Overview

overview

10

Static

static

3

2025-01-01...er.exe

windows7-x64

10

2025-01-01...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe

  • Size

    14.4MB

  • MD5

    3bfb1de40b93d74b5641783224ebe3f8

  • SHA1

    f6c97b8a5565c6fa7f1345ce1c50f91ed70072c0

  • SHA256

    e3f866226c131e7ec52fa9e00c63b735e0aefcdd2cfb6f379347a6189e097e6f

  • SHA512

    b6fccadbbd8fd7f4310cfac192239e6e71347d15481be0b568b3d0f030cf69c77aaa9c14f457a78b4725ca73ae352bf5cf8824e973c309759ebaf9cbde7f4e13

  • SSDEEP

    196608:/R668aaELoR668aaELaR668aaELsR668aaELuR668aaELwR668aaELVFKzYN:/p8aa5p8aaDp8aa9p8aaXp8aahp8aa

Score
10/10
remcosxredbackdoordiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE649.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3332
    • C:\Users\Admin\AppData\Local\Temp\2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe"
      2⤵
        PID:3148
      • C:\Users\Admin\AppData\Local\Temp\2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe"
        2⤵
        • Checks computer location settings
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4516
        • C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:516
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4276
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3612
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4968.tmp"
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1012
          • C:\ProgramData\Synaptics\Synaptics.exe
            "C:\ProgramData\Synaptics\Synaptics.exe"
            4⤵
            • Executes dropped EXE
            PID:740
          • C:\ProgramData\Synaptics\Synaptics.exe
            "C:\ProgramData\Synaptics\Synaptics.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4828
            • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
              "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3184
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:700

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      14.4MB

      MD5

      3bfb1de40b93d74b5641783224ebe3f8

      SHA1

      f6c97b8a5565c6fa7f1345ce1c50f91ed70072c0

      SHA256

      e3f866226c131e7ec52fa9e00c63b735e0aefcdd2cfb6f379347a6189e097e6f

      SHA512

      b6fccadbbd8fd7f4310cfac192239e6e71347d15481be0b568b3d0f030cf69c77aaa9c14f457a78b4725ca73ae352bf5cf8824e973c309759ebaf9cbde7f4e13

      Download Submit

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      468e7b498525f6194a64e28e9a9cca7f

      SHA1

      c5d0cae2781075756b4d2864932798e551c21496

      SHA256

      bf07b6e304acf4c5ac5cb875fad3b9ab96abd46262f2d9a4e237fabfa14b3f31

      SHA512

      761bbd3119a80a842aae13953380889d4c927c7eced79f89d9474a6e9b5f60d0708e4fff33cfd468497229f1c4d4525a314d1024fe0ed88faa32d96be8fc1a20

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      952b8637ba6d699a06cb3b9141d1808b

      SHA1

      8d374b85272b3ca72210304c926b89d72c422eaa

      SHA256

      6f735459798eb105b787cb1a3faba209c0ab00a6366051ea5294e789f0d8eb62

      SHA512

      4bed7ba7fd02ae6e2259063900bf5e2e0e34d8fc212fe066dc96baf1e8acc69627828600544c4e780b8ac0884d902fb8e23b0733887ca007db5b517d19cc44fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      0b77ac8d8f2e4e3f29833c0a6e387614

      SHA1

      bca6e4002f1228f5fbef30054adb437ebb6400e3

      SHA256

      8bf713cd6ee630b90d046b68e567a70b632350a950a4c5e401e952a644e8d8ae

      SHA512

      d931ebcb5087b999b15f34b115e6705df501ce423dd15789eb91073be56ed3bf9df98f29fac36e28dedaba114710cbc517de8dc6adb53cb1d6e70a645c674838

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-01_3bfb1de40b93d74b5641783224ebe3f8_formbook_luca-stealer_magniber.exe
      Filesize

      483KB

      MD5

      f3b57ccad1c0a308635e17aa591e4038

      SHA1

      ca67ad3c74523b844fc23563f7b288f0389fd645

      SHA256

      5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7

      SHA512

      5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\0A585E00
      Filesize

      23KB

      MD5

      a50913be707c5ca0f3fa3dc259a18a25

      SHA1

      9863f8a34425dc4199fab608ea9397bf967182c0

      SHA256

      9a7369c658e65834f883d8bbb5d2d27b84970e47985f3c251f6fd61f4deebae5

      SHA512

      857c96431f3d33be9fe1d2078039e8f2480930d144c7d64c071b8f5e1de756c56c60a30ff5d0243b1301693bbdd2d0e60ded6e762847902f02e2a1913eece121

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7tnKMrF9.xlsm
      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bdtw0yq2.3uu.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpE649.tmp
      Filesize

      1KB

      MD5

      c29f510ecd38a31ce966f6d6f4cfb528

      SHA1

      5a76093860adc2a323ac898bace9a4a9e1aa3cab

      SHA256

      f11bbc6373b5b7caa7c10d4b4cf652110c4fd5119ea08a483c2d5d02a549ed4f

      SHA512

      1a3dd33d7a66b641ba8166074d6e14caf9f5eaddd758d36f3c82f3f9ac3f2f1324bab89d01d6561ce9ada44f1a098aad4164d9237cc221d20c2e28c156ba68f3

      Download Submit

    • memory/700-268-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/700-270-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/700-267-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/700-269-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/700-271-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/700-284-0x00007FFC369B0000-0x00007FFC369C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/700-272-0x00007FFC369B0000-0x00007FFC369C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1188-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1188-50-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1188-10-0x000000000A5E0000-0x000000000A67C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1188-1-0x0000000000200000-0x0000000001066000-memory.dmp

      Filesize

      14.4MB

      Download

    • memory/1188-9-0x0000000006D50000-0x0000000006ECE000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1188-8-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1188-7-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1188-2-0x00000000060A0000-0x0000000006644000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1188-6-0x0000000006020000-0x0000000006038000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1188-5-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1188-3-0x0000000005A40000-0x0000000005AD2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1188-4-0x0000000005B10000-0x0000000005B1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-190-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-22-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-179-0x0000000007740000-0x0000000007751000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2252-45-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-29-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-183-0x0000000007860000-0x0000000007868000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-182-0x0000000007880000-0x000000000789A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2252-165-0x000000006FBB0000-0x000000006FBFC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2252-181-0x0000000007780000-0x0000000007794000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2252-180-0x0000000007770000-0x000000000777E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3008-249-0x000000006FBE0000-0x000000006FC2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3008-210-0x0000000005CE0000-0x0000000006034000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3008-286-0x0000000007730000-0x0000000007744000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3008-283-0x0000000007700000-0x0000000007711000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3008-259-0x0000000007400000-0x00000000074A3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3008-215-0x0000000006250000-0x000000000629C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3612-273-0x000000006FBE0000-0x000000006FC2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4516-46-0x0000000000400000-0x000000000053B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4516-47-0x0000000000400000-0x000000000053B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4760-189-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4760-175-0x0000000007730000-0x0000000007DAA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4760-15-0x00000000024A0000-0x00000000024D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4760-178-0x0000000007370000-0x0000000007406000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4760-153-0x000000006FBB0000-0x000000006FBFC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4760-49-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4760-152-0x0000000006390000-0x00000000063C2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4760-164-0x0000000006DB0000-0x0000000006E53000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4760-163-0x0000000006370000-0x000000000638E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4760-44-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4760-23-0x0000000005780000-0x0000000005AD4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4760-19-0x0000000004E00000-0x0000000004E22000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4760-20-0x0000000005520000-0x0000000005586000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4760-53-0x0000000005FF0000-0x000000000603C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4760-176-0x00000000070F0000-0x000000000710A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4760-21-0x0000000005590000-0x00000000055F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4760-18-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4760-177-0x0000000007160000-0x000000000716A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4760-17-0x0000000004EF0000-0x0000000005518000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4760-16-0x0000000074BE0000-0x0000000075390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4828-209-0x0000000000400000-0x000000000053B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4828-331-0x0000000000400000-0x000000000053B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4828-330-0x0000000000400000-0x000000000053B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4828-339-0x0000000000400000-0x000000000053B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4828-374-0x0000000000400000-0x000000000053B000-memory.dmp

      Filesize

      1.2MB

      Download