xred | ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zhuzhu.exe
Size

5.8MB
MD5

675f03db23d403573a3a6f708a0e4369
SHA1

78ee9afafe6bf18d2c42d816629b6f9ed1e3ea2f
SHA256

ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8
SHA512

c9055873fcbcefd7aeb8414627d4aa7645014bc2a609a4993317a45465a2ffdbeb38dbfb6c7677350203fe1e7d1f3906fc670ae74d1a75fbd91533044f513240
SSDEEP

98304:unsmtk2asgF0ET9HlrxRVwJMACNiREvBvlvwvCvxvD:wL8Z9HhxRVwJMAqoetRqA9D

Score

10^/10

xred backdoor discovery execution persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2812	._cache_zhuzhu.exe
2816	Synaptics.exe
1624	._cache_Synaptics.exe
2888	._cache_zhuzhu.exe

Loads dropped DLL 11 IoCs

pid	Process
2640	zhuzhu.exe
2640	zhuzhu.exe
2640	zhuzhu.exe
2816	Synaptics.exe
2816	Synaptics.exe
2812	._cache_zhuzhu.exe
1292	WerFault.exe
1292	WerFault.exe
1292	WerFault.exe
1292	WerFault.exe
1292	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	zhuzhu.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1612	powershell.exe
2216	powershell.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	._cache_zhuzhu.exe
File opened (read-only)	\??\E:	._cache_zhuzhu.exe
File opened (read-only)	\??\N:	._cache_zhuzhu.exe
File opened (read-only)	\??\M:	._cache_zhuzhu.exe
File opened (read-only)	\??\P:	._cache_zhuzhu.exe
File opened (read-only)	\??\S:	._cache_zhuzhu.exe
File opened (read-only)	\??\X:	._cache_zhuzhu.exe
File opened (read-only)	\??\H:	._cache_zhuzhu.exe
File opened (read-only)	\??\L:	._cache_zhuzhu.exe
File opened (read-only)	\??\J:	._cache_zhuzhu.exe
File opened (read-only)	\??\K:	._cache_zhuzhu.exe
File opened (read-only)	\??\Q:	._cache_zhuzhu.exe
File opened (read-only)	\??\U:	._cache_zhuzhu.exe
File opened (read-only)	\??\W:	._cache_zhuzhu.exe
File opened (read-only)	\??\Y:	._cache_zhuzhu.exe
File opened (read-only)	\??\B:	._cache_zhuzhu.exe
File opened (read-only)	\??\I:	._cache_zhuzhu.exe
File opened (read-only)	\??\T:	._cache_zhuzhu.exe
File opened (read-only)	\??\V:	._cache_zhuzhu.exe
File opened (read-only)	\??\Z:	._cache_zhuzhu.exe
File opened (read-only)	\??\G:	._cache_zhuzhu.exe
File opened (read-only)	\??\O:	._cache_zhuzhu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1292	2812	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_zhuzhu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhuzhu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_zhuzhu.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1296	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1612	powershell.exe
2216	powershell.exe
1612	powershell.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe
2888	._cache_zhuzhu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	._cache_zhuzhu.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1296	EXCEL.EXE
2888	._cache_zhuzhu.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2812	2640	zhuzhu.exe	30
PID 2640 wrote to memory of 2812	2640	zhuzhu.exe	30
PID 2640 wrote to memory of 2812	2640	zhuzhu.exe	30
PID 2640 wrote to memory of 2812	2640	zhuzhu.exe	30
PID 2640 wrote to memory of 2816	2640	zhuzhu.exe	31
PID 2640 wrote to memory of 2816	2640	zhuzhu.exe	31
PID 2640 wrote to memory of 2816	2640	zhuzhu.exe	31
PID 2640 wrote to memory of 2816	2640	zhuzhu.exe	31
PID 2816 wrote to memory of 1624	2816	Synaptics.exe	32
PID 2816 wrote to memory of 1624	2816	Synaptics.exe	32
PID 2816 wrote to memory of 1624	2816	Synaptics.exe	32
PID 2816 wrote to memory of 1624	2816	Synaptics.exe	32
PID 2812 wrote to memory of 2888	2812	._cache_zhuzhu.exe	34
PID 2812 wrote to memory of 2888	2812	._cache_zhuzhu.exe	34
PID 2812 wrote to memory of 2888	2812	._cache_zhuzhu.exe	34
PID 2812 wrote to memory of 2888	2812	._cache_zhuzhu.exe	34
PID 2812 wrote to memory of 1292	2812	._cache_zhuzhu.exe	37
PID 2812 wrote to memory of 1292	2812	._cache_zhuzhu.exe	37
PID 2812 wrote to memory of 1292	2812	._cache_zhuzhu.exe	37
PID 2812 wrote to memory of 1292	2812	._cache_zhuzhu.exe	37
PID 2888 wrote to memory of 1256	2888	._cache_zhuzhu.exe	38
PID 2888 wrote to memory of 1256	2888	._cache_zhuzhu.exe	38
PID 2888 wrote to memory of 1256	2888	._cache_zhuzhu.exe	38
PID 2888 wrote to memory of 1256	2888	._cache_zhuzhu.exe	38
PID 2888 wrote to memory of 1812	2888	._cache_zhuzhu.exe	39
PID 2888 wrote to memory of 1812	2888	._cache_zhuzhu.exe	39
PID 2888 wrote to memory of 1812	2888	._cache_zhuzhu.exe	39
PID 2888 wrote to memory of 1812	2888	._cache_zhuzhu.exe	39
PID 1256 wrote to memory of 1612	1256	cmd.exe	42
PID 1256 wrote to memory of 1612	1256	cmd.exe	42
PID 1256 wrote to memory of 1612	1256	cmd.exe	42
PID 1256 wrote to memory of 1612	1256	cmd.exe	42
PID 1812 wrote to memory of 2216	1812	cmd.exe	43
PID 1812 wrote to memory of 2216	1812	cmd.exe	43
PID 1812 wrote to memory of 2216	1812	cmd.exe	43
PID 1812 wrote to memory of 2216	1812	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\zhuzhu.exe
"C:\Users\Admin\AppData\Local\Temp\zhuzhu.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\._cache_zhuzhu.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_zhuzhu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Roaming\._cache_zhuzhu.exe
    "C:\Users\Admin\AppData\Roaming\._cache_zhuzhu.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1068
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1292
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1624

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.8MB

MD5
675f03db23d403573a3a6f708a0e4369

SHA1
78ee9afafe6bf18d2c42d816629b6f9ed1e3ea2f

SHA256
ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8

SHA512
c9055873fcbcefd7aeb8414627d4aa7645014bc2a609a4993317a45465a2ffdbeb38dbfb6c7677350203fe1e7d1f3906fc670ae74d1a75fbd91533044f513240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db75b1ade3a03ce8362320166fb6f7b6

SHA1
d6a990343e017102adc6c2f3a430604853a63aa9

SHA256
c13e9e40c747a3ceb01a5e55eae9de9d50b692e6f4acea435f5bb65a3f4f0b37

SHA512
9e95d406ffd32067e87580d476704c8424abd69b6e760bd12c0d0cc0ad40594ab4147a7b38c860cbff066fde900795a6219d5613279eab3ee40727c1b1697377

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFF74.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELMTEkiR.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELMTEkiR.xlsm

Filesize
25KB

MD5
fffedf9373f82582afadc806dbe6ef59

SHA1
5da62e1f6d8b521b41d148d9e641f82c4bdd15df

SHA256
6285d7d790523b2a25554a4fa64727f954a67ed9acf5532c121e7e69d27935cc

SHA512
2b80824b8d62cb9113db4ed1e9dc628886983338053836ebaed4381905e82d3d29f703fe5d6d6e01330028be76f7cf99fa17367359d4dd0e1aaa055ade97b551

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELMTEkiR.xlsm

Filesize
30KB

MD5
32e7ad1bae0b97892e617d2ea6f3d98e

SHA1
cd5b0abe0abd38cc9a33e516cbecff9da0e42241

SHA256
76553b4e30ff2bdc8847c7e3a5e0260a15e8b664810bfd78fcabef2542265c03

SHA512
aa53b810a0ae7717b1e7d5b2ef981721f187223e7be8ce7b81584f0f7e5642708bed4faf9d26ad4e88ef0920b5d9410e0b58530c3731b099fe795568f59330f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELMTEkiR.xlsm

Filesize
29KB

MD5
938eead6ab7fc703b3e842315decedaf

SHA1
ca6daa7f37672dcdfc36683c5410cdab6fab1618

SHA256
abf29bbe961f710d338e2b6bcad5e82cde69f9b88bcad87d9c1867f7c86fd8f6

SHA512
8842cfa44e02a588d16b481b94c3c5a26137dc1e835c37193622e5a25520ebe6918969cd06c80ad49d00a49007658757e0fada2a811150496eebd512b0e9b11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELMTEkiR.xlsm

Filesize
29KB

MD5
dc8dbd755f9b6f5d0121e2464513a572

SHA1
795a3fa526490378cabe17662b82d3be49bc7bba

SHA256
7359b214e24058050b2d70be2f853afcde986c51803efed0339cce1b96c369a9

SHA512
483a209a67d5954bb0bd22d3ea4862dc535397d4c23d3058cc1822f8a28cf3599f3b6cc10a4bddbe5f873251a0d3e8b52ecc459699641af6fed3db29bdd3360f

Download Submit
C:\Users\Admin\AppData\Local\updated.ps1

Filesize
151B

MD5
aa0e1012d3b7c24fad1be4806756c2cf

SHA1
fe0d130af9105d9044ff3d657d1abeaf0b750516

SHA256
fc47e1fa89397c3139d9047dc667531a9153a339f8e29ac713e518d51a995897

SHA512
15fae192951747a0c71059f608700f88548f3e60bb5c708b206bf793a7e3d059a278f2058d4ac86b86781b202037401a29602ee4d6c0cbaaff532cef311975f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8d9b8791512f53b65443774023893a4b

SHA1
f8e2a522aeb6481fe6aba32f455291f2010c40d3

SHA256
fa83ee49fcc6ad65a6fd48d8ab05fa6e047787a0c1b732976d18392eca4f4935

SHA512
1162794ae1049c696b193050d98937f83ccbb0ba7f94b50a7cdc1f62a6544a74ebb11e3db053c2d44f1ffe31403973ae69d23c3d049ed66c455dbf4fcc9049b4

Download Submit
C:\Users\Admin\Desktop\~$SplitConfirm.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_zhuzhu.exe

Filesize
5.0MB

MD5
b4f00fba3327488d4cb6fd36b2d567c6

SHA1
4f0548a2f6bf73a85ff17f40f420098019ac05ff

SHA256
d6a84954e038ddf4a0026705e0942fc003cfdc04e58f658a6bd9e89c37c57d18

SHA512
c573147adfeba7d313cc79498a1c107679f0e69805e3aa8260b3e57dba282088bca082536d7866d4708529bf8c3bef56b2005bd9d59a870e3d29132f6fd3d897

Download Submit
memory/1296-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1624-174-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1624-189-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2640-25-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2640-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2812-47-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2812-31-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2812-172-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2812-175-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2812-176-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2816-236-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2816-188-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2816-173-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2888-178-0x0000000002AD0000-0x0000000002AF4000-memory.dmp

Filesize
144KB

Download
memory/2888-180-0x0000000002AD0000-0x0000000002AF4000-memory.dmp

Filesize
144KB

Download
memory/2888-181-0x0000000003940000-0x0000000003978000-memory.dmp

Filesize
224KB

Download
memory/2888-182-0x0000000003940000-0x0000000003978000-memory.dmp

Filesize
224KB

Download
memory/2888-183-0x0000000003940000-0x0000000003978000-memory.dmp

Filesize
224KB

Download
memory/2888-184-0x0000000003940000-0x0000000003978000-memory.dmp

Filesize
224KB

Download
memory/2888-185-0x0000000002AD0000-0x0000000002AF4000-memory.dmp

Filesize
144KB

Download
memory/2888-186-0x0000000002AD0000-0x0000000002AF4000-memory.dmp

Filesize
144KB

Download
memory/2888-179-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2888-177-0x0000000002AD0000-0x0000000002AF4000-memory.dmp

Filesize
144KB

Download
memory/2888-190-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2888-193-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2888-196-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2888-199-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2888-202-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2888-206-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2888-171-0x0000000002AD0000-0x0000000002AF4000-memory.dmp

Filesize
144KB

Download
memory/2888-165-0x0000000002AD0000-0x0000000002AF4000-memory.dmp

Filesize
144KB

Download
memory/2888-152-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2888-238-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2888-241-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2888-244-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2888-247-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download