Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-02-2025 18:21

General

  • Target

    adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe

  • Size

    760KB

  • MD5

    79549e64dc118988e997a209ef99567d

  • SHA1

    48948a955e0266ac2d5fb7c61e3f48aca97a829c

  • SHA256

    adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43

  • SHA512

    3c58de1340c4a68509cc5c72b6eddc91ffca7d0d0038363632bd6abd51a165452e0a1d2bf0ecbffa0a1ec4e0e9a2f421deaae681f81373917d9dee72c283e4ea

  • SSDEEP

    12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9KmKj:WnsJ39LyjbJkQFMhmC+6GD9c

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Modifies Windows Firewall 2 TTPs 8 IoCs
  • Suspicious Office macro 2 IoCs

    Office document equipped with macros.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Executes commands through powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
    "C:\Users\Admin\AppData\Local\Temp\adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2260
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2460
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2472
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF9CA.tmp.bat""
        3⤵
          PID:2660
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 2
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:896
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1132
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:1364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1084
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public
              5⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1624
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public
              5⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:1964
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF9BA.tmp.bat""
            4⤵
              PID:1592
              • C:\Windows\system32\PING.EXE
                ping 127.0.0.1 -n 2
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2380
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
        1⤵
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2572
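
The process tree above shows the sample's firewall tampering twice (once from the ._cache_ stub, once from the Synaptics.exe copy): a PowerShell wrapper with -ExecutionPolicy Bypass drives netsh to delete every inbound and outbound rule bound to iexplore.exe and then adds allow rules under the made-up name "SSTP(Secure Socket Trade Protocol)". The detector below is an added example, not code from the sandbox report or from the Xred authors. It parses netsh arguments in both quoting forms visible above (the PowerShell -Command form with single quotes and netsh's own re-quoted form), flags the rule wipe, the bogus allow rule, the C:\ProgramData\Synaptics\Synaptics.exe persistence binary and the report's SHA256, and correlates a netsh hit with a flagged PowerShell parent. The event records are constructed from the PIDs and command lines in the tree; the Sysmon-like field names and the benign control event (PID 4242, a Remote Desktop rule) are assumptions.

```python
"""Detects the Xred firewall-tampering chain over process-creation events.

Added example, not part of the sandbox report. Event dicts are constructed
from the report's process tree; field names loosely mirror Sysmon Event ID 1.
"""
import re
from typing import Dict, List

# Indicators taken from the report above.
XRED_SHA256 = {"adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43"}
XRED_RULE_NAME = "SSTP(Secure Socket Trade Protocol)"   # bogus rule name used by the sample
XRED_PERSIST_PATH = r"c:\programdata\synaptics\synaptics.exe"
IE = r"C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
RULE = "SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound"

# One token is a run of unquoted text and quoted segments glued together, so
#   program='C:\Program Files (x86)\...'   (PowerShell -Command form) and
#   "program=C:\Program Files (x86)\..."   (netsh's re-quoted form)
# both yield the same key/value pair.
_TOKEN = re.compile(r"""(?:[^\s"']+|"[^"]*"|'[^']*')+""")


def parse_netsh_args(cmdline: str) -> Dict[str, str]:
    """Return netsh key=value arguments with quotes stripped; bare words map to ''."""
    args: Dict[str, str] = {}
    for tok in _TOKEN.findall(cmdline):
        tok = tok.replace('"', "").replace("'", "")
        key, sep, val = tok.partition("=")
        args[key.lower()] = val if sep else ""
    return args


def classify(event: dict) -> List[str]:
    """Return the detection names a single event triggers (empty when benign)."""
    hits: List[str] = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    lower = cmd.lower()

    if event.get("sha256", "").lower() in XRED_SHA256:
        hits.append("known_xred_hash")
    if image == XRED_PERSIST_PATH:
        hits.append("xred_persistence_binary")
    if (image.endswith("\\powershell.exe") and "-executionpolicy bypass" in lower
            and "netsh advfirewall" in lower):
        hits.append("powershell_bypass_wrapping_netsh")
    if image.endswith("\\netsh.exe") and "advfirewall" in lower:
        a = parse_netsh_args(cmd)
        program = a.get("program", "").lower()
        # Wipe of every rule bound to iexplore.exe in the given direction ...
        if "delete" in a and a.get("name") == "all" and program.endswith("\\iexplore.exe"):
            hits.append("firewall_rules_wiped_for_iexplore")
        # ... followed by an allow rule under the made-up "SSTP" name.
        if "add" in a and a.get("action") == "allow" and XRED_RULE_NAME in a.get("name", ""):
            hits.append("xred_firewall_allow_rule")
    return hits


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """pid -> detections; a flagged netsh under a flagged PowerShell parent gets a chain alert."""
    by_pid = {e["pid"]: e for e in events}
    results = {e["pid"]: classify(e) for e in events}
    for e in events:
        parent = by_pid.get(e.get("ppid"))
        if (results[e["pid"]] and parent
                and "powershell_bypass_wrapping_netsh" in results[parent["pid"]]):
            results[e["pid"]].append("netsh_child_of_bypass_powershell")
    return {pid: hits for pid, hits in results.items() if hits}


# Constructed events modelled on the process tree above (PIDs and command lines
# from the report; PID 4242 is an invented benign control rule).
PS = '"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "{}"'
NETSH = r'"C:\Windows\system32\netsh.exe" '
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe"
EVENTS = [
    {"pid": 2380, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "sha256": "adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43"},
    {"pid": 1912, "ppid": 2804, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS.format(f"netsh advfirewall firewall delete rule name=all dir=in program='{IE}'")},
    {"pid": 2828, "ppid": 1912, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": NETSH + f'advfirewall firewall delete rule name=all dir=in "program={IE}"'},
    {"pid": 2044, "ppid": 2804, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS.format(f"netsh advfirewall firewall add rule name='{RULE}' dir=in action=allow "
                          f"program='{IE}' enable=yes profile=private,public")},
    {"pid": 2460, "ppid": 2044, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": NETSH + f'advfirewall firewall add rule "name={RULE}" dir=in action=allow '
                        f'"program={IE}" enable=yes profile=private public'},
    {"pid": 2792, "ppid": 2380, "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "cmdline": r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate',
     "sha256": "adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43"},
    {"pid": 4242, "ppid": 1000, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": NETSH + 'advfirewall firewall add rule "name=Remote Desktop (TCP-In)" dir=in '
                        'action=allow protocol=TCP localport=3389'},
]

if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits)
```

The rule-name match is deliberately a substring test rather than an exact name, because the sample registers both an "Inbound" and an "Outbound" variant; the iexplore.exe wipe is matched on the program path suffix so that the same logic fires whether the rule is deleted from an x86 or x64 Internet Explorer location. The chain alert is the higher-confidence signal: netsh firewall changes on their own are common in administration scripts, but a netsh child of a PowerShell process started with -ExecutionPolicy Bypass by a binary in a user's Temp directory is not.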

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe

        Filesize

        760KB

        MD5

        79549e64dc118988e997a209ef99567d

        SHA1

        48948a955e0266ac2d5fb7c61e3f48aca97a829c

        SHA256

        adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43

        SHA512

        3c58de1340c4a68509cc5c72b6eddc91ffca7d0d0038363632bd6abd51a165452e0a1d2bf0ecbffa0a1ec4e0e9a2f421deaae681f81373917d9dee72c283e4ea

      • C:\Users\Admin\AppData\Local\Temp\cFxSNMRL.xlsm

        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      • C:\Users\Admin\AppData\Local\Temp\cFxSNMRL.xlsm

        Filesize

        20KB

        MD5

        a6a4353dccf32be9f5e3a1a12d1ba00d

        SHA1

        fd3b30a38cf644a5bb3bbf187ec05acdf0ffaa39

        SHA256

        faa0f443ee350efd3111baf48783c7041ef1fe98abfa65a83e6c9c5712746635

        SHA512

        c06035ba16b103bae214a2a907add5b1b1640e90d698d1284dc55eab0313e01c9c245ca62246cdf301a22192f3f478061d2ee22e5b5acec125f0f9256ecc052c

      • C:\Users\Admin\AppData\Local\Temp\cFxSNMRL.xlsm

        Filesize

        24KB

        MD5

        7dad6a6d8fd154077d42370cc3fb0072

        SHA1

        f1a06937099b8ef6470a44eaddb39c6772723197

        SHA256

        a281eb0d2e24deb8efb1bb3c3ae5596cbcc17a06c1f9c584be0900f637603c9d

        SHA512

        475ffc0cd2c894c3dab6f118e578871b8f27772ef0129c77ab942073268eb410fe6d44ead7fe629dd59e0f276d18bccf0a5fdcc2f7f8e0a5cf89fac295408570

      • C:\Users\Admin\AppData\Local\Temp\cFxSNMRL.xlsm

        Filesize

        23KB

        MD5

        a364dffb57738df9a21e3991b5526a2d

        SHA1

        78bde2784a43b49856a78a041ca74d3502036d51

        SHA256

        89c320ac9c47957cbeb284e4cacd04d4a6eb2d4daaab967d3915c011066d8153

        SHA512

        d1ccb421db0ea99a537a64b16c730832d386a3ae0276d8a9b8f4adf177a9dcecae78eb0d4a2092f8313d4e3e44d42b647bfb7e4725ef34078c8974d825ffbc8c

      • C:\Users\Admin\AppData\Local\Temp\cFxSNMRL.xlsm

        Filesize

        28KB

        MD5

        469df927ce0c1676bcd352c71229b84f

        SHA1

        ef51980268550f9f4dc5bd4a8fe4f244fe3c6ede

        SHA256

        45ccb50020352e17b48da269a644e46783677d1a8799764265af40eb2832a2bf

        SHA512

        997fb347018931f53fc5c9e6a73d06d754d41558641c3e9f657b20075505e54110f25765f10237cac3a1ac25b0fecf6f8531dc66a1fb74de5306483fbd2c5fb0

      • C:\Users\Admin\AppData\Local\Temp\tmpF9BA.tmp.bat

        Filesize

        158B

        MD5

        afd2446103285a9e62713f2e9074e1b1

        SHA1

        5b7db3e432e068d90f0ac6600642a691daaf34d6

        SHA256

        a474bce1fc40911cc9de86ef6aff5e44b6d0a24041803abafb66787cea8283dc

        SHA512

        c055d0577145938cd12ce01792c3d32f99e083f2151fe4593643fb6bfd3fe406002be3eca2919c926aca44ec3f7ef3d31b520560437e9683e95086bba8f81d8f

      • C:\Users\Admin\AppData\Local\Temp\tmpF9CA.tmp.bat

        Filesize

        213B

        MD5

        85580ebc975626f152a5e6da059dc90e

        SHA1

        29577d84cf19ca75f43284aedb5e902d56900e0e

        SHA256

        de170adbb7f190e3c5c1f31a340abbc3aac1d532776c8d415252993771b14800

        SHA512

        d38be4ebef398f0f4028eb1af8290a4f24b329870b7fdf9abbad98ee450e82e8fed5a786e5ccaec9cb8a059a14f8afb09f11e463b686c12efef3e78d459ff653

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HJHS5W68F6CQXR2ITA20.temp

        Filesize

        7KB

        MD5

        6a42652eae66d139af4ddec7baeb22d0

        SHA1

        17486a8c05314d21ee83455ab4ab733348da29de

        SHA256

        548f13d3c42b2a7383cd9e6662ff70d87d1c574bfc1faefb65b1cdfa7eac66e0

        SHA512

        dc400275482838e89f15566f59c9d96d3026e4c5a2f9150a3b922ba5485350bdcbb30b6f8bfa3033aeb1f266a2e0aa3f040ff79543722db69ad97219e3b7ed42

      • C:\Users\Admin\Documents\~$UsePush.xlsx

        Filesize

        165B

        MD5

        ff09371174f7c701e75f357a187c06e8

        SHA1

        57f9a638fd652922d7eb23236c80055a91724503

        SHA256

        e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

        SHA512

        e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

      • \Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe

        Filesize

        7KB

        MD5

        4f335528745cc617396c5c7107e84dff

        SHA1

        e90b4e0e888c43dde82662df49c7c054207a2961

        SHA256

        50e64c6fb2a0fb6898a792d192c35b3f43996c6dea24d5f94c0e90e2be238671

        SHA512

        0bb11a0577108a13ebd98323ea094d05205a07686ab355e9c6bf8976398be0a327306206c64a4d41109fbf2f47f8af0925a605023ea308109d7c80540129138c

      • memory/1132-86-0x0000000001F80000-0x0000000001F88000-memory.dmp

        Filesize

        32KB

      • memory/1132-85-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

        Filesize

        2.9MB

      • memory/1912-47-0x000000001B6A0000-0x000000001B982000-memory.dmp

        Filesize

        2.9MB

      • memory/1912-48-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

        Filesize

        32KB

      • memory/2380-0-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

      • memory/2380-25-0x0000000000400000-0x00000000004C4000-memory.dmp

        Filesize

        784KB

      • memory/2552-36-0x0000000001050000-0x0000000001058000-memory.dmp

        Filesize

        32KB

      • memory/2572-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2792-173-0x0000000000400000-0x00000000004C4000-memory.dmp

        Filesize

        784KB

      • memory/2792-174-0x0000000000400000-0x00000000004C4000-memory.dmp

        Filesize

        784KB

      • memory/2792-208-0x0000000000400000-0x00000000004C4000-memory.dmp

        Filesize

        784KB

      • memory/2804-28-0x00000000010B0000-0x00000000010B8000-memory.dmp

        Filesize

        32KB