isrstealer | 5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
Size

1.2MB
MD5

fe5175560342c0936f33072bc5f125c2
SHA1

12f3bb5a0822e8317cf0444a215322f5bed9e6dd
SHA256

5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b
SHA512

8ae02d9e6e44db218f99e84b6b945d228646ea4bb5e1dae5621d03f1a09a043e729723dbb1ee463a4ce15507d1cd21f30f64ebd1a09ef4266fa770fd78c0960d
SSDEEP

24576:di4FmmfgFuk/3OtOZHcgxW7NbQkGt4ST69cv20euBXaXlSJitbxSrYFnDzh/hvEe:di4FmmfgUk/etOZHcgY7NbQkGqST69w+

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/4816-139-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral2/memory/4816-143-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral2/memory/4816-180-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/428-176-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/428-178-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/5028-156-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/5028-161-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/5028-177-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/5028-156-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/5028-161-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/3476-170-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/3476-175-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/5028-177-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/428-176-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/428-178-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 7 IoCs

pid	Process
3768	xqhfr.exe
4816	cvtres.exe
4376	WzK.exe
1928	cvtres.exe
5028	cvtres.exe
3476	cvtres.exe
428	cvtres.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/428-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3476-170-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3476-166-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3476-160-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3476-175-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/428-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/428-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/428-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	xqhfr.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3768 set thread context of 4816	3768	xqhfr.exe	82
PID 4816 set thread context of 1928	4816	cvtres.exe	84
PID 1928 set thread context of 5028	1928	cvtres.exe	85
PID 1928 set thread context of 3476	1928	cvtres.exe	86
PID 1928 set thread context of 428	1928	cvtres.exe	87

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3768	xqhfr.exe
3768	xqhfr.exe
4816	cvtres.exe
4816	cvtres.exe
4816	cvtres.exe
4816	cvtres.exe
4816	cvtres.exe
4816	cvtres.exe
4816	cvtres.exe
4816	cvtres.exe
3476	cvtres.exe
3476	cvtres.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
Token: SeDebugPrivilege	3768	xqhfr.exe
Token: SeRestorePrivilege	1172	dw20.exe
Token: SeBackupPrivilege	1172	dw20.exe
Token: SeBackupPrivilege	1172	dw20.exe
Token: SeBackupPrivilege	1172	dw20.exe
Token: SeBackupPrivilege	1172	dw20.exe
Token: SeDebugPrivilege	3476	cvtres.exe
Token: 33	4500	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4500	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4816	cvtres.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3768	4264	5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe	80
PID 4264 wrote to memory of 3768	4264	5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe	80
PID 4264 wrote to memory of 3768	4264	5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe	80
PID 4264 wrote to memory of 1172	4264	5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe	81
PID 4264 wrote to memory of 1172	4264	5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe	81
PID 4264 wrote to memory of 1172	4264	5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe	81
PID 3768 wrote to memory of 4816	3768	xqhfr.exe	82
PID 3768 wrote to memory of 4816	3768	xqhfr.exe	82
PID 3768 wrote to memory of 4816	3768	xqhfr.exe	82
PID 3768 wrote to memory of 4816	3768	xqhfr.exe	82
PID 3768 wrote to memory of 4816	3768	xqhfr.exe	82
PID 3768 wrote to memory of 4816	3768	xqhfr.exe	82
PID 3768 wrote to memory of 4816	3768	xqhfr.exe	82
PID 3768 wrote to memory of 4816	3768	xqhfr.exe	82
PID 3768 wrote to memory of 4376	3768	xqhfr.exe	83
PID 3768 wrote to memory of 4376	3768	xqhfr.exe	83
PID 3768 wrote to memory of 4376	3768	xqhfr.exe	83
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 4816 wrote to memory of 1928	4816	cvtres.exe	84
PID 1928 wrote to memory of 5028	1928	cvtres.exe	85
PID 1928 wrote to memory of 5028	1928	cvtres.exe	85
PID 1928 wrote to memory of 5028	1928	cvtres.exe	85
PID 1928 wrote to memory of 5028	1928	cvtres.exe	85
PID 1928 wrote to memory of 5028	1928	cvtres.exe	85
PID 1928 wrote to memory of 3476	1928	cvtres.exe	86
PID 1928 wrote to memory of 3476	1928	cvtres.exe	86
PID 1928 wrote to memory of 3476	1928	cvtres.exe	86
PID 1928 wrote to memory of 3476	1928	cvtres.exe	86
PID 1928 wrote to memory of 3476	1928	cvtres.exe	86
PID 1928 wrote to memory of 428	1928	cvtres.exe	87
PID 1928 wrote to memory of 428	1928	cvtres.exe	87
PID 1928 wrote to memory of 428	1928	cvtres.exe	87
PID 1928 wrote to memory of 428	1928	cvtres.exe	87
PID 1928 wrote to memory of 428	1928	cvtres.exe	87

C:\Users\Admin\AppData\Local\Temp\5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
"C:\Users\Admin\AppData\Local\Temp\5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\xqhfr.exe
  "C:\Users\Admin\AppData\Local\Temp\xqhfr.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
        5⤵
        Executes dropped EXE
        
        PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
    - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:428
- - C:\Users\Admin\AppData\Local\Temp\WzK.exe
    "C:\Users\Admin\AppData\Local\Temp\WzK.exe"
    3⤵
    - Executes dropped EXE
    PID:4376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1556
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WzK.exe

Filesize
255KB

MD5
8f064640da380d34a0485de34d03388c

SHA1
488e5da5a955aaed1848c026ced220b0fbeb1190

SHA256
b158a4635a85827f3d78a9c26c6ad9a0bc3126f4cf6329c2fdd039ed9fa71356

SHA512
34cee8a5741bfe23e6909398c7e12cdfd926de46afcd984ddba32936639686a61320622adc45d0c3be549ed0d6385d2954377a5ae36099998cb176313f438157

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzK.exe

Filesize
255KB

MD5
8f064640da380d34a0485de34d03388c

SHA1
488e5da5a955aaed1848c026ced220b0fbeb1190

SHA256
b158a4635a85827f3d78a9c26c6ad9a0bc3126f4cf6329c2fdd039ed9fa71356

SHA512
34cee8a5741bfe23e6909398c7e12cdfd926de46afcd984ddba32936639686a61320622adc45d0c3be549ed0d6385d2954377a5ae36099998cb176313f438157

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqhfr.exe

Filesize
818KB

MD5
259d1c6bd3ae9af95fbb0a0f73f0c8e2

SHA1
c5892add06d8c3de974f37ff1055ec2a7cea284a

SHA256
421ed289a2696c3e4233234a9d8cf48537295b9158d27dbc8ff304c8a9d7e2ba

SHA512
552a7a18ad42374edfde4e002afcdc139781445f3cf448fd7b72125bd43695a4e381339c25d98eec558ebfaf40a3ce80fdb017df72b2d73df5a5c8e0b1203409

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqhfr.exe

Filesize
818KB

MD5
259d1c6bd3ae9af95fbb0a0f73f0c8e2

SHA1
c5892add06d8c3de974f37ff1055ec2a7cea284a

SHA256
421ed289a2696c3e4233234a9d8cf48537295b9158d27dbc8ff304c8a9d7e2ba

SHA512
552a7a18ad42374edfde4e002afcdc139781445f3cf448fd7b72125bd43695a4e381339c25d98eec558ebfaf40a3ce80fdb017df72b2d73df5a5c8e0b1203409

Download Submit
memory/428-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/428-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/428-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/428-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-151-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1928-167-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1928-154-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1928-173-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1928-153-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3476-160-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3476-175-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3476-166-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3476-170-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3768-150-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3768-136-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4264-179-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4264-132-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4264-164-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4816-143-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4816-139-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4816-180-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5028-161-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5028-177-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5028-156-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download