Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2025 20:45

General

  • Target

    8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67.exe

  • Size

    2.9MB

  • MD5

    a9c45eef2508945daa77b877d1f33914

  • SHA1

    5b997d8928a08fcc31e1b36d06a8cfb9031455eb

  • SHA256

    8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67

  • SHA512

    0f8415d8418184ccfe8ff323d29dc2b518f7c5c408ad1c920d32c7242cd2e1487ed846573a9d809b534fb5f6aff048398a908132b597b94af9b5e0c5636f8802

  • SSDEEP

    49152:RnsHyjtk2MYC5GDiYBnsHyjtk2MYC5GDTYdnsHyjtk2MYC5GD6Y7:Rnsmtk2a0Bnsmtk2andnsmtk2ao7

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67.exe
    "C:\Users\Admin\AppData\Local\Temp\8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Users\Admin\AppData\Local\Temp\._cache_8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3896
      • \??\c:\users\admin\appdata\local\temp\._cache_8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67.exe 
        c:\users\admin\appdata\local\temp\._cache_8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67.exe 
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:5024
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2292
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2400
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:232
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of hidden/system files in Explorer
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2368
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3728
              • C:\Windows\SysWOW64\at.exe
                at 20:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:508
              • C:\Windows\SysWOW64\at.exe
                at 20:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2932
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4084
        • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
          c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3980
          • C:\ProgramData\Synaptics\Synaptics.exe
            "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:312
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          C:\Users\Admin\AppData\Local\icsys.icn.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1892
          • \??\c:\windows\system\explorer.exe
            c:\windows\system\explorer.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3656
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3596
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:3880

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Synaptics\RCXB3CF.tmp

    Filesize

    753KB

    MD5

    1cdbeea56a97090c2f052185c334f9b0

    SHA1

    4833d6b5b4930dc9645628bed2e9926c3bf4e1ed

    SHA256

    f154450a0fffcb44f0a5c5c7cafaff34d34ade7bf22c179fe8940c751c696bb4

    SHA512

    c53502086e0ba66029b754be2046d9a478cfd200b96aba529d33a539c59635f8bb339a9b0408b8829f2f9b67a2bc570048f7360e8f23ae49bc96a8b36a3beee3

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    2.9MB

    MD5

    a9c45eef2508945daa77b877d1f33914

    SHA1

    5b997d8928a08fcc31e1b36d06a8cfb9031455eb

    SHA256

    8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67

    SHA512

    0f8415d8418184ccfe8ff323d29dc2b518f7c5c408ad1c920d32c7242cd2e1487ed846573a9d809b534fb5f6aff048398a908132b597b94af9b5e0c5636f8802

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

    Filesize

    471B

    MD5

    150a49d4365245495bdb10c42bdd2974

    SHA1

    af54b7baaafccfacb79153b02c72590da244f542

    SHA256

    b89b554b84ff49525300db443dc6531fa5f889f6c3824af550caa19ce59ffb4e

    SHA512

    02776d08b83d1d9d043b407c802271f3ab790af1c78749ca24951a84c35a09c7241c77b9bcb55162f3ff17834513e97f625b6263207542d3520ede5c3d6317a9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

    Filesize

    420B

    MD5

    d43637c53b06123ded737617536462cc

    SHA1

    e0799b6f624f496077b7dc36dedd20717ddbf9ab

    SHA256

    25b483ba5c305413c0862d44cc2bd42f4a8e5a0d7ae0120af6b726ed4eb61ae9

    SHA512

    03457fea86b4807116db2a5f68f0b2ddcd6dcb14ea2ea7318432322a953062d8a281b9d1771e6af054e7096c4f90b0754049c47563fc5142da936f9d21de306c

  • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

    Filesize

    8KB

    MD5

    669963c9fcebf623322f8e3ab04812c1

    SHA1

    61cf0149ba1fc411d64cd48bc825d48970429075

    SHA256

    09c33917dba94f696398a689f20b894b8b3aebae5390871d48525b95682f262b

    SHA512

    cadf9a5966c48a02ec36428c21095022888a4381736acdfc043782af92b1935170877cd1a7eb28a42e9b31071b52c3d5fd58cac231e0f740f2ad4ec8b461ea5d

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

    Filesize

    2KB

    MD5

    3839937eac806b6a1d5a1be027bd2127

    SHA1

    7199afb67fe64e5d011a582587667684ded7f406

    SHA256

    249483aefb298d78fbf04ee41f153f98489c3509b409f8bef1ae19cc6c20005c

    SHA512

    ce8cffee9a454aede0a37e6f6b9ef0ca89eb24958b59d828f80bb3a62451872331dc2b8cec7006ce828b2c6a9b9ce7168f07476572cf97e08169b600cc3c3f8f

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

    Filesize

    2KB

    MD5

    bd9794fafbf2dc4235b296e85bf1b456

    SHA1

    a828c30d932f426b15c26ed519de8762bbf6ae51

    SHA256

    17e6282e3bcb9b162e204a214cafc9d35537682da2c7a179c600a78a897fb232

    SHA512

    3dba7b0d60a3499d43f6238a6a2475531b7f6605d3a10ca626283a9bf3fff16acf7b2797602f23d4b746b257efb7529b6b73fdefe31417e3645acc19a90ce8cc

  • C:\Users\Admin\AppData\Local\Temp\._cache_8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67.exe

    Filesize

    2.1MB

    MD5

    e3faeb35f56273ecce987a94379d3683

    SHA1

    7cb189451c6c4af1efee17453f90c1a6aae2fabb

    SHA256

    4f5f4b955e6659bcf44c5abab6d692f1adf2f9677751035bf422106af8442180

    SHA512

    7d316bad87a9f895311628a3abf7eebd77dd5774f8935044bd317e50961d2dc60983299acb7aff13f4285b141ab352991ba8ebba64fb9d28f60726a3f6e244cf

  • C:\Users\Admin\AppData\Local\Temp\._cache_8177f4d116cee11788e921284b9f7a261b3f259bb9c70cfb24443c241e6eee67.exe 

    Filesize

    1.9MB

    MD5

    68dbfb2c9a0951dac513985e40e89d3a

    SHA1

    8083d2cea9e0bf96160b051f19860d2f6e06d65a

    SHA256

    94ca6644e8842c073b9b19ab260214cf9c89bbb4ff65e332d2104ec67b316093

    SHA512

    f7fd4efca17edc8771909b279554e57ed2451db8c41591e8c1dbef2583f24a5e90f9c43a1f16fe874e157b5604ce820cf8f88ee07e8a5ab2010245f18545bebc

  • C:\Users\Admin\AppData\Local\Temp\1CB75E00

    Filesize

    21KB

    MD5

    4abc611b691d9e7c1aa689cc4ee8756f

    SHA1

    d05781f67f3e1883be19000f4335abc1d9f93bea

    SHA256

    10321b81f0eb28bbe69112a18d28abde63c940a8771d49e1a8a85a8fb8482032

    SHA512

    666ad5b0cbcfb1bb5c2f4ca62c8dc0325d93488c1ccc17394bf136cda7747ba2179c8678ba3db176f9a57ce0639d62b67fc25532e792d8d44356bc26d364545d

  • C:\Users\Admin\AppData\Local\Temp\ht7bCSk7.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\icsys.icn.exe

    Filesize

    206KB

    MD5

    20602f77608fd2bdebecb54d6ddad08f

    SHA1

    bba0a2150a4fea15db48ea7d2398eb1344cf749f

    SHA256

    0b0ac637272ff103bcf0e0e79df4ab4f36307f1d4386dd2c49f39031969dce62

    SHA512

    82beb0f477c5c5eaa7dedd710ab883b377ce55c385aff0d40136ebc45db2e340664325cbffd52e5604fe0716f9cf91453b0e1b8e1ce0fa1f0291930e1f0e8a1b

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    206KB

    MD5

    28c24107c548907151db1156782ad05a

    SHA1

    e737e505cf439d941bc1c3483f8dca664ce19adc

    SHA256

    20a14d0a947d9849201a343ebe4127b0c15081f6858b75aa9e74ab74db43273f

    SHA512

    812aabd96f99760e0be8f610cbc541f47d631e0159a19964bfe32705957686686783bca05c5862398967cb73428504146ce5225c810a785c72df77ffa004b52c

  • C:\Windows\System\svchost.exe

    Filesize

    206KB

    MD5

    b5d4266046a117c73ad76b040702b789

    SHA1

    67a39670da0ba645a6374291685a0aa13f9f9b74

    SHA256

    c894630bc6b1abeedbd6e7ecf4d08542b2fe2193dac82bc75c74c1214292cd63

    SHA512

    7da36e32f50896a5f53aa7e6c5d19375539bb1e334bb9e539f7921901e3341383c1b1450647e0fbd41564b931c7e0e739196f32a3c07e02913bd59ab4201f218

  • \??\c:\windows\system\explorer.exe

    Filesize

    206KB

    MD5

    256e42e6d534176f3b1a16b6c58db26d

    SHA1

    3e429d684598920f7e5a1bf1d289e133c05f33eb

    SHA256

    dfeec35cd6d19046bbe092354b1c35a46b894e81028295e3f38d989363c77d18

    SHA512

    d9088d2a5d5a6aee73dcd06ef7547f530178fe385f0044a500446d09488ed8527191858edd0d4c692b0dcdc382715c49929bf60f24e2ae9bae6eaee539d28ec7

  • \??\c:\windows\system\spoolsv.exe

    Filesize

    207KB

    MD5

    4fb0a765b60dafb6f1870995f77aea94

    SHA1

    e60a92dc54e633fa0cbad1d3ce89eeca5b02f0dd

    SHA256

    dad8b56f7385e25dd00555dff36f96d8c49ee295638ebfa35e8f90103ab680a7

    SHA512

    14f3c64c0816bca4435d50a7b9d494e1b4f0eb38a2b4b518568738e14783d7c533473f9147de02b5284c83c09a9ce853e535d24db5d18121fccec7fd4b13e9a6

  • memory/232-255-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/312-402-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/312-432-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1084-137-0x0000000000400000-0x00000000006E0000-memory.dmp

    Filesize

    2.9MB

  • memory/1084-0-0x0000000002450000-0x0000000002451000-memory.dmp

    Filesize

    4KB

  • memory/1728-238-0x0000000000400000-0x00000000005F0000-memory.dmp

    Filesize

    1.9MB

  • memory/1892-277-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2292-260-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2292-145-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2368-434-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2400-433-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/3596-253-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

    Filesize

    64KB

  • memory/3596-275-0x00007FF7CF520000-0x00007FF7CF530000-memory.dmp

    Filesize

    64KB

  • memory/3596-269-0x00007FF7CF520000-0x00007FF7CF530000-memory.dmp

    Filesize

    64KB

  • memory/3596-254-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

    Filesize

    64KB

  • memory/3596-250-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

    Filesize

    64KB

  • memory/3596-252-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

    Filesize

    64KB

  • memory/3596-251-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

    Filesize

    64KB

  • memory/3656-274-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/3728-247-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/3896-60-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/3896-263-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/3980-340-0x0000000000400000-0x00000000005F0000-memory.dmp

    Filesize

    1.9MB

  • memory/4084-276-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/4408-278-0x0000000000400000-0x00000000006E0000-memory.dmp

    Filesize

    2.9MB

  • memory/5024-279-0x0000000000400000-0x00000000006E0000-memory.dmp

    Filesize

    2.9MB

  • memory/5024-261-0x00000000023E0000-0x0000000002421000-memory.dmp

    Filesize

    260KB

  • memory/5024-262-0x00000000023E0000-0x0000000002421000-memory.dmp

    Filesize

    260KB