Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-01-2025 19:22

General

  • Target

    2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe

  • Size

    9.7MB

  • MD5

    13ea4eef9bf2474af62e91f23b997f22

  • SHA1

    1831e4456b4194153698a9456595a4334e375451

  • SHA256

    85b0329f81547c5ddcceb47048820f13e40361c9520fc4ae1cd52fd9de2b3af0

  • SHA512

    e3b634b4cb7a6018473a7cd45ba3575f4081e51f49e4633016f06ed7f3761a42f1c631ffe4b377dfa900c447be823b179bcd59a5659ae10a070d0a8b349a4aa7

  • SSDEEP

    196608:jLjLivur4OIag6AiQBhyQbEAkZQdnkW9AVSGfGIJXcaI6HMaJTtGbp:jHLiv6Iazyyu4JfdJXq

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language
ps1
Source
URLs
exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/db/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
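The payload_url list above mixes actor-controlled hosts (xred.site50.net, and the C2 name xred.mooo.com, a shared domain of the same FreeDNS service the getdyndns API call goes to) with hosts that carry large volumes of legitimate traffic (docs.google.com, www.dropbox.com, freedns.afraid.org). Blocking the latter by hostname is not an option, so each URL has to be normalised into the right kind of indicator. The script below is an added example, not sandbox output and not Xred code; PAYLOAD_URLS and C2 are copied from the config above, and SHARED_HOSTS is this example's own judgement call about which hosts are unsafe to block outright.

```python
"""Turn the payload_url list from the extracted Xred config into indicators a
network team can act on: hosts that can be blocked outright versus URLs that
are only usable as exact matches because the host is shared with legitimate
traffic. Added example; PAYLOAD_URLS and C2 are copied from the report and
SHARED_HOSTS is an assumption made here."""
from urllib.parse import parse_qs, urlsplit

C2 = "xred.mooo.com"
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]
# Hosts shared with legitimate users: only the exact URL is an indicator (assumption).
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def classify(url: str) -> dict:
    """Normalise one URL: host, whether the host alone is a safe block target,
    the delivered filename if the path carries one, any opaque id in the query,
    and whether the fetch is plaintext HTTP (content can be inspected/hashed in transit)."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    last = p.path.rsplit("/", 1)[-1]          # "" for /api/, "uc" for Google Docs
    q = parse_qs(p.query)
    return {
        "host": host,
        "host_blockable": host not in SHARED_HOSTS,
        "filename": last if "." in last else None,
        "opaque_id": (q.get("id") or q.get("sha") or [None])[0],
        "plaintext": p.scheme == "http",
    }


def build_iocs(urls, c2):
    """Split into (hosts to block, exact URLs to match). The C2 name is always a host IOC."""
    hosts, exact = {c2}, []
    for url in urls:
        info = classify(url)
        if info["host_blockable"]:
            hosts.add(info["host"])
        else:
            exact.append(url)
    return sorted(hosts), exact


def filenames(urls):
    """Distinct artefact names the config delivers, for file-name hunting on endpoints."""
    return sorted({classify(u)["filename"] for u in urls} - {None})


if __name__ == "__main__":
    hosts, exact = build_iocs(PAYLOAD_URLS, C2)
    print("block hosts:", hosts)
    print("exact-match URLs:", len(exact))
    print("artefacts:", filenames(PAYLOAD_URLS))
```

The Google Docs links carry only an opaque file id, so the artefact each one delivers can be inferred only from its position next to the Dropbox and site50 entries for the same file; the script records the id rather than guessing the name.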

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Blocklisted process makes network request 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Uses the powershell.exe command.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\SysWOW64\reg.exe
        "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:540
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\files\ver.txt') }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2852
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -nop -c "$Tls12 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072); [System.Net.ServicePointManager]::SecurityProtocol = $Tls12; (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData','C:\Users\Admin\AppData\Local\Temp\files\ver.txt')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/db/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\files\v32.cab') }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1640
      • C:\Windows\SysWOW64\expand.exe
        "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1232
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\files\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1840
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\files\ver.txt') }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -nop -c "$Tls12 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072); [System.Net.ServicePointManager]::SecurityProtocol = $Tls12; (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData','C:\Users\Admin\AppData\Local\Temp\files\ver.txt')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1032
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\files\v32.cab') }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
      • C:\Windows\SysWOW64\expand.exe
        "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1132
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\files\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2736
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2076
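The process tree above is the whole infection chain in one place: the dropped `._cache_` copy re-enables Windows Script Host through reg.exe, then drives powershell.exe (Net.WebClient.DownloadFile) to pull Office Click-to-Run version metadata from Microsoft-operated hosts into %TEMP% and unpacks it with expand.exe, while `C:\ProgramData\Synaptics\Synaptics.exe` (whose hashes in the Downloads section are identical to the submitted sample) relaunches with the InjUpdate argument. Because every URL contacted is on microsoft.com or live.com, URL reputation will not flag these requests; the detection has to key on the behaviour and on the parent/child relationship. The script below is an added example of that logic, not sandbox output and not Xred code. EVENTS is constructed to resemble Sysmon Event ID 1 records (the field names pid, ppid, image, cmdline are an assumption); the command lines are copied from the tree above, and one benign PowerShell event is added as a control.

```python
"""Behavioural detection for the Xred download/persistence chain shown in the
report: reg.exe enabling Windows Script Host, powershell.exe downloading into
%TEMP% via Net.WebClient, expand.exe unpacking a .cab in %TEMP%, and
Synaptics.exe / ._cache_*.exe launched with InjUpdate. Added example, not
sandbox output; EVENTS is constructed from the command lines in the report."""
import re
from collections import defaultdict

SAMPLE = "2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed process-creation records; field names are an assumption
    {"pid": 2528, "ppid": 2308, "image": rf"{TEMP}\._cache_{SAMPLE}",
     "cmdline": rf'"{TEMP}\._cache_{SAMPLE}"'},
    {"pid": 540, "ppid": 2528, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'"reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f'},
    {"pid": 2852, "ppid": 2528, "image": PS,
     "cmdline": rf'''"powershell" -nop -command "& {{ (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', '{TEMP}\files\ver.txt') }}"'''},
    {"pid": 1232, "ppid": 2528, "image": r"C:\Windows\SysWOW64\expand.exe",
     "cmdline": rf'"expand" v32.cab -F:VersionDescriptor.xml {TEMP}\files'},
    {"pid": 1840, "ppid": 2528, "image": PS,
     "cmdline": rf'''"powershell" -command "& {{ Get-Content {TEMP}\files\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }}"'''},
    {"pid": 2256, "ppid": 2308, "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "cmdline": r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate'},
    {"pid": 2736, "ppid": 2256, "image": rf"{TEMP}\._cache_Synaptics.exe",
     "cmdline": rf'"{TEMP}\._cache_Synaptics.exe" InjUpdate'},
    # benign control (constructed): an administrator running PowerShell from Explorer
    {"pid": 4000, "ppid": 1500, "image": PS,
     "cmdline": r'"powershell" -command "Get-Process | Sort-Object CPU"'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: dict) -> list:
    """Return the names of every rule this single event satisfies."""
    img, cmd = basename(ev["image"]), ev["cmdline"]
    hits = []
    # reg.exe flipping HKLM\...\Windows Script Host\Settings\Enabled to 1
    if img == "reg.exe" and re.search(r"Windows Script Host\\Settings", cmd, re.I) \
            and re.search(r'/v\s+"?Enabled"?\s+/t\s+REG_DWORD\s+/d\s+1\b', cmd, re.I):
        hits.append("wsh_enabled_via_reg")
    # powershell.exe using WebClient.DownloadFile with a destination under %TEMP%
    if img == "powershell.exe" and re.search(r"Net\.WebClient", cmd, re.I) \
            and re.search(r"\.DownloadFile\(", cmd, re.I) and TEMP_RE.search(cmd):
        hits.append("ps_webclient_download_to_temp")
    # expand.exe extracting a cabinet into %TEMP%
    if img == "expand.exe" and re.search(r"\.cab\b", cmd, re.I) and TEMP_RE.search(cmd):
        hits.append("expand_cab_into_temp")
    # the Xred self-copy or a ._cache_ host binary relaunched with InjUpdate
    if (ev["image"].lower() == r"c:\programdata\synaptics\synaptics.exe"
            or img.startswith("._cache_")) and "injupdate" in cmd.lower():
        hits.append("synaptics_injupdate")
    return hits


def detect_chains(events: list, min_rules: int = 3) -> dict:
    """Credit each event's hits to itself and to its parent, then report the
    pids whose one-level subtree covers at least min_rules distinct rules.
    A single powershell download is noise; reg + download + expand under
    one parent is the chain from the report."""
    credited = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev):
            credited[ev["pid"]].add(rule)
            credited[ev["ppid"]].add(rule)
    return {pid: sorted(rules) for pid, rules in credited.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    for pid, rules in detect_chains(EVENTS).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

Run as-is it flags only pid 2528 (the `._cache_` copy that spawned reg.exe, the downloads and expand.exe); the InjUpdate launches of Synaptics.exe are reported per event but do not form a chain on their own, and the control PowerShell event matches nothing. Tune min_rules and the rule set to your telemetry; the "Blocklisted process makes network request" signature in this report fires on the same powershell.exe events.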

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    9.7MB

    MD5

    13ea4eef9bf2474af62e91f23b997f22

    SHA1

    1831e4456b4194153698a9456595a4334e375451

    SHA256

    85b0329f81547c5ddcceb47048820f13e40361c9520fc4ae1cd52fd9de2b3af0

    SHA512

    e3b634b4cb7a6018473a7cd45ba3575f4081e51f49e4633016f06ed7f3761a42f1c631ffe4b377dfa900c447be823b179bcd59a5659ae10a070d0a8b349a4aa7

  • C:\Users\Admin\AppData\Local\Temp\UieTdrcO.xlsm

    Filesize

    21KB

    MD5

    995750f9e40bc9ef507f886e6f3c2112

    SHA1

    b623f0ecc216077d7438a613dade1c2f05d64a31

    SHA256

    b6f3c72c8c5af9ebe264e364415c84ef579d4503ffd53fe53ec1a371296095a6

    SHA512

    ddd88269bdcbfabfd507cf15bbdd66f85d40b9d84215f22950a70648be74fcddec0e15574714ee57d259adf2c4cc7ff52fbe802c64d5a6e7fbf997cd3276c349

  • C:\Users\Admin\AppData\Local\Temp\UieTdrcO.xlsm

    Filesize

    25KB

    MD5

    0573517a4d9825276122b279434d24c5

    SHA1

    1c78ae588069fd8d825d62c6e42ba3610304b29d

    SHA256

    911c5593eeee733a562ca2b21aa0165e6a545c83ca7f02ed3cdc79a12fde23f2

    SHA512

    d280e73c199fda4a82ef4af45646fa6efa00674c969f5f55246eee3e2c606d6c04fa8de2af1df27faccebdb3599ab2b0b49d5cff7477f23485d88c659832e457

  • C:\Users\Admin\AppData\Local\Temp\UieTdrcO.xlsm

    Filesize

    23KB

    MD5

    3b3ff01b3a3567c9f010c0433b712b44

    SHA1

    cbf9cd7fb7dda7eb7a4e7ce552f7eb4d7def08ba

    SHA256

    2ba3a8ae458a0915faf639def5a8636cc06163ec40d3bcaaf0773a6b329ebdc2

    SHA512

    ca139788186b9c95ce88ba07ad074698c30c803ba87ba64c165292b2eca7e9506c58e4ebca74ccb8c0b75020181868f477cf6c8bb753001bdf012775960df9ac

  • C:\Users\Admin\AppData\Local\Temp\UieTdrcO.xlsm

    Filesize

    21KB

    MD5

    00355ea5968ab4ef2cecbd663ecc9619

    SHA1

    076c412cc297880b0009630c50d4a4970650ad42

    SHA256

    b8f1592628954fcf0964a88018f00c854d9cf05d3490ddc86df5a1281bf9a741

    SHA512

    a06a98e94c78d9391334532ccc6d386d33d3a1e6acd8f67bc86460c5cc3f51137cf61231842516a47187a8fdadfb65aecffb6a42c1333b19277e8f96bbeb7444

  • C:\Users\Admin\AppData\Local\Temp\UieTdrcO.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\UieTdrcO.xlsm

    Filesize

    26KB

    MD5

    aea44e614b409bd3ea18ab5f2ef1f0b6

    SHA1

    040e30b0ff0763ffc4852f8b5127a4ff402ad6cf

    SHA256

    39d1a1ed76234f143c483993c76d8ba9efe03588f50df73329bef70fa2bb9b34

    SHA512

    0ca9524ee500ad655d8e08939649a75660c9f5c50c6699fab2217c6c66e90064cac9f5d1b57b3df38f8b87811967109915efe73cd78dd2fb63b10fc8ae9d1ef4

  • C:\Users\Admin\AppData\Local\Temp\files\VersionDescriptor.xml

    Filesize

    12KB

    MD5

    59f66213e30b1681bc462c7dd4c365e8

    SHA1

    18c1d5ff74dee42dc2cd96d23dabf1551929d9dc

    SHA256

    cae1ea66b8eb0d8a86c93688112bb9b67e9288d7bc97138cc30dd70b91727b78

    SHA512

    1943794bf27ca1a4a8cb45b580f555d064a800245c8ffffa641bfca11d5202e21b24ba7dcf85072f2af62b8ffe9aee03bab7d33b15ef4cefbbb7c3b27847fdba

  • C:\Users\Admin\AppData\Local\Temp\files\VersionDescriptor.xml

    Filesize

    25KB

    MD5

    78ac1196c60e8f7fb1f8a890522bcef2

    SHA1

    1cd2730c3814d3e21286074e39637fea7546c901

    SHA256

    ff559a00c85cfa76c738485fb7a177153732f9d37f1ea2e89d144b3db1fa039e

    SHA512

    99174c89dfaed75d1d9f4448cb88a3a70a04677cb47432daff2b465ef1dc72d65b0ba12575af0ce966efb52b262e5322d256b0227eceee74219a6f3c518743a7

  • C:\Users\Admin\AppData\Local\Temp\files\v32.cab

    Filesize

    11KB

    MD5

    e824b52386bb17a4f135f5645dadc293

    SHA1

    89c31cb22f86db32cb006dfeb697a1fb4bc7df8a

    SHA256

    b771c767f0ecb93cb9a4d89724fcb97b8af1f7cf74bac59279b3f59e4e7ebfdd

    SHA512

    c4c74fd55e30655dc99a71d870646aff26637256d4e38becbec029ea955bfe35ea1eedcfbdfcccc4c4d67adb51d3bd4a103e97ee910f63c45dbc18a393ea9522

  • C:\Users\Admin\AppData\Local\Temp\files\v32.cab

    Filesize

    10KB

    MD5

    c8396c0cfb79601a14f62e40d677ef89

    SHA1

    a80a45bee058dc42635d3f72e8b34d683af122d1

    SHA256

    b7fe0edbe23f745b1864619c88d32809c5d3df8a0dcca5df6bfbb860767d81d8

    SHA512

    fab3fe1e7576c2a4485ce08226f3205b998f99cfc86654af750cc84224d6c61b7adfd377f60df2e354886bd65e46f3c687f9a399a91e463e289f33d867eab49e

  • C:\Users\Admin\AppData\Local\Temp\files\v32.txt

    Filesize

    12KB

    MD5

    65e4eb494857b5826055446bb92ffe04

    SHA1

    e85f53cc10313ce48334cfd9449bc67592c91d31

    SHA256

    b86889541b154b6d76413fc79af5f15860dcf8679de86489970ee8fec1779b52

    SHA512

    27f4565d3bffd59c112fb7271155629d5421a51f1d7d7ac0b32db10b57f4b62cf1aa62a2c11c4ff7fa885a3784df5eb35b51530306c3718a8a842c7f9a6a6f9e

  • C:\Users\Admin\AppData\Local\Temp\files\v32.txt

    Filesize

    25KB

    MD5

    f44dd037ead72551d525805169988584

    SHA1

    746e36ec9fcb5a9e9238e1623a1d3bae979ccbf1

    SHA256

    c6cf577e28cdb1da8c75fdb63149ac08ca528f4303e6bfd2011965e463fcd242

    SHA512

    ae583b30d5ff8453a46e6404c3826e39f2383ffccff8346d825d01dd8071dd83371962738de1b635b73a2f1e8b27c0abdd037f25dbcdddbaccb2e4a89e5d80d4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    bfcb81586a65df38ce3b82ec41ef2562

    SHA1

    a24f0a394dcea32003b523afc9354fb1bfe871e7

    SHA256

    3897aadd7bbcfad722290ea3b26bda6db9997947da42f7df13d2e26c40e0f699

    SHA512

    d947cae37db465f949c1b45fd3def1e2e6f3556ec1fa3dbc1133c0464b3eb7c2117a31dcb407862be38e25f968794285b4d0eed1c627f3f0f0d034b5f8fc862c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    b299ece03570ab5e823ff2bfb261898d

    SHA1

    56299612d6377f3cae7edbd129d7fc48cd764f6b

    SHA256

    91f1071a72090f7a00d6cad8a98c90a2e2a79ba46cafd90ae4cb1824347202a4

    SHA512

    84a0afaddae4ef17810b7e736a26c74febcc65e49ffa5a58c9076b183ce80b3c16f5922f267c04d314bcaa00cb55bfe4dc072b99f73b89c8b5c0a090ea80ebb4

  • C:\Users\Admin\Desktop\~$OpenBackup.xlsx

    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

  • C:\Windows\Logs\DPX\setupact.log

    Filesize

    6KB

    MD5

    92552f827ab95bdd591f40740289cdce

    SHA1

    743c4abd8f4c2ee5af9ee1a9d279d1a5492eeced

    SHA256

    38dd73590cadd45c2e531d2d3fd1711af89e620b0d14850f5fa4d3347bed46df

    SHA512

    49747470bf404c58a3a88e7dae9c135f34cda7185030d299af3217d9a09e5f80cb5c5ab393205a6322eba591dd61301b804752f722dc3f1fc60503749975a39e

  • \Users\Admin\AppData\Local\Temp\._cache_2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe

    Filesize

    9.0MB

    MD5

    c2f8f016aa58b9a0be33378f911185df

    SHA1

    c043b1630742ce321fcff02946ca2e6e758c6325

    SHA256

    621bc8871ab00c23151a99f2ea4c2dbadd55b86eae623fc4370276e0897ae5b8

    SHA512

    4c431246f01b974e3ad2a06ed90d0ee824a3c9338246c99a13a0ec8dea9fbcd9da5aa65a991ea74f9359954ca9b0a0039bde95060c4831cefe05d920c8530419

  • memory/2076-160-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2076-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2256-172-0x0000000000400000-0x0000000000DBB000-memory.dmp

    Filesize

    9.7MB

  • memory/2256-58-0x0000000000400000-0x0000000000DBB000-memory.dmp

    Filesize

    9.7MB

  • memory/2256-188-0x0000000000400000-0x0000000000DBB000-memory.dmp

    Filesize

    9.7MB

  • memory/2256-220-0x0000000000400000-0x0000000000DBB000-memory.dmp

    Filesize

    9.7MB

  • memory/2308-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2308-26-0x0000000000400000-0x0000000000DBB000-memory.dmp

    Filesize

    9.7MB