Analysis

  • max time kernel
    112s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-11-2024 22:56

General

  • Target

    b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe

  • Size

    2.4MB

  • MD5

    4a3d911453118d58a4bc16043c726142

  • SHA1

    30755f517d05c784ef5857b3d5fa665cea91b438

  • SHA256

    b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2

  • SHA512

    ad39db2d93687bec5761514440ef1566049a1c567fcd1ef852c52c312a24f3c2497e9c8ce9fc9564537b5607748daf87bc6f71f4cdd7e1f486833c58708f41f3

  • SSDEEP

    49152:snsHyjtk2MYC5GDvxdth7VaHBIW2Y4XxChF6Hq2BIetbWr:snsmtk2a8F6fT4XAhIH+eVWr

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 30 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
    "C:\Users\Admin\AppData\Local\Temp\b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Users\Admin\AppData\Local\Temp\pftB2B8.tmp\Disk1\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\pftB2B8.tmp\Disk1\Setup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
          "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:4376
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Users\Admin\AppData\Local\Temp\pftB4FA.tmp\Disk1\Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\pftB4FA.tmp\Disk1\Setup.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3704
          • C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
            "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:1480
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3620
  • C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
    C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
      "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:532
  • C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
    C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:912
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4964
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
      PID:4376
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Downloads
