xred | 0713f3f1c34297d9689ff5b5202c2f37e385109ce493005eb1128ec180d03afd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0713f3f1c34297d9689ff5b5202c2f37e385109ce493005eb1128ec180d03afd.msi
Size

1.7MB
MD5

251eff52580900a708bc33aa5ac20707
SHA1

ff2848350a329b3fd9d460e40d898962899e5b4d
SHA256

0713f3f1c34297d9689ff5b5202c2f37e385109ce493005eb1128ec180d03afd
SHA512

f0d4501af1d323347aab94eb35c94980fdbade725e7f3e061835cd322ae6333877fb6e0d0ecf73cdebeab40c4fdf1e9acf0c6b5ce85afd51d0a37ddcaf4c7d94
SSDEEP

49152:xERnsHyjtk2MYC5GDIhloJfAAR/sTEsiwg6gpWacS:knsmtk2aFhlZUETE9wg5

Score

10^/10

xred backdoor discovery persistence privilege_escalation

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	MSIC69D.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	MSIC69D.tmp

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\._cache_MSIC69D.tmp	MSIC69D.tmp
File created	C:\Windows\SysWOW64\._cache_MSIC69D.tmp	MSIC69D.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC69D.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c563.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c563.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC62E.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2744	MSIC69D.tmp
3664	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3744	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIC69D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MSIC69D.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4336	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3648	msiexec.exe
3648	msiexec.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3744	msiexec.exe
Token: SeSecurityPrivilege	3648	msiexec.exe
Token: SeCreateTokenPrivilege	3744	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3744	msiexec.exe
Token: SeLockMemoryPrivilege	3744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3744	msiexec.exe
Token: SeMachineAccountPrivilege	3744	msiexec.exe
Token: SeTcbPrivilege	3744	msiexec.exe
Token: SeSecurityPrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeLoadDriverPrivilege	3744	msiexec.exe
Token: SeSystemProfilePrivilege	3744	msiexec.exe
Token: SeSystemtimePrivilege	3744	msiexec.exe
Token: SeProfSingleProcessPrivilege	3744	msiexec.exe
Token: SeIncBasePriorityPrivilege	3744	msiexec.exe
Token: SeCreatePagefilePrivilege	3744	msiexec.exe
Token: SeCreatePermanentPrivilege	3744	msiexec.exe
Token: SeBackupPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeShutdownPrivilege	3744	msiexec.exe
Token: SeDebugPrivilege	3744	msiexec.exe
Token: SeAuditPrivilege	3744	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3744	msiexec.exe
Token: SeChangeNotifyPrivilege	3744	msiexec.exe
Token: SeRemoteShutdownPrivilege	3744	msiexec.exe
Token: SeUndockPrivilege	3744	msiexec.exe
Token: SeSyncAgentPrivilege	3744	msiexec.exe
Token: SeEnableDelegationPrivilege	3744	msiexec.exe
Token: SeManageVolumePrivilege	3744	msiexec.exe
Token: SeImpersonatePrivilege	3744	msiexec.exe
Token: SeCreateGlobalPrivilege	3744	msiexec.exe
Token: SeBackupPrivilege	1408	vssvc.exe
Token: SeRestorePrivilege	1408	vssvc.exe
Token: SeAuditPrivilege	1408	vssvc.exe
Token: SeBackupPrivilege	3648	msiexec.exe
Token: SeRestorePrivilege	3648	msiexec.exe
Token: SeRestorePrivilege	3648	msiexec.exe
Token: SeTakeOwnershipPrivilege	3648	msiexec.exe
Token: SeRestorePrivilege	3648	msiexec.exe
Token: SeTakeOwnershipPrivilege	3648	msiexec.exe
Token: SeRestorePrivilege	3648	msiexec.exe
Token: SeTakeOwnershipPrivilege	3648	msiexec.exe
Token: SeRestorePrivilege	3648	msiexec.exe
Token: SeTakeOwnershipPrivilege	3648	msiexec.exe
Token: SeRestorePrivilege	3648	msiexec.exe
Token: SeTakeOwnershipPrivilege	3648	msiexec.exe
Token: SeBackupPrivilege	980	srtasks.exe
Token: SeRestorePrivilege	980	srtasks.exe
Token: SeSecurityPrivilege	980	srtasks.exe
Token: SeTakeOwnershipPrivilege	980	srtasks.exe
Token: SeBackupPrivilege	980	srtasks.exe
Token: SeRestorePrivilege	980	srtasks.exe
Token: SeSecurityPrivilege	980	srtasks.exe
Token: SeTakeOwnershipPrivilege	980	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3744	msiexec.exe
3744	msiexec.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4336	EXCEL.EXE
4336	EXCEL.EXE
4336	EXCEL.EXE
4336	EXCEL.EXE
4336	EXCEL.EXE
4336	EXCEL.EXE
4336	EXCEL.EXE
4336	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 980	3648	msiexec.exe	94
PID 3648 wrote to memory of 980	3648	msiexec.exe	94
PID 3648 wrote to memory of 2744	3648	msiexec.exe	96
PID 3648 wrote to memory of 2744	3648	msiexec.exe	96
PID 3648 wrote to memory of 2744	3648	msiexec.exe	96
PID 2744 wrote to memory of 3664	2744	MSIC69D.tmp	99
PID 2744 wrote to memory of 3664	2744	MSIC69D.tmp	99
PID 2744 wrote to memory of 3664	2744	MSIC69D.tmp	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0713f3f1c34297d9689ff5b5202c2f37e385109ce493005eb1128ec180d03afd.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\Installer\MSIC69D.tmp
  "C:\Windows\Installer\MSIC69D.tmp"
  2⤵
  - Adds Run key to start application
  - Checks computer location settings
  - Drops file in System32 directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c566.rbs

Filesize
681B

MD5
fa01650308e9876063cb5a59ea22ef9f

SHA1
590bf84c3eac592331769a1f91130b90185d4fa8

SHA256
5200163231e3b09e285752fda93a855d2b593e006ef9ff922d1542cf6beba638

SHA512
118207cdfe2be7e080008cd7f9e0516aeb144579d6bb91ce56901def41371674e21e315227dfc81c09b4a8f4377ce4165c49a3c53d299ebc9d6339dab4a02b59

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
aca4d70521de30563f4f2501d4d686a5

SHA1
6c2baa72ea5d08b6583893b01001e540213f4aaf

SHA256
449b6a3e32ceb8fc953eaf031b3e0d6ec9f2e59521570383d08dc57e5ffa3e19

SHA512
da806bd4ac02c45c17ed5d050428b3e7b15e8f148acb156cfb41eab3e27c35fa91ab1a55d18c6ef488a82d3379abf45421432e2efaf2fae4968c760d42215a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eCwtXfi.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\92E75E00

Filesize
21KB

MD5
26e60de209776e7bfadabfcb8aeb56b2

SHA1
8a43b99830b8aeb25a22c9a8db2ba0d7fc2b4aff

SHA256
2ad8ecc0dd753cccdb1b60f9e164c589ee2d40c1c1871689927b95e12d06db2f

SHA512
73b9c0bd6cb8f0cfb46eb11c6da79ea0c2c5fe1a343e7bee67764d0a5a342c094f554eba06a8a68e23ce4ab8b6986e6ce8fd96fdb304193d4f5982b9bbe9faa9

Download Submit
C:\Windows\Installer\MSIC69D.tmp

Filesize
1.6MB

MD5
6ae1479d38c7cb94c69b68d6f8678129

SHA1
0be3abad5d5f32440715b33052ce7df3059c5281

SHA256
87e0b788c004b6a9c0796fc7d60c61f10070025440e34725d1519e6b76a99f1f

SHA512
e55d621b2c49333cf980764c5d03c50d7cb9af3742b4f7b6801240461c275988ac4e9815c9ccd8606364de5d8efd94c08f9da6f6cb182955dda3ff49a21d31e3

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
8a46cb60e8abad6bc662b31276c75b27

SHA1
b236ae7fa0ee675d851356eceab724c661dcc3b3

SHA256
58181b7814f4448d5234cbd01aee5a15aeb1c6e3f87567c740906ef8da10c91f

SHA512
d9086d198178e73697e67938bec61d3bb8c33a2575065a94d708ed8a97100a57fb6eb79d2c5755622180f5361999b6e83f1810c3c0430c5ea0d5795c255087fa

Download Submit
\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6887d21b-9f79-46c8-af2a-6207776b4015}_OnDiskSnapshotProp

Filesize
6KB

MD5
143bee9d202a8f64cb9d67dbfa1dd7ea

SHA1
ecc88aa967759597f14b2d76594e41823d60d171

SHA256
1e120d6229221df24089c01fbd02bafd21a53709c56f32bdab3de7745fe0c0c6

SHA512
69edecdf54fa96d4af165cee4266d1d85f7b97ff58f62f95009a72b77c5159776ffa7bc42e85ec2cfa4343fa55bdae2263537f08deb1bea13e477fca6e422527

Download Submit
memory/2744-80-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/3664-177-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3664-146-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4336-91-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/4336-97-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

Filesize
64KB

Download
memory/4336-96-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

Filesize
64KB

Download
memory/4336-95-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/4336-94-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/4336-92-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/4336-93-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download