ebb8f7dc8b7b63a38b4c99064870b5d8da6305f9b8d426c8c8f8b3e1bb1423c7

Analysis

max time kernel
186s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

搜狗导航增值机.exe
Size

532KB
MD5

74c6e0df472160ebb8482729aaa1baee
SHA1

6e1634bb00213a7e557591c3d451baf56291e9de
SHA256

2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3
SHA512

05e403abe730dbc7079e3e3cce5d9e6a797542aaec81c917ed84445e324421c725dc208d1af286234e72241a725b0e89e0e224cdfc67d813861422516835d345
SSDEEP

12288:+K2mhAMJ/cPlizen8lwBx7EshSpwreE+/8gfxsdjY9NhEi7D:v2O/Gliquw4P5E+/8gfxsFAEo

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

手机验证码接收系统.exeKINSTALLERS_66_4538.exe官方.exe淘宝客PID劫持器.exeKINSTALLERS_66_4538.exe

pid process

3260 手机验证码接收系统.exe
4944 KINSTALLERS_66_4538.exe
3600 官方.exe
224 淘宝客PID劫持器.exe
2896 KINSTALLERS_66_4538.exe

pid	process
3260	手机验证码接收系统.exe
4944	KINSTALLERS_66_4538.exe
3600	官方.exe
224	淘宝客PID劫持器.exe
2896	KINSTALLERS_66_4538.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\官方.exe	upx
C:\Users\Admin\AppData\Local\Temp\官方.exe	upx
behavioral2/memory/3600-146-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3600-153-0x0000000000400000-0x0000000000410000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe	upx
C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe	upx
behavioral2/memory/2896-157-0x0000000000400000-0x0000000000575000-memory.dmp	upx
behavioral2/memory/2896-159-0x0000000000400000-0x0000000000575000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

官方.execmd.exe搜狗导航增值机.exe手机验证码接收系统.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	官方.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	搜狗导航增值机.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	手机验证码接收系统.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

KINSTALLERS_66_4538.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KINSTALLERS_66_4538.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

KINSTALLERS_66_4538.exe

description ioc process

File opened for modification \??\PhysicalDrive0 KINSTALLERS_66_4538.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KINSTALLERS_66_4538.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	KINSTALLERS_66_4538.exe

Modifies registry class 17 IoCs

Processes:

KINSTALLERS_66_4538.exe手机验证码接收系统.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	KINSTALLERS_66_4538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	KINSTALLERS_66_4538.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	KINSTALLERS_66_4538.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	KINSTALLERS_66_4538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	KINSTALLERS_66_4538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	KINSTALLERS_66_4538.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "9ynct9wsprhhst8c5hhlyn2xkgzw"	KINSTALLERS_66_4538.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "2269779082"	KINSTALLERS_66_4538.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	手机验证码接收系统.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "d2237461a2106a90ab08727c0cd4dbcf"	KINSTALLERS_66_4538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "9ynct9wsprhhst8c5hhlyn2xkgzw"	KINSTALLERS_66_4538.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	KINSTALLERS_66_4538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "2269779082"	KINSTALLERS_66_4538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	KINSTALLERS_66_4538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	KINSTALLERS_66_4538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0"	KINSTALLERS_66_4538.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3328 PING.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

淘宝客PID劫持器.exe

pid process

224 淘宝客PID劫持器.exe
224 淘宝客PID劫持器.exe

pid	process
3328	PING.EXE

pid	process
224	淘宝客PID劫持器.exe
224	淘宝客PID劫持器.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

搜狗导航增值机.exe手机验证码接收系统.exe官方.execmd.exeKINSTALLERS_66_4538.exe

description	pid	process	target process
PID 1492 wrote to memory of 3260	1492	搜狗导航增值机.exe	手机验证码接收系统.exe
PID 1492 wrote to memory of 3260	1492	搜狗导航增值机.exe	手机验证码接收系统.exe
PID 1492 wrote to memory of 3260	1492	搜狗导航增值机.exe	手机验证码接收系统.exe
PID 1492 wrote to memory of 4944	1492	搜狗导航增值机.exe	KINSTALLERS_66_4538.exe
PID 1492 wrote to memory of 4944	1492	搜狗导航增值机.exe	KINSTALLERS_66_4538.exe
PID 1492 wrote to memory of 4944	1492	搜狗导航增值机.exe	KINSTALLERS_66_4538.exe
PID 3260 wrote to memory of 3600	3260	手机验证码接收系统.exe	官方.exe
PID 3260 wrote to memory of 3600	3260	手机验证码接收系统.exe	官方.exe
PID 3260 wrote to memory of 3600	3260	手机验证码接收系统.exe	官方.exe
PID 3260 wrote to memory of 224	3260	手机验证码接收系统.exe	淘宝客PID劫持器.exe
PID 3260 wrote to memory of 224	3260	手机验证码接收系统.exe	淘宝客PID劫持器.exe
PID 3260 wrote to memory of 224	3260	手机验证码接收系统.exe	淘宝客PID劫持器.exe
PID 3600 wrote to memory of 752	3600	官方.exe	cmd.exe
PID 3600 wrote to memory of 752	3600	官方.exe	cmd.exe
PID 3600 wrote to memory of 752	3600	官方.exe	cmd.exe
PID 3260 wrote to memory of 4376	3260	手机验证码接收系统.exe	WScript.exe
PID 3260 wrote to memory of 4376	3260	手机验证码接收系统.exe	WScript.exe
PID 3260 wrote to memory of 4376	3260	手机验证码接收系统.exe	WScript.exe
PID 752 wrote to memory of 3328	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 3328	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 3328	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 1244	752	cmd.exe	WScript.exe
PID 752 wrote to memory of 1244	752	cmd.exe	WScript.exe
PID 752 wrote to memory of 1244	752	cmd.exe	WScript.exe
PID 4944 wrote to memory of 2896	4944	KINSTALLERS_66_4538.exe	KINSTALLERS_66_4538.exe
PID 4944 wrote to memory of 2896	4944	KINSTALLERS_66_4538.exe	KINSTALLERS_66_4538.exe
PID 4944 wrote to memory of 2896	4944	KINSTALLERS_66_4538.exe	KINSTALLERS_66_4538.exe

C:\Users\Admin\AppData\Local\Temp\搜狗导航增值机.exe
"C:\Users\Admin\AppData\Local\Temp\搜狗导航增值机.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe
"C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3260

C:\Users\Admin\AppData\Local\Temp\官方.exe
"C:\Users\Admin\AppData\Local\Temp\官方.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\376B.tmp\setup.bat" "
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.0.0.1
5⤵
- Runs ping.exe
PID:3328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123.VBS"
5⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe
"C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123.VBS"
3⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe
"C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe
"C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe" /s
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.VBS
Filesize
398B

MD5
b3515d5ceabbcf4ae352adf668e4aa26

SHA1
cef8001c51225008419dcf98553ce4c8e693bb48

SHA256
220776a333307c6f3ae27222bf5b916b3628647cbbe2b539c934423a6c6c4ecf

SHA512
59db9b37e46220a9437bbbec5d8f977a02ca2c1430d3b3a6262fbf5792ea7dea8575396b0dfa6ea889d902f3439049ebd3dd1bca6efb89a690b4d105572237d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.VBS
Filesize
398B

MD5
b3515d5ceabbcf4ae352adf668e4aa26

SHA1
cef8001c51225008419dcf98553ce4c8e693bb48

SHA256
220776a333307c6f3ae27222bf5b916b3628647cbbe2b539c934423a6c6c4ecf

SHA512
59db9b37e46220a9437bbbec5d8f977a02ca2c1430d3b3a6262fbf5792ea7dea8575396b0dfa6ea889d902f3439049ebd3dd1bca6efb89a690b4d105572237d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\376B.tmp\setup.bat
Filesize
34B

MD5
e1b9eb7f7d775d0d49d8ace123a88fc7

SHA1
a97bd323f7ba1d85fa53360e85137fc16a4de204

SHA256
11d81cc1aeebb5ef06dcf2b90bfdbec35d689a4776838882410f2aca3b00b101

SHA512
50ab4c7295ece4f6712bc488fffea83fa24a296c6d6538a554a4bedc2a90f54f359e304f3bf3975a27157c41cb45132b839e1efcb1e930e7fbd2fe16d21b65b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe
Filesize
58KB

MD5
f729d886356835c780a1ec4486f60576

SHA1
40fafe8a61965919a4cc32a079ec5747fdddcd3e

SHA256
7ae1beac54fb6511a53be696006ed0fbe1e0bfb76dd9b68f135e97ccf0ccde2e

SHA512
fcacc65d9154e262fcc790945becc673d8eb98410231d521249257e9c3e4c2dfc01854e7c7a86e39e68fa7024859f888cdf3f2cbb820dc068998fc5b506996c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe
Filesize
58KB

MD5
f729d886356835c780a1ec4486f60576

SHA1
40fafe8a61965919a4cc32a079ec5747fdddcd3e

SHA256
7ae1beac54fb6511a53be696006ed0fbe1e0bfb76dd9b68f135e97ccf0ccde2e

SHA512
fcacc65d9154e262fcc790945becc673d8eb98410231d521249257e9c3e4c2dfc01854e7c7a86e39e68fa7024859f888cdf3f2cbb820dc068998fc5b506996c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe
Filesize
30.1MB

MD5
cc8ff25a6404a2a99af9c515850ab0d6

SHA1
9b1b235cf30cf848c257cb3a0199ae6be3f968c5

SHA256
336493f13f3b205c1ec7898a0393cfe2765305dfedf1e90366cef185be1d9d03

SHA512
2db0f4dada8fd8294ce12b9c795593a8da5a69507114650f5c8c2ec070c00b849bbb89e13976b8f52e544877b424c191cd87321ca7e31700d8e5471f571b6f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe
Filesize
30.1MB

MD5
cc8ff25a6404a2a99af9c515850ab0d6

SHA1
9b1b235cf30cf848c257cb3a0199ae6be3f968c5

SHA256
336493f13f3b205c1ec7898a0393cfe2765305dfedf1e90366cef185be1d9d03

SHA512
2db0f4dada8fd8294ce12b9c795593a8da5a69507114650f5c8c2ec070c00b849bbb89e13976b8f52e544877b424c191cd87321ca7e31700d8e5471f571b6f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\官方.exe
Filesize
21KB

MD5
5a76883d66f3d880ca3e6a69ad693013

SHA1
d8f8177aedeb1e9779b88ff464251e2fb2e0b3f6

SHA256
68d447639d7a0588c7ac29506ae66a41006c3922ef32adc6bb2da43556a6b3e5

SHA512
dd93083e312768a3efa630734f53eb3180552a882095cda8ab4115a91c836e4b3e5a24412de4f53a9ab064f8dc64002079a8ae6556df1980881c68475d3bde02

Download Submit
C:\Users\Admin\AppData\Local\Temp\官方.exe
Filesize
21KB

MD5
5a76883d66f3d880ca3e6a69ad693013

SHA1
d8f8177aedeb1e9779b88ff464251e2fb2e0b3f6

SHA256
68d447639d7a0588c7ac29506ae66a41006c3922ef32adc6bb2da43556a6b3e5

SHA512
dd93083e312768a3efa630734f53eb3180552a882095cda8ab4115a91c836e4b3e5a24412de4f53a9ab064f8dc64002079a8ae6556df1980881c68475d3bde02

Download Submit
C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe
Filesize
456KB

MD5
653564b090dac7f2896856c54dc17312

SHA1
7d1c31329d59ceb766e45c340b21985ea8d149b5

SHA256
d04412c4cbcc986ccfd847bda6de2dedf97c1ac5da8a9318048e14a4f62f45dc

SHA512
c7c17866a9d0f10aea21a66efade0e9c419eaf0ccccfb3826e736101691ed07c06e18b186db06cdaf2402f15ab9b428c9e18cd4ab0157a82d246858bb1f24f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe
Filesize
456KB

MD5
653564b090dac7f2896856c54dc17312

SHA1
7d1c31329d59ceb766e45c340b21985ea8d149b5

SHA256
d04412c4cbcc986ccfd847bda6de2dedf97c1ac5da8a9318048e14a4f62f45dc

SHA512
c7c17866a9d0f10aea21a66efade0e9c419eaf0ccccfb3826e736101691ed07c06e18b186db06cdaf2402f15ab9b428c9e18cd4ab0157a82d246858bb1f24f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe
Filesize
772KB

MD5
13e8c8ed061b041e160c496fe8eb4ff2

SHA1
cf65914ea3c6743b4d1c916c402c0f95f21498f4

SHA256
52a5fb7bbc26d536cad0ff7a9474aa27f9f4ad039f9489fb6fe8ce44a315fc25

SHA512
c590dbfd6c6b13c1057d6fa8f981a233d2cdb1e775f037ba23127234d8d677dacc8582adf8d50051b2b2aba214e31cb6c430797372b49ff59605253e5068c1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe
Filesize
772KB

MD5
13e8c8ed061b041e160c496fe8eb4ff2

SHA1
cf65914ea3c6743b4d1c916c402c0f95f21498f4

SHA256
52a5fb7bbc26d536cad0ff7a9474aa27f9f4ad039f9489fb6fe8ce44a315fc25

SHA512
c590dbfd6c6b13c1057d6fa8f981a233d2cdb1e775f037ba23127234d8d677dacc8582adf8d50051b2b2aba214e31cb6c430797372b49ff59605253e5068c1de

Download Submit
memory/224-142-0x0000000000000000-mapping.dmp

Download
memory/224-147-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/224-158-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/752-145-0x0000000000000000-mapping.dmp

Download
memory/1244-152-0x0000000000000000-mapping.dmp

Download
memory/2896-157-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2896-159-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2896-154-0x0000000000000000-mapping.dmp

Download
memory/3260-132-0x0000000000000000-mapping.dmp

Download
memory/3328-151-0x0000000000000000-mapping.dmp

Download
memory/3600-146-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3600-153-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3600-138-0x0000000000000000-mapping.dmp

Download
memory/4376-150-0x0000000000000000-mapping.dmp

Download
memory/4944-135-0x0000000000000000-mapping.dmp

Download