Analysis

  • max time kernel
    43s
  • max time network
    39s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02-02-2025 18:17

General

  • Target

    adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe

  • Size

    760KB

  • MD5

    79549e64dc118988e997a209ef99567d

  • SHA1

    48948a955e0266ac2d5fb7c61e3f48aca97a829c

  • SHA256

    adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43

  • SHA512

    3c58de1340c4a68509cc5c72b6eddc91ffca7d0d0038363632bd6abd51a165452e0a1d2bf0ecbffa0a1ec4e0e9a2f421deaae681f81373917d9dee72c283e4ea

  • SSDEEP

    12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9KmKj:WnsJ39LyjbJkQFMhmC+6GD9c

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Modifies Windows Firewall 2 TTPs 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 43 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 50 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
    "C:\Users\Admin\AppData\Local\Temp\adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3788
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:5032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:3220
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          4⤵
            PID:2260
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:4468
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp84FF.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4108
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 2
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1564
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3240
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2260
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:4128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:3408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4204
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
              5⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:1576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3608
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
              5⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2156
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp87FC.tmp.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2244
            • C:\Windows\system32\PING.EXE
              ping 127.0.0.1 -n 2
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3360
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:968
    • C:\Windows\system32\control.exe
      "C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:5084
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:1100
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:384
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /7
        2⤵
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2628
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4268

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe

        Filesize

        760KB

        MD5

        79549e64dc118988e997a209ef99567d

        SHA1

        48948a955e0266ac2d5fb7c61e3f48aca97a829c

        SHA256

        adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43

        SHA512

        3c58de1340c4a68509cc5c72b6eddc91ffca7d0d0038363632bd6abd51a165452e0a1d2bf0ecbffa0a1ec4e0e9a2f421deaae681f81373917d9dee72c283e4ea

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        0384058137c9cab33ce6ceb677fd200c

        SHA1

        b33f68bc26ba8b74c8c8b43cefdba3776f9e3c95

        SHA256

        961f8955d148572052738e9eaca16b818dc43d971446c6e70bf554f91ce5d034

        SHA512

        ef2b43e095a5d18ba1b0d034a8038ead8c371a65c3a92e03fd714cefa05f9a4978ec1bdad0a10389d79934ac441ce06202846276ff47ac3412333f2ea205755d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        446dd1cf97eaba21cf14d03aebc79f27

        SHA1

        36e4cc7367e0c7b40f4a8ace272941ea46373799

        SHA256

        a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

        SHA512

        a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

      • C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe

        Filesize

        7KB

        MD5

        4f335528745cc617396c5c7107e84dff

        SHA1

        e90b4e0e888c43dde82662df49c7c054207a2961

        SHA256

        50e64c6fb2a0fb6898a792d192c35b3f43996c6dea24d5f94c0e90e2be238671

        SHA512

        0bb11a0577108a13ebd98323ea094d05205a07686ab355e9c6bf8976398be0a327306206c64a4d41109fbf2f47f8af0925a605023ea308109d7c80540129138c

      • C:\Users\Admin\AppData\Local\Temp\00875E00

        Filesize

        21KB

        MD5

        c37874b2232541a896d57e02b9a8c984

        SHA1

        95a259bc122bc25886e63b138caa28eecdbf00a1

        SHA256

        4faf85aff5ff77fbfbcf957ceadb6da9a45023e46bc4f5558d09bf09872cfccc

        SHA512

        2dc4fe94df5197b95f0185587d568c6157061f69de3b99a67eab113da08cae102d421584f5bd21a6ed6c624ef38c6df23670e04795f7106915f28e64afd5da1a

      • C:\Users\Admin\AppData\Local\Temp\49TViA8z.xlsm

        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_maptydar.cal.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\tmp84FF.tmp.bat

        Filesize

        213B

        MD5

        a5adee0e51dca1359bb4013e967cbcda

        SHA1

        1b6316ceceb3e5db574984bc42cca03ab1bd13b2

        SHA256

        08fc38691fe411b468d0df5f289ee88a62129eb3d82dbd17a29cce901b5c48eb

        SHA512

        b70f5b60f5d341593dd4238ae5141cf6de47b159b6b82144a012d9af5cc84e87baeec8786ed872b77f5b8317942e640cb163273b4226ad846ac3b3c7e2d17d08

      • C:\Users\Admin\AppData\Local\Temp\tmp87FC.tmp.bat

        Filesize

        158B

        MD5

        f5b7d73f09d210ec9a00c6a92807fb31

        SHA1

        a7de5a3f5189103d94072b333e5c2076d2c9c4ac

        SHA256

        c2d463b7aea30c6691ee3d207cbe81c77ea414ab527f1b1016bac46cf69dccee

        SHA512

        e55958ed63c5ec7a35a5f758fafe09afed32f21a2becae1dbc71e7930062f04bfe52700e977c9c9a13ee4a804afb49be7620ecd6a22a025fac64a051248066bd

      • memory/968-206-0x00007FFD34D70000-0x00007FFD34D80000-memory.dmp

        Filesize

        64KB

      • memory/968-217-0x00007FFD32330000-0x00007FFD32340000-memory.dmp

        Filesize

        64KB

      • memory/968-205-0x00007FFD34D70000-0x00007FFD34D80000-memory.dmp

        Filesize

        64KB

      • memory/968-207-0x00007FFD34D70000-0x00007FFD34D80000-memory.dmp

        Filesize

        64KB

      • memory/968-203-0x00007FFD34D70000-0x00007FFD34D80000-memory.dmp

        Filesize

        64KB

      • memory/968-204-0x00007FFD34D70000-0x00007FFD34D80000-memory.dmp

        Filesize

        64KB

      • memory/968-208-0x00007FFD32330000-0x00007FFD32340000-memory.dmp

        Filesize

        64KB

      • memory/2628-341-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2628-334-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2628-344-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2628-342-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2628-343-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2628-340-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2628-339-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2628-335-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2628-345-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2628-333-0x0000019640300000-0x0000019640301000-memory.dmp

        Filesize

        4KB

      • memory/2916-129-0x0000000000400000-0x00000000004C4000-memory.dmp

        Filesize

        784KB

      • memory/2916-0-0x0000000002340000-0x0000000002341000-memory.dmp

        Filesize

        4KB

      • memory/3240-355-0x0000000000400000-0x00000000004C4000-memory.dmp

        Filesize

        784KB

      • memory/3240-348-0x0000000000400000-0x00000000004C4000-memory.dmp

        Filesize

        784KB

      • memory/3788-191-0x00007FFD65780000-0x00007FFD66242000-memory.dmp

        Filesize

        10.8MB

      • memory/3788-220-0x00007FFD65780000-0x00007FFD66242000-memory.dmp

        Filesize

        10.8MB

      • memory/3788-192-0x00007FFD65780000-0x00007FFD66242000-memory.dmp

        Filesize

        10.8MB

      • memory/3788-142-0x00007FFD65780000-0x00007FFD66242000-memory.dmp

        Filesize

        10.8MB

      • memory/3788-139-0x0000027C6C510000-0x0000027C6C532000-memory.dmp

        Filesize

        136KB

      • memory/3840-71-0x0000018852B30000-0x0000018852B38000-memory.dmp

        Filesize

        32KB

      • memory/3840-70-0x00007FFD65783000-0x00007FFD65785000-memory.dmp

        Filesize

        8KB