4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc

Analysis

max time kernel
104s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe
Size

480KB
MD5

7a478a60432a2f6ba70d08f35316e281
SHA1

b6cf341f272c62643fc098c81f5bf29cb4b7dbc8
SHA256

4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc
SHA512

81553c0e54f420e137aadd472d8b15cc026d9db87726182591f090dcfe00d471a11881786b8e9173ae436877c14221637bcfd1d02f318a3b42fdc854abc2b250
SSDEEP

6144:x3iivPlrTo8JNYWfaWIjmyp+2z93DqvSG54AIH:UilJNYvLEE9WKAIH

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
920	explorer.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3888	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	explorer.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	reg.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe
File opened for modification	C:\Windows\assembly	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe
Token: 33	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe
Token: SeIncBasePriorityPrivilege	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe
Token: SeDebugPrivilege	920	explorer.exe
Token: 33	920	explorer.exe
Token: SeIncBasePriorityPrivilege	920	explorer.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4996	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	83
PID 2088 wrote to memory of 4996	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	83
PID 2088 wrote to memory of 4996	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	83
PID 2088 wrote to memory of 4176	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	85
PID 2088 wrote to memory of 4176	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	85
PID 2088 wrote to memory of 4176	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	85
PID 2088 wrote to memory of 3772	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	87
PID 2088 wrote to memory of 3772	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	87
PID 2088 wrote to memory of 3772	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	87
PID 2088 wrote to memory of 1432	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	89
PID 2088 wrote to memory of 1432	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	89
PID 2088 wrote to memory of 1432	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	89
PID 2088 wrote to memory of 4532	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	91
PID 2088 wrote to memory of 4532	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	91
PID 2088 wrote to memory of 4532	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	91
PID 2088 wrote to memory of 1596	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	94
PID 2088 wrote to memory of 1596	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	94
PID 2088 wrote to memory of 1596	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	94
PID 4996 wrote to memory of 3276	4996	cmd.exe	93
PID 4996 wrote to memory of 3276	4996	cmd.exe	93
PID 4996 wrote to memory of 3276	4996	cmd.exe	93
PID 2088 wrote to memory of 1224	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	95
PID 2088 wrote to memory of 1224	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	95
PID 2088 wrote to memory of 1224	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	95
PID 2088 wrote to memory of 3664	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	98
PID 2088 wrote to memory of 3664	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	98
PID 2088 wrote to memory of 3664	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	98
PID 4176 wrote to memory of 3080	4176	cmd.exe	100
PID 4176 wrote to memory of 3080	4176	cmd.exe	100
PID 4176 wrote to memory of 3080	4176	cmd.exe	100
PID 1432 wrote to memory of 4960	1432	cmd.exe	101
PID 1432 wrote to memory of 4960	1432	cmd.exe	101
PID 1432 wrote to memory of 4960	1432	cmd.exe	101
PID 4532 wrote to memory of 3600	4532	cmd.exe	102
PID 4532 wrote to memory of 3600	4532	cmd.exe	102
PID 4532 wrote to memory of 3600	4532	cmd.exe	102
PID 3772 wrote to memory of 4196	3772	cmd.exe	103
PID 3772 wrote to memory of 4196	3772	cmd.exe	103
PID 3772 wrote to memory of 4196	3772	cmd.exe	103
PID 1596 wrote to memory of 1972	1596	cmd.exe	104
PID 1596 wrote to memory of 1972	1596	cmd.exe	104
PID 1596 wrote to memory of 1972	1596	cmd.exe	104
PID 1224 wrote to memory of 2228	1224	cmd.exe	105
PID 1224 wrote to memory of 2228	1224	cmd.exe	105
PID 1224 wrote to memory of 2228	1224	cmd.exe	105
PID 3664 wrote to memory of 860	3664	cmd.exe	106
PID 3664 wrote to memory of 860	3664	cmd.exe	106
PID 3664 wrote to memory of 860	3664	cmd.exe	106
PID 2088 wrote to memory of 920	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	107
PID 2088 wrote to memory of 920	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	107
PID 2088 wrote to memory of 920	2088	4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe	107
PID 920 wrote to memory of 4652	920	explorer.exe	108
PID 920 wrote to memory of 4652	920	explorer.exe	108
PID 920 wrote to memory of 4652	920	explorer.exe	108
PID 4652 wrote to memory of 4392	4652	cmd.exe	110
PID 4652 wrote to memory of 4392	4652	cmd.exe	110
PID 4652 wrote to memory of 4392	4652	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe
"C:\Users\Admin\AppData\Local\Temp\4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Adds Run key to start application
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Adds Run key to start application
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Adds Run key to start application
    PID:4196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Adds Run key to start application
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Adds Run key to start application
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Adds Run key to start application
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Adds Run key to start application
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Adds Run key to start application
    PID:860
- C:\Users\Admin\AppData\Roaming\explorer.exe
  "C:\Users\Admin\AppData\Roaming\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft® Windows® Operating System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe
      4⤵
      Adds Run key to start application
      PID:4392
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
480KB

MD5
7a478a60432a2f6ba70d08f35316e281

SHA1
b6cf341f272c62643fc098c81f5bf29cb4b7dbc8

SHA256
4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc

SHA512
81553c0e54f420e137aadd472d8b15cc026d9db87726182591f090dcfe00d471a11881786b8e9173ae436877c14221637bcfd1d02f318a3b42fdc854abc2b250

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
480KB

MD5
7a478a60432a2f6ba70d08f35316e281

SHA1
b6cf341f272c62643fc098c81f5bf29cb4b7dbc8

SHA256
4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc

SHA512
81553c0e54f420e137aadd472d8b15cc026d9db87726182591f090dcfe00d471a11881786b8e9173ae436877c14221637bcfd1d02f318a3b42fdc854abc2b250

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
480KB

MD5
7a478a60432a2f6ba70d08f35316e281

SHA1
b6cf341f272c62643fc098c81f5bf29cb4b7dbc8

SHA256
4af7c72253f706a407b2e7e476bc760a25f18cb644a4049b467257953165a5fc

SHA512
81553c0e54f420e137aadd472d8b15cc026d9db87726182591f090dcfe00d471a11881786b8e9173ae436877c14221637bcfd1d02f318a3b42fdc854abc2b250

Download Submit
memory/920-155-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/920-159-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2088-132-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2088-157-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2088-133-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download