99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25

Analysis

max time kernel
152s
max time network
202s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
Size

220KB
MD5

3f229fac211b28edc27bb254e8d8ad69
SHA1

2240a23dbecc9e722832b434f6fea7430db6017d
SHA256

99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25
SHA512

f72f57231333eafe28c375c01133823e8f30b13ab352f99d0ece19a1e8ba6e356e5e5b28a2c7ed20949bf973bfd235216f8ad02430d6fbec3e72d5b87dac4c01
SSDEEP

6144:SRgZnR7q7n/hyB1g9UpxSrwhw6A2po7Bd4hitw:iaR7egPp0whwoo774Qtw

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1380-60-0x0000000020010000-0x0000000020088000-memory.dmp	upx
behavioral1/memory/1380-61-0x0000000020010000-0x0000000020088000-memory.dmp	upx
behavioral1/memory/1380-63-0x0000000020010000-0x0000000020088000-memory.dmp	upx

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	attrib.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1380	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
Token: SeDebugPrivilege	1380	svchost.exe
Token: SeTakeOwnershipPrivilege	1380	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1364 wrote to memory of 1380	1364	99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe	28
PID 1380 wrote to memory of 824	1380	svchost.exe	31
PID 1380 wrote to memory of 824	1380	svchost.exe	31
PID 1380 wrote to memory of 824	1380	svchost.exe	31
PID 1380 wrote to memory of 824	1380	svchost.exe	31
PID 824 wrote to memory of 828	824	cmd.exe	33
PID 824 wrote to memory of 828	824	cmd.exe	33
PID 824 wrote to memory of 828	824	cmd.exe	33
PID 824 wrote to memory of 828	824	cmd.exe	33
PID 1380 wrote to memory of 1084	1380	svchost.exe	34
PID 1380 wrote to memory of 1084	1380	svchost.exe	34
PID 1380 wrote to memory of 1084	1380	svchost.exe	34
PID 1380 wrote to memory of 1084	1380	svchost.exe	34
PID 1380 wrote to memory of 988	1380	svchost.exe	36
PID 1380 wrote to memory of 988	1380	svchost.exe	36
PID 1380 wrote to memory of 988	1380	svchost.exe	36
PID 1380 wrote to memory of 988	1380	svchost.exe	36
PID 988 wrote to memory of 1688	988	cmd.exe	38
PID 988 wrote to memory of 1688	988	cmd.exe	38
PID 988 wrote to memory of 1688	988	cmd.exe	38
PID 988 wrote to memory of 1688	988	cmd.exe	38
PID 1380 wrote to memory of 1236	1380	svchost.exe	39
PID 1380 wrote to memory of 1236	1380	svchost.exe	39
PID 1380 wrote to memory of 1236	1380	svchost.exe	39
PID 1380 wrote to memory of 1236	1380	svchost.exe	39
PID 1380 wrote to memory of 328	1380	svchost.exe	41
PID 1380 wrote to memory of 328	1380	svchost.exe	41

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
828	attrib.exe
1688	attrib.exe

C:\Users\Admin\AppData\Local\Temp\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
"C:\Users\Admin\AppData\Local\Temp\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib -h "C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h "C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"
      4⤵
      Views/modifies file attributes
      PID:828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe" "C:\Windows\system32\"
    3⤵
    - Drops file in System32 directory
    PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib +h "C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe"
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:1688
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
    3⤵
    - Adds Run key to start application
    PID:1236
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
    3⤵
    - Adds Run key to start application
    PID:328
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
    3⤵
    - Adds Run key to start application
    PID:1812
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
    3⤵
    - Adds Run key to start application
    PID:1168
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
    3⤵
    - Adds Run key to start application
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
    3⤵
    - Adds Run key to start application
    PID:1044
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
    3⤵
    - Adds Run key to start application
    PID:472
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
    3⤵
    - Adds Run key to start application
    PID:1204
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe
    3⤵
    - Adds Run key to start application
    PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe

Filesize
220KB

MD5
c1e0a51d7d6e1e27b59996a42acac037

SHA1
8e2d615d7537bded70c543a6f5b013ba46b5369c

SHA256
1733bc0b79ba3906614ef358c48cf56ebc3e3b9ae7ab53b18c224fd0518b374a

SHA512
85ecba6e0074c1049e591793fdc1147db5e5aaec3d1c338a60ff87c6b7823f8d7054205faf350323d799efc8b847396739262d77c68b6f35254af92e5482ab7c

Download Submit
C:\Windows\SysWOW64\99afa3dfd1949ef862980ea4b35321a07bf90bc21a59b6c158ddd989f3852e25.exe

Filesize
220KB

MD5
c1e0a51d7d6e1e27b59996a42acac037

SHA1
8e2d615d7537bded70c543a6f5b013ba46b5369c

SHA256
1733bc0b79ba3906614ef358c48cf56ebc3e3b9ae7ab53b18c224fd0518b374a

SHA512
85ecba6e0074c1049e591793fdc1147db5e5aaec3d1c338a60ff87c6b7823f8d7054205faf350323d799efc8b847396739262d77c68b6f35254af92e5482ab7c

Download Submit
memory/328-72-0x0000000000000000-mapping.dmp

Download
memory/472-77-0x0000000000000000-mapping.dmp

Download
memory/824-64-0x0000000000000000-mapping.dmp

Download
memory/828-65-0x0000000000000000-mapping.dmp

Download
memory/988-68-0x0000000000000000-mapping.dmp

Download
memory/1044-76-0x0000000000000000-mapping.dmp

Download
memory/1076-79-0x0000000000000000-mapping.dmp

Download
memory/1084-66-0x0000000000000000-mapping.dmp

Download
memory/1168-74-0x0000000000000000-mapping.dmp

Download
memory/1204-78-0x0000000000000000-mapping.dmp

Download
memory/1236-71-0x0000000000000000-mapping.dmp

Download
memory/1364-54-0x0000000013140000-0x000000001314E000-memory.dmp

Filesize
56KB

Download
memory/1380-57-0x0000000000000000-mapping.dmp

Download
memory/1380-60-0x0000000020010000-0x0000000020088000-memory.dmp

Filesize
480KB

Download
memory/1380-58-0x0000000020010000-0x0000000020088000-memory.dmp

Filesize
480KB

Download
memory/1380-63-0x0000000020010000-0x0000000020088000-memory.dmp

Filesize
480KB

Download
memory/1380-62-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/1380-61-0x0000000020010000-0x0000000020088000-memory.dmp

Filesize
480KB

Download
memory/1688-69-0x0000000000000000-mapping.dmp

Download
memory/1812-73-0x0000000000000000-mapping.dmp

Download
memory/1884-75-0x0000000000000000-mapping.dmp

Download