xred | 3f564ce8dce5ce93f534ca109d38dad84d8b6f2da8a3bd4fabae0105e55ad4cc

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
Size

5.0MB
MD5

0754270a48c92159a5f6c3a2cf2c0e23
SHA1

e74d774e6f3774aa554c71721c8124c4902d6709
SHA256

3f564ce8dce5ce93f534ca109d38dad84d8b6f2da8a3bd4fabae0105e55ad4cc
SHA512

8f5426a09ec4d75401fee7be9033754acdb9be5783dc0a2e93158448a30d9a96a2a25bd227baeb03803fcafe96f9326b9333519ef7fe0aa768e606746b2d9ffe
SSDEEP

98304:mKNOFADb/dvWGhKNOFADb/dvWGkOU/jIEeQfoR/IuOFVjUu5:mKNOOhKNOOkFIF0wu

Score

10^/10

xred xworm backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

issues-tgp.gl.at.ply.gg:42158

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 13 IoCs

resource	yara_rule
behavioral1/memory/2320-27-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2320-26-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2320-25-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2320-28-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/files/0x0008000000014b3c-45.dat	family_xworm
behavioral1/memory/2588-52-0x00000000008A0000-0x0000000000912000-memory.dmp	family_xworm
behavioral1/memory/2320-53-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2840-79-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/1428-88-0x0000000001000000-0x0000000001072000-memory.dmp	family_xworm
behavioral1/memory/2840-154-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2840-155-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2840-157-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm
behavioral1/memory/2840-187-0x0000000000400000-0x000000000052D000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe	Powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2588	._cache_2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
1952	Synaptics.exe
2840	Synaptics.exe
1428	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
2840	Synaptics.exe
2840	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 1952 set thread context of 2840	1952	Synaptics.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2632	Powershell.exe
1396	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2588	._cache_2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
1852	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2632	Powershell.exe
1396	Powershell.exe
2588	._cache_2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	Powershell.exe
Token: SeDebugPrivilege	1396	Powershell.exe
Token: SeDebugPrivilege	2588	._cache_2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
Token: SeDebugPrivilege	1428	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2588	._cache_2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
1852	EXCEL.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2632	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	28
PID 2712 wrote to memory of 2632	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	28
PID 2712 wrote to memory of 2632	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	28
PID 2712 wrote to memory of 2632	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	28
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2712 wrote to memory of 2320	2712	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	30
PID 2320 wrote to memory of 2588	2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	31
PID 2320 wrote to memory of 2588	2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	31
PID 2320 wrote to memory of 2588	2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	31
PID 2320 wrote to memory of 2588	2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	31
PID 2320 wrote to memory of 1952	2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	32
PID 2320 wrote to memory of 1952	2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	32
PID 2320 wrote to memory of 1952	2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	32
PID 2320 wrote to memory of 1952	2320	2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe	32
PID 1952 wrote to memory of 1396	1952	Synaptics.exe	33
PID 1952 wrote to memory of 1396	1952	Synaptics.exe	33
PID 1952 wrote to memory of 1396	1952	Synaptics.exe	33
PID 1952 wrote to memory of 1396	1952	Synaptics.exe	33
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 1952 wrote to memory of 2840	1952	Synaptics.exe	35
PID 2840 wrote to memory of 1428	2840	Synaptics.exe	36
PID 2840 wrote to memory of 1428	2840	Synaptics.exe	36
PID 2840 wrote to memory of 1428	2840	Synaptics.exe	36
PID 2840 wrote to memory of 1428	2840	Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2588
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\ProgramData\Synaptics\Synaptics.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
      4⤵
      Drops startup file
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1396
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.0MB

MD5
0754270a48c92159a5f6c3a2cf2c0e23

SHA1
e74d774e6f3774aa554c71721c8124c4902d6709

SHA256
3f564ce8dce5ce93f534ca109d38dad84d8b6f2da8a3bd4fabae0105e55ad4cc

SHA512
8f5426a09ec4d75401fee7be9033754acdb9be5783dc0a2e93158448a30d9a96a2a25bd227baeb03803fcafe96f9326b9333519ef7fe0aa768e606746b2d9ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-31_0754270a48c92159a5f6c3a2cf2c0e23_avoslocker_hijackloader_luca-stealer.exe

Filesize
434KB

MD5
c8d371d5f37793d6437cdecefce8d1e9

SHA1
c344fcdeb8b8c7fd02d4038fbac4df57af2a5366

SHA256
f2f39f6812a7535788e413d48e36f950f9f03673ca3b01297cba81414c388d01

SHA512
1e34c91a581db0ad7fa619ea2881bdf776f26a21db59ef56af6e84117bf7ad40e623211b2b8294eded5dc136ca434fee59b891ac0cc9aaadd85e5c0eeb476976

Download Submit
C:\Users\Admin\AppData\Local\Temp\chFtumop.xlsm

Filesize
20KB

MD5
d799761ba6d5b6928104a9695fc558f6

SHA1
bf42d2018f9c51eb3af9f3f122960ff89084e2ef

SHA256
445552a5d875a24ea8c699c44a1af9c9362aecbda580c2aab21b8437d7aca8fc

SHA512
29c1cfa28f13f89cdba68b5883fde44f143c9aebf77bed9bbc68f6cd696d8b9bc4f9765555c840ef01d9331fc763b21ff3632b599b3b2bf00c5225ffe9a5ffaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\chFtumop.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\chFtumop.xlsm

Filesize
23KB

MD5
506356da35da2d5cf27ef349e63fc65f

SHA1
a3916a31269a6e2fe70680f4e0038ead97945855

SHA256
b48de7821ed42990df56c76d8c6b32574e02a1244a283baaff1b014101e18645

SHA512
978dd86b321cb11cb5bea1b1fb91aeea2e81a2ac37c164ae3730e32a07a4cec4d2d50a3385909668a097c3f6f0c2c32109cef65d929bec08e7f08dde7ac6fbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chFtumop.xlsm

Filesize
24KB

MD5
722f8eb57a795419ed72c2551dcd91b5

SHA1
eb7892c4e0354de5279f47507201bf77bbb7d118

SHA256
8d754418439c3727c59a4c008b760a939742e80cf763d77143d3a595a6b37805

SHA512
1efc1d6fe86fce617f101ad64f5900886f8d421eb2b44fcd139a27f49192190a7ffe756868f47c40dc64b2e1da31f4ff8988bad43ff01418b9f667017765ac7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f51ecf9ca3f3ede7d58cd0b0ba264215

SHA1
446561a7a809898ad28177cc6f73a761bca372bb

SHA256
f2b63422497f8536f94f9fc16263503935deefacd9a461dcd2cdc4e2eaed9dd9

SHA512
fddd2372fe57e718d07b84b7d38bbb6bdf3a1b6056512e227552d8894769812882a3d03d4cf84063dc5371211c15e203c3382083e002cebf491044f6eae4e4fc

Download Submit
memory/1428-88-0x0000000001000000-0x0000000001072000-memory.dmp

Filesize
456KB

Download
memory/1852-156-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1852-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1952-54-0x0000000000EC0000-0x00000000013CC000-memory.dmp

Filesize
5.0MB

Download
memory/2320-20-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-22-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-18-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-27-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-26-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-25-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-16-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-28-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2320-21-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-53-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-19-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2320-14-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2588-52-0x00000000008A0000-0x0000000000912000-memory.dmp

Filesize
456KB

Download
memory/2632-10-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-9-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-12-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-8-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-7-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-6-0x000000006FB41000-0x000000006FB42000-memory.dmp

Filesize
4KB

Download
memory/2712-13-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2712-29-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-0-0x00000000741DE000-0x00000000741DF000-memory.dmp

Filesize
4KB

Download
memory/2712-3-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-2-0x0000000004C30000-0x0000000004D76000-memory.dmp

Filesize
1.3MB

Download
memory/2712-1-0x0000000000980000-0x0000000000E8C000-memory.dmp

Filesize
5.0MB

Download
memory/2840-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-79-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2840-154-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2840-155-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2840-157-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2840-187-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download