caca03f0d3e587d2259beaa902

SHA1
245fc23d0ea9ead68c55d0dd3eb2f9ed8014b500

SHA256
45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2

SHA512
3dc69cae634c8737e9bf80cb5cf726130a0ca22daf9babf30fb54ad86536b1334be05545b691cafdd4b8b8aec4e7770e5f73ae5262bafca13cf6f9f9d6648e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9rCUvXuk.xlsm

Filesize
21KB

MD5
433105abd3f60aeadce56ba15a5ae31c

SHA1
beb098caa4fd217805527476f1ba8b4774e77bf3

SHA256
5609541b43cd51b628f24186017cc2fce64db9f62f8f56fc27e472acbe59f9f7

SHA512
7f338606759b74e38947e5b4fc119ac3931f1447bcb7abd47bef56322c0b9ce49bc3004b202fc14abee602d8a90ffcf77eb86c862bcd90fa2af2168f7769e0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9rCUvXuk.xlsm

Filesize
26KB

MD5
db1e3ec97d5d3ab98753af06207c7a29

SHA1
9590531818ed190361eda3e22dcd4dccc6e5af70

SHA256
0c4cb797a2871d3a41a387ec10701b6747934b642ad3ab654cc313c6b7db2f42

SHA512
a8eb18ea9fe788988750c597ad8bb8313a436ada28d888a9b7d18e38de74b2485273cdd3e6cc9a39354c88a3b9053d06b84b08a3f65b70551eea2097eff27e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9rCUvXuk.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
11ab2808f28e6145351881e85f28bdd7

SHA1
96355c81654319af48bb052d9ca6d92664713b4b

SHA256
fce28bedf27d29aaab0182b7346007eafd4ed57ce0c6fcd543ba27f6fa57a7dd

SHA512
e2483dc6535a56bf24b2082cd1d0a47107e46bebd9c9df1978af301be0342d0be80922816afadea51ab9c1e2bb60a5d35cf4b227fa8aea932019a5c6c0d83722

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_45900ccea0bcf76e534024db64efe46c18403955cc49d73928e3ee0c86dac9a2.exe

Filesize
434KB

MD5
c8d371d5f37793d6437cdecefce8d1e9

SHA1
c344fcdeb8b8c7fd02d4038fbac4df57af2a5366

SHA256
f2f39f6812a7535788e413d48e36f950f9f03673ca3b01297cba81414c388d01

SHA512
1e34c91a581db0ad7fa619ea2881bdf776f26a21db59ef56af6e84117bf7ad40e623211b2b8294eded5dc136ca434fee59b891ac0cc9aaadd85e5c0eeb476976

Download Submit
memory/1232-147-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1232-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1232-177-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1232-80-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1232-144-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1232-145-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1560-53-0x0000000000EA0000-0x0000000001436000-memory.dmp

Filesize
5.6MB

Download
memory/1864-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1864-146-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2292-89-0x0000000000CE0000-0x0000000000D52000-memory.dmp

Filesize
456KB

Download
memory/2632-31-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2632-11-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2632-3-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-2-0x0000000004C90000-0x0000000004DD6000-memory.dmp

Filesize
1.3MB

Download
memory/2632-1-0x0000000000A20000-0x0000000000FB6000-memory.dmp

Filesize
5.6MB

Download
memory/2660-51-0x0000000000240000-0x00000000002B2000-memory.dmp

Filesize
456KB

Download
memory/2688-10-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-8-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-9-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-7-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-6-0x000000006FB41000-0x000000006FB42000-memory.dmp

Filesize
4KB

Download
memory/2688-55-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-12-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2700-20-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2700-14-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2700-17-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2700-18-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2700-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-26-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2700-27-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2700-28-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2700-22-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2700-13-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download