redline | 5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Size

821KB
MD5

7c36f1554bb662abddb2fafb5db3037d
SHA1

4d2b146919805242a1699139d2937bae4fddfd4b
SHA256

5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30
SHA512

caa4b4b05fdd1a5b68979ed0c2388c727dd3d89d34a2351e7e392e1dd1764a87a0af1106e7beaa65a287cd625088daeb9ccfcad4fed8ca39b273fa7142c53665
SSDEEP

24576:PBKn35eX+HnjaKB2LJKI923eTuOmvzzx428hYTGu:EpjHnj3B2VKI92uuOmrOSTGu

Score

10^/10

redline xworm foz collection discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759

Extracted

Family

redline

Botnet

FOZ

212.162.149.53:36014

Extracted

Family

xworm

Version

5.0

212.162.149.53:7071

Mutex

9GNxvcpH1EHQrLdj

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023ca4-42.dat	family_xworm
behavioral2/memory/3136-57-0x0000000000FE0000-0x0000000000FF0000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023ca7-61.dat	family_redline
behavioral2/memory/3972-65-0x0000000000080000-0x00000000000D2000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1536	powershell.exe
3884	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	apihost.exe

Executes dropped EXE 3 IoCs

pid	Process
3136	XClient.exe
3972	build.exe
4672	apihost.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	apihost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 316	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
688	schtasks.exe
3880	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3136	XClient.exe
4672	apihost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
1536	powershell.exe
2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
1536	powershell.exe
3136	XClient.exe
3972	build.exe
3972	build.exe
3972	build.exe
3136	XClient.exe
3884	powershell.exe
3884	powershell.exe
4672	apihost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	3136	XClient.exe
Token: SeDebugPrivilege	3972	build.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	4672	apihost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3136	XClient.exe
3136	XClient.exe
4672	apihost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1536	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	89
PID 2644 wrote to memory of 1536	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	89
PID 2644 wrote to memory of 1536	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	89
PID 2644 wrote to memory of 3880	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	91
PID 2644 wrote to memory of 3880	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	91
PID 2644 wrote to memory of 3880	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	91
PID 2644 wrote to memory of 316	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	93
PID 2644 wrote to memory of 316	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	93
PID 2644 wrote to memory of 316	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	93
PID 2644 wrote to memory of 316	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	93
PID 2644 wrote to memory of 316	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	93
PID 2644 wrote to memory of 316	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	93
PID 2644 wrote to memory of 316	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	93
PID 2644 wrote to memory of 316	2644	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	93
PID 316 wrote to memory of 3136	316	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	94
PID 316 wrote to memory of 3136	316	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	94
PID 316 wrote to memory of 3972	316	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	95
PID 316 wrote to memory of 3972	316	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	95
PID 316 wrote to memory of 3972	316	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	95
PID 3136 wrote to memory of 3884	3136	XClient.exe	98
PID 3136 wrote to memory of 3884	3136	XClient.exe	98
PID 3136 wrote to memory of 688	3136	XClient.exe	99
PID 3136 wrote to memory of 688	3136	XClient.exe	99
PID 3136 wrote to memory of 4672	3136	XClient.exe	102
PID 3136 wrote to memory of 4672	3136	XClient.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe

C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YkxAHNcqEmoeLS.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD89D.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
  "C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:3136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3884
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 08:07 /du 23:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:688
  - - C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
      "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4672
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c7bac0105b8e08ec7d9e6ffe3cb6cfbb

SHA1
7a7eff82b31af4bc0f1d9519c660da49bfd15777

SHA256
fe3e7fb33e8acd7e50913befb567e331b8381986d3c4d206be395c6710b4c10d

SHA512
1bb875588ba21939490b151744f2714f0b7e4c9db06e80f63e01db26eabb8ea4dbaed00662957618c34a7fb057d9c04d26a3652d6944b609c105dbe5cf1b6c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
40KB

MD5
1c5cf825e29b63a62c3c8b1589d51a1e

SHA1
ea4f1dceeeea35b6bd17f4040511bbd0341246a8

SHA256
d868406f1fdc6a5c15a70f03f6279fb8a3fe190ea5a4911bf6839fc483c753b0

SHA512
c780aff70b930ea221ffd96081c02116f76d2c7b20590fff6ab04038e2aef50ad57eb8f28a67c4dfdb6a00e3fe393e1238d448c3f346585242ee18d180203fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1luubvyv.dj0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
300KB

MD5
1ed2ecae05aaa1c505136f5252287cc7

SHA1
2c73c09437c4c1d5e90013a6ca7a65ac0a5fadc5

SHA256
d771f70ba342e5d4cd7f129a4a2b4a6c6c7293233135f266db33f356986a70f9

SHA512
ca82139310ea62ec8703f6fcb19d843644a5ce40323e8f7857c9fd3173bb0796eb20f9002209b9fcbfa7ce9858fe3b932e070f8449bc2736b6712d39515d9219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD89D.tmp

Filesize
1KB

MD5
b25ec9b1ea0a6d352fa497c2454cd4cd

SHA1
92bb2dfe89353d50eef038b16fd0da59f2c10ee2

SHA256
0ae217cc71c89f5269f01951a90dfbcff8ecfa68b8d1f68f454134cb361d2bb2

SHA512
77e72f3c7f737d694014f4a870562652a1f831772de3bd82567638c3b0025f18bd229456a59fc10a7e73e50c96434538b80acbae497e385d1bf0feed2885cb9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
7a6f6e6cb345e2ab6f31a52227ce1f98

SHA1
b1a213f8dd7ab0bd24971d227957141536229874

SHA256
f6c7dff5bb39edb168398ebdd26533786fa16659c80163c9fae41add704d61f7

SHA512
80f01f6c5663f068b84fbd62174b905c7821a04f269d1d101fffa2c7bcfca104e8da2ca1e21a1df53e605c88d36751cdc53b171e4d095f218841b9814a7a74c6

Download Submit
memory/316-64-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/316-38-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/316-36-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/316-23-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1536-62-0x0000000006800000-0x000000000684C000-memory.dmp

Filesize
304KB

Download
memory/1536-71-0x0000000071600000-0x000000007164C000-memory.dmp

Filesize
304KB

Download
memory/1536-17-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-18-0x0000000005920000-0x0000000005F48000-memory.dmp

Filesize
6.2MB

Download
memory/1536-15-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-21-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/1536-22-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/1536-94-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-20-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/1536-25-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download
memory/1536-91-0x0000000007DB0000-0x0000000007DB8000-memory.dmp

Filesize
32KB

Download
memory/1536-90-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

Filesize
104KB

Download
memory/1536-88-0x0000000007CC0000-0x0000000007CCE000-memory.dmp

Filesize
56KB

Download
memory/1536-16-0x00000000051A0000-0x00000000051D6000-memory.dmp

Filesize
216KB

Download
memory/1536-89-0x0000000007CD0000-0x0000000007CE4000-memory.dmp

Filesize
80KB

Download
memory/1536-87-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/1536-86-0x0000000007D10000-0x0000000007DA6000-memory.dmp

Filesize
600KB

Download
memory/1536-85-0x0000000007B00000-0x0000000007B0A000-memory.dmp

Filesize
40KB

Download
memory/1536-83-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/1536-84-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/1536-82-0x0000000007950000-0x00000000079F3000-memory.dmp

Filesize
652KB

Download
memory/1536-59-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/1536-70-0x0000000007710000-0x0000000007742000-memory.dmp

Filesize
200KB

Download
memory/1536-81-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/2644-7-0x00000000052E0000-0x00000000052FC000-memory.dmp

Filesize
112KB

Download
memory/2644-37-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2644-1-0x0000000000560000-0x0000000000634000-memory.dmp

Filesize
848KB

Download
memory/2644-2-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/2644-10-0x0000000006AE0000-0x0000000006B82000-memory.dmp

Filesize
648KB

Download
memory/2644-9-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2644-0-0x000000007514E000-0x000000007514F000-memory.dmp

Filesize
4KB

Download
memory/2644-3-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/2644-5-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/2644-8-0x000000007514E000-0x000000007514F000-memory.dmp

Filesize
4KB

Download
memory/2644-4-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2644-6-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download
memory/3136-102-0x000000001BB80000-0x000000001BB9E000-memory.dmp

Filesize
120KB

Download
memory/3136-105-0x000000001DC80000-0x000000001DC98000-memory.dmp

Filesize
96KB

Download
memory/3136-57-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/3136-104-0x000000001DD00000-0x000000001DEC2000-memory.dmp

Filesize
1.8MB

Download
memory/3136-103-0x000000001C3E0000-0x000000001C430000-memory.dmp

Filesize
320KB

Download
memory/3884-108-0x000001CFDF2A0000-0x000001CFDF2C2000-memory.dmp

Filesize
136KB

Download
memory/3972-66-0x0000000005B20000-0x0000000006138000-memory.dmp

Filesize
6.1MB

Download
memory/3972-101-0x0000000006490000-0x00000000064E0000-memory.dmp

Filesize
320KB

Download
memory/3972-100-0x0000000006C10000-0x000000000713C000-memory.dmp

Filesize
5.2MB

Download
memory/3972-99-0x0000000006510000-0x00000000066D2000-memory.dmp

Filesize
1.8MB

Download
memory/3972-65-0x0000000000080000-0x00000000000D2000-memory.dmp

Filesize
328KB

Download
memory/3972-67-0x0000000004DB0000-0x0000000004EBA000-memory.dmp

Filesize
1.0MB

Download
memory/3972-68-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3972-69-0x0000000004CA0000-0x0000000004CDC000-memory.dmp

Filesize
240KB

Download