04746766505910dd8988fed6fdd008942557badc1ff9a553fd732914ca8156c3

Analysis

max time kernel
148s
max time network
178s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe
Size

827KB
MD5

2b2c6d2857d5442e1d38a724c05d17fd
SHA1

99ae73718cb56d9dbc6bf61773ae3994cce55d58
SHA256

36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987
SHA512

c26fdae3a71521da9966cb3c331642090a2799aabbce33fbf79038137dac4b63386a5c824698623b231d9dde8e29b03d089a4fa1c9e087e700666bb1132c1da6
SSDEEP

24576:myeFxsRdrM54UNouOIKS3W91gvuR1ckxA2cZEC:1qQqGUNomKS3W9pYk+2cZ

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it179916.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it179916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it179916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it179916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it179916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it179916.exe

Executes dropped EXE 4 IoCs

pid	Process
2012	zirw4509.exe
308	ziWh6976.exe
1472	it179916.exe
1600	jr196799.exe

Loads dropped DLL 8 IoCs

pid	Process
1128	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe
2012	zirw4509.exe
2012	zirw4509.exe
308	ziWh6976.exe
308	ziWh6976.exe
308	ziWh6976.exe
308	ziWh6976.exe
1600	jr196799.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	it179916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it179916.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziWh6976.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zirw4509.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zirw4509.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziWh6976.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1472	it179916.exe
1472	it179916.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	it179916.exe
Token: SeDebugPrivilege	1600	jr196799.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2012	1128	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe	28
PID 1128 wrote to memory of 2012	1128	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe	28
PID 1128 wrote to memory of 2012	1128	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe	28
PID 1128 wrote to memory of 2012	1128	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe	28
PID 1128 wrote to memory of 2012	1128	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe	28
PID 1128 wrote to memory of 2012	1128	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe	28
PID 1128 wrote to memory of 2012	1128	36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe	28
PID 2012 wrote to memory of 308	2012	zirw4509.exe	29
PID 2012 wrote to memory of 308	2012	zirw4509.exe	29
PID 2012 wrote to memory of 308	2012	zirw4509.exe	29
PID 2012 wrote to memory of 308	2012	zirw4509.exe	29
PID 2012 wrote to memory of 308	2012	zirw4509.exe	29
PID 2012 wrote to memory of 308	2012	zirw4509.exe	29
PID 2012 wrote to memory of 308	2012	zirw4509.exe	29
PID 308 wrote to memory of 1472	308	ziWh6976.exe	30
PID 308 wrote to memory of 1472	308	ziWh6976.exe	30
PID 308 wrote to memory of 1472	308	ziWh6976.exe	30
PID 308 wrote to memory of 1472	308	ziWh6976.exe	30
PID 308 wrote to memory of 1472	308	ziWh6976.exe	30
PID 308 wrote to memory of 1472	308	ziWh6976.exe	30
PID 308 wrote to memory of 1472	308	ziWh6976.exe	30
PID 308 wrote to memory of 1600	308	ziWh6976.exe	31
PID 308 wrote to memory of 1600	308	ziWh6976.exe	31
PID 308 wrote to memory of 1600	308	ziWh6976.exe	31
PID 308 wrote to memory of 1600	308	ziWh6976.exe	31
PID 308 wrote to memory of 1600	308	ziWh6976.exe	31
PID 308 wrote to memory of 1600	308	ziWh6976.exe	31
PID 308 wrote to memory of 1600	308	ziWh6976.exe	31

C:\Users\Admin\AppData\Local\Temp\36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe
"C:\Users\Admin\AppData\Local\Temp\36108347fe6895016fba031c06791828e168f88c3199e683710874bd05173987.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirw4509.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirw4509.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh6976.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh6976.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it179916.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it179916.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr196799.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr196799.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirw4509.exe

Filesize
568KB

MD5
ba5261403e44296b65b7bced56e6380b

SHA1
cf14c7dd2ad0de08d5126709b1505a541dafa674

SHA256
675e898a2972d5990679baead6586503f8e5090e93b4a9b53b1ae0b7e92106a1

SHA512
87d6cf4bf681a7e029b9d76a106937bb86c105c27a225519eb85739e61c9cff2e74e177c9cc2559eb69a65b159276c1a6329a0207f572802f0e8751f88dbb964

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirw4509.exe

Filesize
568KB

MD5
ba5261403e44296b65b7bced56e6380b

SHA1
cf14c7dd2ad0de08d5126709b1505a541dafa674

SHA256
675e898a2972d5990679baead6586503f8e5090e93b4a9b53b1ae0b7e92106a1

SHA512
87d6cf4bf681a7e029b9d76a106937bb86c105c27a225519eb85739e61c9cff2e74e177c9cc2559eb69a65b159276c1a6329a0207f572802f0e8751f88dbb964

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh6976.exe

Filesize
414KB

MD5
adfe4d421f94c2154c57cad4d82c4f3d

SHA1
36a31f31b8f83c750fdf7b97e74e4c83000b338f

SHA256
858251b2eb59cd0a39d3b83f58dcc061038e5e82fe4e3d6702de645d8f6987f3

SHA512
a30c0c559669316f26fd1f6b9bcf9139a5e7814672c8ff5dec5b89f08ae1e35291f48175cd64329d2f278b1fc6b2b749352ab469158de92cd0341041c2541f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh6976.exe

Filesize
414KB

MD5
adfe4d421f94c2154c57cad4d82c4f3d

SHA1
36a31f31b8f83c750fdf7b97e74e4c83000b338f

SHA256
858251b2eb59cd0a39d3b83f58dcc061038e5e82fe4e3d6702de645d8f6987f3

SHA512
a30c0c559669316f26fd1f6b9bcf9139a5e7814672c8ff5dec5b89f08ae1e35291f48175cd64329d2f278b1fc6b2b749352ab469158de92cd0341041c2541f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it179916.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it179916.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr196799.exe

Filesize
381KB

MD5
b1b3a261e08f9d3bb6292f0834b6eb45

SHA1
e1ffd71097dcf39d70244773b0305cd744b5810f

SHA256
48c98396928683f3e3c25ab2d72dff18194c15a12294b823b576025018db0f7f

SHA512
c71e9ba9ee0579654407cfe9914ea270a71b24b31278401f5991362cd852c4f36ff3e6c41626c35c18b7240b489400e4c989f0d4125e136c044dbe6d66e2495b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr196799.exe

Filesize
381KB

MD5
b1b3a261e08f9d3bb6292f0834b6eb45

SHA1
e1ffd71097dcf39d70244773b0305cd744b5810f

SHA256
48c98396928683f3e3c25ab2d72dff18194c15a12294b823b576025018db0f7f

SHA512
c71e9ba9ee0579654407cfe9914ea270a71b24b31278401f5991362cd852c4f36ff3e6c41626c35c18b7240b489400e4c989f0d4125e136c044dbe6d66e2495b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr196799.exe

Filesize
381KB

MD5
b1b3a261e08f9d3bb6292f0834b6eb45

SHA1
e1ffd71097dcf39d70244773b0305cd744b5810f

SHA256
48c98396928683f3e3c25ab2d72dff18194c15a12294b823b576025018db0f7f

SHA512
c71e9ba9ee0579654407cfe9914ea270a71b24b31278401f5991362cd852c4f36ff3e6c41626c35c18b7240b489400e4c989f0d4125e136c044dbe6d66e2495b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirw4509.exe

Filesize
568KB

MD5
ba5261403e44296b65b7bced56e6380b

SHA1
cf14c7dd2ad0de08d5126709b1505a541dafa674

SHA256
675e898a2972d5990679baead6586503f8e5090e93b4a9b53b1ae0b7e92106a1

SHA512
87d6cf4bf681a7e029b9d76a106937bb86c105c27a225519eb85739e61c9cff2e74e177c9cc2559eb69a65b159276c1a6329a0207f572802f0e8751f88dbb964

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirw4509.exe

Filesize
568KB

MD5
ba5261403e44296b65b7bced56e6380b

SHA1
cf14c7dd2ad0de08d5126709b1505a541dafa674

SHA256
675e898a2972d5990679baead6586503f8e5090e93b4a9b53b1ae0b7e92106a1

SHA512
87d6cf4bf681a7e029b9d76a106937bb86c105c27a225519eb85739e61c9cff2e74e177c9cc2559eb69a65b159276c1a6329a0207f572802f0e8751f88dbb964

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh6976.exe

Filesize
414KB

MD5
adfe4d421f94c2154c57cad4d82c4f3d

SHA1
36a31f31b8f83c750fdf7b97e74e4c83000b338f

SHA256
858251b2eb59cd0a39d3b83f58dcc061038e5e82fe4e3d6702de645d8f6987f3

SHA512
a30c0c559669316f26fd1f6b9bcf9139a5e7814672c8ff5dec5b89f08ae1e35291f48175cd64329d2f278b1fc6b2b749352ab469158de92cd0341041c2541f27

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziWh6976.exe

Filesize
414KB

MD5
adfe4d421f94c2154c57cad4d82c4f3d

SHA1
36a31f31b8f83c750fdf7b97e74e4c83000b338f

SHA256
858251b2eb59cd0a39d3b83f58dcc061038e5e82fe4e3d6702de645d8f6987f3

SHA512
a30c0c559669316f26fd1f6b9bcf9139a5e7814672c8ff5dec5b89f08ae1e35291f48175cd64329d2f278b1fc6b2b749352ab469158de92cd0341041c2541f27

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\it179916.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr196799.exe

Filesize
381KB

MD5
b1b3a261e08f9d3bb6292f0834b6eb45

SHA1
e1ffd71097dcf39d70244773b0305cd744b5810f

SHA256
48c98396928683f3e3c25ab2d72dff18194c15a12294b823b576025018db0f7f

SHA512
c71e9ba9ee0579654407cfe9914ea270a71b24b31278401f5991362cd852c4f36ff3e6c41626c35c18b7240b489400e4c989f0d4125e136c044dbe6d66e2495b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr196799.exe

Filesize
381KB

MD5
b1b3a261e08f9d3bb6292f0834b6eb45

SHA1
e1ffd71097dcf39d70244773b0305cd744b5810f

SHA256
48c98396928683f3e3c25ab2d72dff18194c15a12294b823b576025018db0f7f

SHA512
c71e9ba9ee0579654407cfe9914ea270a71b24b31278401f5991362cd852c4f36ff3e6c41626c35c18b7240b489400e4c989f0d4125e136c044dbe6d66e2495b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr196799.exe

Filesize
381KB

MD5
b1b3a261e08f9d3bb6292f0834b6eb45

SHA1
e1ffd71097dcf39d70244773b0305cd744b5810f

SHA256
48c98396928683f3e3c25ab2d72dff18194c15a12294b823b576025018db0f7f

SHA512
c71e9ba9ee0579654407cfe9914ea270a71b24b31278401f5991362cd852c4f36ff3e6c41626c35c18b7240b489400e4c989f0d4125e136c044dbe6d66e2495b

Download Submit
memory/1472-82-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/1600-110-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-130-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-95-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-96-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-98-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-100-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-104-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-102-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-108-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-106-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-93-0x0000000004640000-0x000000000467C000-memory.dmp

Filesize
240KB

Download
memory/1600-112-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-114-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-118-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-116-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-120-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-122-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-124-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-126-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-94-0x00000000047F0000-0x000000000482A000-memory.dmp

Filesize
232KB

Download
memory/1600-128-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-132-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-134-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-138-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-136-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-140-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-142-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/1600-143-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-144-0x0000000007330000-0x0000000007370000-memory.dmp

Filesize
256KB

Download
memory/1600-146-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-148-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-152-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-150-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-154-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-158-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-156-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-160-0x00000000047F0000-0x0000000004825000-memory.dmp

Filesize
212KB

Download
memory/1600-889-0x0000000007330000-0x0000000007370000-memory.dmp

Filesize
256KB

Download
memory/1600-892-0x0000000007330000-0x0000000007370000-memory.dmp

Filesize
256KB

Download