Overview

overview

10

Static

static

10

d4f7e0c033...35.exe

windows7-x64

10

d4f7e0c033...35.exe

windows10-2004-x64

10

d57a15943a...b8.exe

windows7-x64

10

d57a15943a...b8.exe

windows10-2004-x64

10

d5b7e88e91...31.exe

windows7-x64

5

d5b7e88e91...31.exe

windows10-2004-x64

5

d5b9cbc990...bf.exe

windows7-x64

7

d5b9cbc990...bf.exe

windows10-2004-x64

7

d5bce0b9b1...56.exe

windows7-x64

10

d5bce0b9b1...56.exe

windows10-2004-x64

10

d5fc43e4e1...1f.exe

windows7-x64

1

d5fc43e4e1...1f.exe

windows10-2004-x64

1

d61876dded...d3.exe

windows7-x64

10

d61876dded...d3.exe

windows10-2004-x64

10

d61b23d4ac...e0.exe

windows7-x64

10

d61b23d4ac...e0.exe

windows10-2004-x64

10

d690267038...3a.exe

windows7-x64

8

d690267038...3a.exe

windows10-2004-x64

8

d6995ab53a...3c.exe

windows7-x64

10

d6995ab53a...3c.exe

windows10-2004-x64

10

d6a9816b0d...9f.exe

windows7-x64

1

d6a9816b0d...9f.exe

windows10-2004-x64

1

d6e2e28870...ca.exe

windows7-x64

10

d6e2e28870...ca.exe

windows10-2004-x64

10

d70550d5d4...cd.exe

windows7-x64

10

d70550d5d4...cd.exe

windows10-2004-x64

10

d72c4b8c14...db.exe

windows7-x64

7

d72c4b8c14...db.exe

windows10-2004-x64

7

d735d6b2f3...86.exe

windows7-x64

10

d735d6b2f3...86.exe

windows10-2004-x64

10

d7508b0790...b3.exe

windows7-x64

10

d7508b0790...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe

  • Size

    12.4MB

  • MD5

    8da54daf75efab1bd1c80477c3920e05

  • SHA1

    54a4db78f9c0c0fd7b6826033f145365a912b979

  • SHA256

    d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556

  • SHA512

    b5903307029bfee87b2a302a5d07f9972491ed4ed7055b8b17b41579f0d00924b8ac188fb89b73a7397fab1a22009b851e5cb87a2b424f920f34946cd7ceca11

  • SSDEEP

    393216:xGg4aeGg4alGg4anGg4aPGg4aLGg4aYGg4aWGg4aEGg4au:5cNXPr2kyu

Score
10/10
xredbackdoorcollectiondiscoveryexecutionpersistencespywarestealer

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe
    "C:\Users\Admin\AppData\Local\Temp\d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3332
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:6056
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp683.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1720
    • C:\Users\Admin\AppData\Local\Temp\d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe
      "C:\Users\Admin\AppData\Local\Temp\d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5128
      • C:\Users\Admin\AppData\Local\Temp\._cache_d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1436
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5600
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2692
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5368
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AD6.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4968
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:4932
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    12.4MB

    MD5

    8da54daf75efab1bd1c80477c3920e05

    SHA1

    54a4db78f9c0c0fd7b6826033f145365a912b979

    SHA256

    d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556

    SHA512

    b5903307029bfee87b2a302a5d07f9972491ed4ed7055b8b17b41579f0d00924b8ac188fb89b73a7397fab1a22009b851e5cb87a2b424f920f34946cd7ceca11

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    311df13f8e6705e6a0efd4befdfd84d6

    SHA1

    30041002261cabf929591889f2e7d260ac427c50

    SHA256

    6993a01ee2c2b1d14d20e1e3d55846e77aca72caba64a4cc027fa7cc5d4627ee

    SHA512

    4f867ade3f33c34227e1e641e0db764d51556063a19e13c20064bbbef2d03bc78655520d06c9861be857793b713b3a6c84700ae6b2379eb059695d1765cce6ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    d0ed27ed85734d01cbc1d1440de6e8b2

    SHA1

    c6f35bc86b32f8dea5068cf3d55bfacc182f9a38

    SHA256

    feacfdcb47926e8b0645b551476f76ccac18f9c656cf037dafd56b7ec1ceddf3

    SHA512

    75bc686b89ae83564bf4c2c6cd602d2bbbed521a940c93a5e0bba7ed129a8c9d52fe49e98baacf24d5d6746e61098b165456ebd3e6efb4e76e9627374298f4a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe
    Filesize

    91KB

    MD5

    b45e3c4c10da3da0c69e2f90dc3dfb10

    SHA1

    61a36473ced38978793a9af1aea1fc528eebe457

    SHA256

    b6fe518ed8ca7ee32f79bb5dd52ab8250cc595d1aa8daec123cef383c6b0bdb6

    SHA512

    44d0c2e0904702dd22c92004415ef3c821bf63de0fb0cc6d7cca41eab36f32531530dd5fdb48017fc5405c7554ae6387514ef3f4e74eea4b36a14d587742e15b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hpk4noh.bm1.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\m9HAyQdv.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp683.tmp
    Filesize

    1KB

    MD5

    b8d0c9983df15bb6461ab648d8a3941e

    SHA1

    497df7a240408c9fb891f69ddb54b924632357ee

    SHA256

    31d53aa920c37251d34f6b5173f53f0d6beda6e5515f9cd1050a4517f539b1cb

    SHA512

    38228490f35efb2c3b839109c9c5d274516b507ba7e074626a809bb1faa395c4b4ef527481cf49483e20086a4a1b78f4761dde235d1fcbfc4cc6da09f1b40b82

    Download Submit

  • memory/1080-6-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1080-3-0x0000000005790000-0x0000000005822000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1080-10-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1080-11-0x00000000075B0000-0x00000000076CE000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1080-12-0x0000000007770000-0x000000000780C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1080-52-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1080-8-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1080-7-0x0000000006D60000-0x0000000006EBC000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1080-1-0x0000000000100000-0x0000000000D78000-memory.dmp

    Filesize

    12.5MB

    Download

  • memory/1080-0-0x000000007473E000-0x000000007473F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1080-5-0x0000000005CC0000-0x0000000005CCA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1080-4-0x0000000005830000-0x0000000005B84000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1080-2-0x0000000005D40000-0x00000000062E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1080-9-0x000000007473E000-0x000000007473F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-218-0x00000000062D0000-0x0000000006492000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1436-122-0x0000000000390000-0x00000000003AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1436-217-0x0000000005F10000-0x0000000005F60000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2560-345-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2560-233-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2560-344-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2560-357-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2560-375-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2692-295-0x0000000005D70000-0x0000000005DBC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2692-323-0x000000006F7A0000-0x000000006F7EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2692-334-0x0000000007210000-0x0000000007221000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2692-337-0x0000000007250000-0x0000000007264000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3332-21-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-26-0x0000000006030000-0x0000000006096000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3332-189-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3332-179-0x000000006EEE0000-0x000000006EF2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3332-17-0x0000000002E00000-0x0000000002E36000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3332-19-0x00000000057D0000-0x0000000005DF8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3332-18-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-20-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-207-0x0000000007CC0000-0x0000000007D56000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3332-208-0x0000000007C40000-0x0000000007C51000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3332-202-0x0000000007940000-0x00000000079E3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3332-210-0x0000000007C80000-0x0000000007C94000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3332-211-0x0000000007D80000-0x0000000007D9A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3332-212-0x0000000007D60000-0x0000000007D68000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3332-216-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-27-0x00000000060A0000-0x0000000006106000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3332-178-0x0000000007700000-0x0000000007732000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3332-53-0x0000000006720000-0x000000000673E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3332-54-0x0000000006C90000-0x0000000006CDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3332-25-0x0000000005760000-0x0000000005782000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4256-308-0x00007FF958490000-0x00007FF9584A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-307-0x00007FF958490000-0x00007FF9584A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-310-0x00007FF958490000-0x00007FF9584A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-309-0x00007FF958490000-0x00007FF9584A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-306-0x00007FF958490000-0x00007FF9584A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-311-0x00007FF955FF0000-0x00007FF956000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-333-0x00007FF955FF0000-0x00007FF956000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5128-49-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/5128-34-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/5368-312-0x000000006F7A0000-0x000000006F7EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5368-322-0x00000000078A0000-0x0000000007943000-memory.dmp

    Filesize

    652KB

    Download

  • memory/6056-209-0x0000000007940000-0x000000000794E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/6056-24-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/6056-28-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/6056-215-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/6056-23-0x0000000074730000-0x0000000074EE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/6056-206-0x0000000007780000-0x000000000778A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/6056-205-0x0000000007710000-0x000000000772A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/6056-204-0x0000000007D50000-0x00000000083CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/6056-190-0x000000006EEE0000-0x000000006EF2C000-memory.dmp

    Filesize

    304KB

    Download