xred | 5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xyxmml.msi
Size

1.7MB
MD5

51dd5767de678bb6359cbb175319f0ec
SHA1

76ae487dda6cf3651a9b2b30614c0fefd1f3149c
SHA256

5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314
SHA512

ffb798290e2f6840eb8f0587dc675e8654589bfd070b1c54e49c7984272aa94da3a493cbd28b1dddef1f6a44b09ad9fd8a14ec0d77b90f948dc85089f91cc8a0
SSDEEP

49152:+EJnsHyjtk2MYC5GDChloJfWJ255hpB14Rd:1nsmtk2arhlTJ23h

Score

10^/10

xred backdoor discovery persistence privilege_escalation

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	MSIBE7E.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	MSIBE7E.tmp

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\._cache_MSIBE7E.tmp	MSIBE7E.tmp
File opened for modification	C:\Windows\SysWOW64\._cache_MSIBE7E.tmp	MSIBE7E.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57bd64.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bd64.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE7E.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3604	MSIBE7E.tmp
4444	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
372	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIBE7E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c4d65e62b69e8e0b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c4d65e620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c4d65e62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc4d65e62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c4d65e6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MSIBE7E.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3084	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4324	msiexec.exe
4324	msiexec.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeShutdownPrivilege	372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	372	msiexec.exe
Token: SeSecurityPrivilege	4324	msiexec.exe
Token: SeCreateTokenPrivilege	372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	372	msiexec.exe
Token: SeLockMemoryPrivilege	372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	372	msiexec.exe
Token: SeMachineAccountPrivilege	372	msiexec.exe
Token: SeTcbPrivilege	372	msiexec.exe
Token: SeSecurityPrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeLoadDriverPrivilege	372	msiexec.exe
Token: SeSystemProfilePrivilege	372	msiexec.exe
Token: SeSystemtimePrivilege	372	msiexec.exe
Token: SeProfSingleProcessPrivilege	372	msiexec.exe
Token: SeIncBasePriorityPrivilege	372	msiexec.exe
Token: SeCreatePagefilePrivilege	372	msiexec.exe
Token: SeCreatePermanentPrivilege	372	msiexec.exe
Token: SeBackupPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeShutdownPrivilege	372	msiexec.exe
Token: SeDebugPrivilege	372	msiexec.exe
Token: SeAuditPrivilege	372	msiexec.exe
Token: SeSystemEnvironmentPrivilege	372	msiexec.exe
Token: SeChangeNotifyPrivilege	372	msiexec.exe
Token: SeRemoteShutdownPrivilege	372	msiexec.exe
Token: SeUndockPrivilege	372	msiexec.exe
Token: SeSyncAgentPrivilege	372	msiexec.exe
Token: SeEnableDelegationPrivilege	372	msiexec.exe
Token: SeManageVolumePrivilege	372	msiexec.exe
Token: SeImpersonatePrivilege	372	msiexec.exe
Token: SeCreateGlobalPrivilege	372	msiexec.exe
Token: SeBackupPrivilege	4532	vssvc.exe
Token: SeRestorePrivilege	4532	vssvc.exe
Token: SeAuditPrivilege	4532	vssvc.exe
Token: SeBackupPrivilege	4324	msiexec.exe
Token: SeRestorePrivilege	4324	msiexec.exe
Token: SeRestorePrivilege	4324	msiexec.exe
Token: SeTakeOwnershipPrivilege	4324	msiexec.exe
Token: SeRestorePrivilege	4324	msiexec.exe
Token: SeTakeOwnershipPrivilege	4324	msiexec.exe
Token: SeRestorePrivilege	4324	msiexec.exe
Token: SeTakeOwnershipPrivilege	4324	msiexec.exe
Token: SeRestorePrivilege	4324	msiexec.exe
Token: SeTakeOwnershipPrivilege	4324	msiexec.exe
Token: SeRestorePrivilege	4324	msiexec.exe
Token: SeTakeOwnershipPrivilege	4324	msiexec.exe
Token: SeBackupPrivilege	4932	srtasks.exe
Token: SeRestorePrivilege	4932	srtasks.exe
Token: SeSecurityPrivilege	4932	srtasks.exe
Token: SeTakeOwnershipPrivilege	4932	srtasks.exe
Token: SeBackupPrivilege	4932	srtasks.exe
Token: SeRestorePrivilege	4932	srtasks.exe
Token: SeSecurityPrivilege	4932	srtasks.exe
Token: SeTakeOwnershipPrivilege	4932	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
372	msiexec.exe
372	msiexec.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 4932	4324	msiexec.exe	95
PID 4324 wrote to memory of 4932	4324	msiexec.exe	95
PID 4324 wrote to memory of 3604	4324	msiexec.exe	97
PID 4324 wrote to memory of 3604	4324	msiexec.exe	97
PID 4324 wrote to memory of 3604	4324	msiexec.exe	97
PID 3604 wrote to memory of 4444	3604	MSIBE7E.tmp	100
PID 3604 wrote to memory of 4444	3604	MSIBE7E.tmp	100
PID 3604 wrote to memory of 4444	3604	MSIBE7E.tmp	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\xyxmml.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\Installer\MSIBE7E.tmp
  "C:\Windows\Installer\MSIBE7E.tmp"
  2⤵
  - Adds Run key to start application
  - Checks computer location settings
  - Drops file in System32 directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bd67.rbs

Filesize
623B

MD5
37670388df915faa1bfd65ee47ebe2c9

SHA1
88c024788069845caa9c30db5ac57502548bcd49

SHA256
01d7f39efd8205d652ed82523aa4436828fa5123e90e3e52e5c0e7d4702ffee8

SHA512
5df525909cc9de0c579fb73f9f8eb0e902c0654f4aeece1664d17a02e9e43e39089bdf4190e08031ab7eb57e5b0ae6da869491cbced0d96fbfc7cfe92560c29b

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
7103f3eec43bbabe34068295157f9f1c

SHA1
a35d73e54e4ba166ac30889f57fa58284881102a

SHA256
2b6db5563d77c827f5a662cb0a05359450db29948863f9a5556c19ce14d05305

SHA512
f8a257aba57a1eacf8f280651e74f97d2e14f326139282abb506764c95fb57db9c4708bafd1ac027b030c40a866be2bd04b3b0bfac82f748b147e8a17dbd7188

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AD75E00

Filesize
23KB

MD5
0cc7727d1d54d54f69e4d30c7096bb28

SHA1
c86515f0a1ddaa3e982391e80255b19acd1893c1

SHA256
4352aa6035c0eca2142cd9069eeeb59e7847bb0b086c91adfbc683d6d5c07354

SHA512
aaf342299496a816bff18aa2ac16fffdfb1916a84150c3fbc415460db6b4ffe996ebf0f05073e2db91a2e1e6da83bb8676026f800480d100c10cad03eb0e7fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir8cSvSf.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Installer\MSIBE7E.tmp

Filesize
1.6MB

MD5
1d2237faf8e6198625010cb580280901

SHA1
592449bddf763bb63c22f638cb42f71484f87f06

SHA256
78643b903379276085c5ef0092afc5c10dee821c5754e01bc8ef835907b16ac4

SHA512
8abe1ff967d92c663080caf54f315e534ea296c91474d66cd327dccc38a3aa8685101649bb120e28f1438011596dde4f2f83e8150c90d51529efce9906a5aa0b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
68a8498e3962de2a8cea3d4eaaeee41c

SHA1
7cbd0d311f8e3056c8d72ff46efd2f49e6c1d7ac

SHA256
c7cddddf9e0d86570e5851b56be9dad259828a4914405616af5317d8a1ab1af9

SHA512
5de86f947433aa00fddc8bdc372240a13469a14a709c79fdd22781fb114bc02b6bc741a3630eeb3f3032efe49d08db66ef9eb618af46d340f7d8557365582de3

Download Submit
\??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f4bb0147-5447-4148-94d2-2414c713458e}_OnDiskSnapshotProp

Filesize
6KB

MD5
e45c516c810ad835311206ae15c24f30

SHA1
b237962a9c1c3316fd316b54aa4c47247e01f708

SHA256
540ff07589c1f9fc15be22d8f750ea551884d7a68179d481c2e717a7a8de427d

SHA512
7161ed23fb0f2b0164eec5ea8fff5b36bf11148fe030dfebab3ffb6fe1dd367102b27a91201b5cfa5752875799db75f4828223572770f403edd011ffe1cab098

Download Submit
memory/3084-91-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3084-95-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3084-96-0x00007FF97DB00000-0x00007FF97DB10000-memory.dmp

Filesize
64KB

Download
memory/3084-97-0x00007FF97DB00000-0x00007FF97DB10000-memory.dmp

Filesize
64KB

Download
memory/3084-94-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3084-92-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3084-93-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3604-80-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/4444-148-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4444-179-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download