xred | c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176da

Analysis

max time kernel
112s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
Size

3.5MB
MD5

419261a8cdf19560d4a39ab434ee5270
SHA1

dabae0f912f2d85f74f4461fb4dd813e6fe1b3d5
SHA256

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176da
SHA512

6ec51e4ea5d66b3fe39528f8074414e46f4212033308b57921a7b56570d45c8b60e18d19ac090c171239a423f5e65fa9ea035a26671286aea262616569437878
SSDEEP

49152:insHyjtk2MYC5GDrzKT4qsEEXJeHuvokx7vDKo80wkSu2l/qtSupzeB/:insmtk2a+K1rOvoqa/Vr/uteB/

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exeSynaptics.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

Processes:

._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
3572	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
4296	Synaptics.exe
1560	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exeSynaptics.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exeSynaptics.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
3384	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe._cache_Synaptics.exe

description	pid	Process
Token: SeDebugPrivilege	3572	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
Token: SeDebugPrivilege	1560	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe._cache_Synaptics.exe

pid	Process
3572	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
1560	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid	Process
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exeSynaptics.exe._cache_Synaptics.exe._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe

description	pid	Process	procid_target
PID 1340 wrote to memory of 3572	1340	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	86
PID 1340 wrote to memory of 3572	1340	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	86
PID 1340 wrote to memory of 4296	1340	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	88
PID 1340 wrote to memory of 4296	1340	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	88
PID 1340 wrote to memory of 4296	1340	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	88
PID 4296 wrote to memory of 1560	4296	Synaptics.exe	89
PID 4296 wrote to memory of 1560	4296	Synaptics.exe	89
PID 1560 wrote to memory of 1740	1560	._cache_Synaptics.exe	92
PID 1560 wrote to memory of 1740	1560	._cache_Synaptics.exe	92
PID 1560 wrote to memory of 884	1560	._cache_Synaptics.exe	93
PID 1560 wrote to memory of 884	1560	._cache_Synaptics.exe	93
PID 3572 wrote to memory of 3516	3572	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	97
PID 3572 wrote to memory of 3516	3572	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	97
PID 3572 wrote to memory of 3016	3572	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	98
PID 3572 wrote to memory of 3016	3572	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	98
PID 3572 wrote to memory of 2748	3572	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	99
PID 3572 wrote to memory of 2748	3572	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	99
PID 1560 wrote to memory of 4436	1560	._cache_Synaptics.exe	94
PID 1560 wrote to memory of 4436	1560	._cache_Synaptics.exe	94

C:\Users\Admin\AppData\Local\Temp\c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
"C:\Users\Admin\AppData\Local\Temp\c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Program Files\Java\jdk-1.8\bin\java.exe
    "C:\Program Files\Java\jdk-1.8\bin\java.exe" -version
    3⤵
    PID:3516
- - C:\Program Files\Java\jdk-1.8\jre\bin\java.exe
    "C:\Program Files\Java\jdk-1.8\jre\bin\java.exe" -version
    3⤵
    PID:3016
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -version
    3⤵
    PID:2748
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Program Files\Java\jdk-1.8\bin\java.exe
      "C:\Program Files\Java\jdk-1.8\bin\java.exe" -version
      4⤵
      PID:1740
  - - C:\Program Files\Java\jdk-1.8\jre\bin\java.exe
      "C:\Program Files\Java\jdk-1.8\jre\bin\java.exe" -version
      4⤵
      PID:884
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -version
      4⤵
      PID:4436

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b789bb8b172bdee520e6ddb93ce8beee

SHA1
2f2272042f2ce047dabf416bbf1d1ca6dfc6434a

SHA256
4c957d7b46399ade4c83b63222020c50b88516b8275a2c8ffd13fdf64fc9ba20

SHA512
aa92e70eab1b042743e3cd8deea32562060a0f4922b9a97d4f40e52982af45ab8342bff13de80df04f6a9c950b9e7f005aad708f642a2dac6dd8821b9344f7e5

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

Filesize
50B

MD5
a831c9d175374bea8d4588cc85c38f68

SHA1
9a73ca201cad3bac0d2754ed6b70fcffe6c72e7a

SHA256
a44511ed989496c76ff165aa36de90b56c3fd37d964b8d85559c7632b99304e5

SHA512
5a2395541ad095773c9df459905221789ba7c31bce332ef90eff6c7692ec31824a14e10a63d44defa59dac3d36e108316c8c1506ec4c1045a6c7bc328bb35632

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

Filesize
50B

MD5
0e1d2056d64541d3074bff230f849990

SHA1
4e4d179b6b75c08b8b787b1846f30ef99ba5488c

SHA256
f5261516693331a5c54bf21419c429f747775b8fe259a10d2c589661f7fdcce5

SHA512
265163029cadc1ac9f6073648fe84adac4a7199e601164473421ecaaa95a1a45d33e0ece95fef2c750b6cd2fbc298a78fcd39d55d7b43a46c60160b7562f7220

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.5MB

MD5
419261a8cdf19560d4a39ab434ee5270

SHA1
dabae0f912f2d85f74f4461fb4dd813e6fe1b3d5

SHA256
c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176da

SHA512
6ec51e4ea5d66b3fe39528f8074414e46f4212033308b57921a7b56570d45c8b60e18d19ac090c171239a423f5e65fa9ea035a26671286aea262616569437878

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe

Filesize
2.8MB

MD5
e9580249182c0d7e81ee1c30154731b4

SHA1
7a9ca8f420d59b3cd45c188ce0f87bcae91e8d20

SHA256
03342485feb128ab14e35d84d9f48d428c9d8774b145dcd8d520baacd4aef92b

SHA512
c29d7947b07bbc03b66709257e9509761abba992a30bb1a60e09c31eca764314b95dca11a28e0ffc1b93c62548c06660fa05821ab6a74137cbed8185581a19a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.minecraft\PCL.ini

Filesize
31B

MD5
67bfcfc208d787e99ca8ea4801117538

SHA1
f7b82fe95f72e953e2d2b7fe4aa879a7e4eba2b7

SHA256
9a64e96548ed95ab1e5d69f36cc0313ab399e517ce2ef6dbad8e56ba47090d46

SHA512
8311a07b8f17de515e4917b109cce69569bc136ae1456acd7d6f9a069823e3bd0466282db53a4dfc0b88507772bfb6521fe5179fbd759d2bf8d3c692d370440b

Download Submit
C:\Users\Admin\AppData\Local\Temp\73B75E00

Filesize
21KB

MD5
231d76d3fd1be833f1248f78f7b525e5

SHA1
4e96c444637f6bae07d00125a23678824b89490a

SHA256
4251323465be552c9b9fc20db64c6452668385e2f2d186c41630a94367d9ce49

SHA512
1a4ecbce1ccb06d0dfe1442a326e79c5679d52311923213e47d9ee801cfe28d6c04dd2a681be15b4a69ed45077b162f8ad71a33b83534c2556ec4b860fe4c497

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCL\Setup.ini

Filesize
29B

MD5
a068737344ad1e4bcde127bc215d3f4c

SHA1
7e0df815a4bffea2bfe76e1099053b335dd66e66

SHA256
9832e053464d410f8d185eec8bf0d07edba9c04745913c56145db541855d2c99

SHA512
25c7cf162cc15d32c0be8ced9de163da93c7a3251d35747e4547bef5c46d60d87f0a91db92aeee1f650feab9410e81d9aba4503ec5ec120599964bd8edb79512

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCL\Setup.ini

Filesize
64B

MD5
4360c9f933de34fd6797628b25617595

SHA1
ab19b2d0d60ba2609dfd4651692776d66dc843b5

SHA256
172ecdf122b4d744cd73607cf0c043bac9d47978cd8671ab86eb25d43e23bb3f

SHA512
efa1bb2f9aa6748e2a2b88664c87553572b9614f19809fa74196cbc00420ca1cf562e2192b4e887cec29719fa95ec5cb8a3d134e6273ce9cf9089c27c3f70d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCL\Setup.ini

Filesize
88B

MD5
36d7b4a54a5545e673c2a155032f1bae

SHA1
73a1a440bbdaed38fae625fcf35fabfa5344903d

SHA256
d1b8b1e3a1be908136b18d5b3aff5f62cb8feea0db5131c9f66362195cd7c6f6

SHA512
f1837f9e7055beec745022cbd05019456f9e14e0d9be80f0ee3fd8b19713d2172a1eca0efba14dc005f7ff0fe5ebb95dc5ef3aa7969a46d6ce08debd26c22937

Download Submit
C:\Users\Admin\AppData\Local\Temp\YH2LjJEa.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/884-280-0x00000258EB760000-0x00000258EB761000-memory.dmp

Filesize
4KB

Download
memory/1340-130-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1340-0-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1560-208-0x0000028A6A550000-0x0000028A6A588000-memory.dmp

Filesize
224KB

Download
memory/1560-210-0x0000028A6DC90000-0x0000028A6DD38000-memory.dmp

Filesize
672KB

Download
memory/1560-209-0x0000028A6A520000-0x0000028A6A52E000-memory.dmp

Filesize
56KB

Download
memory/1740-279-0x0000015C20380000-0x0000015C20381000-memory.dmp

Filesize
4KB

Download
memory/2748-299-0x000001C552370000-0x000001C552371000-memory.dmp

Filesize
4KB

Download
memory/3016-267-0x000001D939880000-0x000001D939881000-memory.dmp

Filesize
4KB

Download
memory/3384-197-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

Filesize
64KB

Download
memory/3384-199-0x00007FF8F8CB0000-0x00007FF8F8CC0000-memory.dmp

Filesize
64KB

Download
memory/3384-195-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

Filesize
64KB

Download
memory/3384-200-0x00007FF8F8CB0000-0x00007FF8F8CC0000-memory.dmp

Filesize
64KB

Download
memory/3384-196-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

Filesize
64KB

Download
memory/3384-194-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

Filesize
64KB

Download
memory/3384-198-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp

Filesize
64KB

Download
memory/3516-272-0x0000010F08410000-0x0000010F08411000-memory.dmp

Filesize
4KB

Download
memory/3572-345-0x00007FF91CDF3000-0x00007FF91CDF5000-memory.dmp

Filesize
8KB

Download
memory/3572-134-0x000001FDEF5A0000-0x000001FDEF5B0000-memory.dmp

Filesize
64KB

Download
memory/3572-183-0x000001FDF1520000-0x000001FDF1780000-memory.dmp

Filesize
2.4MB

Download
memory/3572-348-0x000001FDEF5A0000-0x000001FDEF5B0000-memory.dmp

Filesize
64KB

Download
memory/3572-71-0x000001FDED540000-0x000001FDED808000-memory.dmp

Filesize
2.8MB

Download
memory/3572-211-0x000001FDF64E0000-0x000001FDF6502000-memory.dmp

Filesize
136KB

Download
memory/3572-70-0x00007FF91CDF3000-0x00007FF91CDF5000-memory.dmp

Filesize
8KB

Download
memory/4296-133-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4296-346-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4296-347-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4296-379-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/4436-291-0x0000011F889B0000-0x0000011F889B1000-memory.dmp

Filesize
4KB

Download