c073c4db7a3cb5bcb63e4ed852363d0d31a85ec58ef3129645d7faa84d11b165

Analysis

max time kernel
52s
max time network
57s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11/06/2023, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spacers.exe
Size

63.4MB
MD5

85ebea3f511747b3ec2d06f7b03d08bb
SHA1

817e6afcdb3bca84fbc0d245a7617b6e6cffc019
SHA256

178cda9435836fa7fae58264b67cf3e10b7561b3ca8f4a58bd264534d6116225
SHA512

815a941b5126c563b5b228018337b06d88dd0477f2664de829790bbc10eaa71dc5e0e0ede0b43b50891eef32f23e45d8c55fa818f5522338a7455888d1ba9318
SSDEEP

786432:CX8r2z/cyKBQs3OE/Hx6IVswnbOo525r+7dOLBDun:CsSrczZ3OEAnl1BydOtDun

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4004	powershell.exe
4004	powershell.exe
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe
4004	powershell.exe
2212	powershell.exe
2212	powershell.exe
2212	powershell.exe
4332	powershell.exe
4332	powershell.exe
4332	powershell.exe
792	powershell.exe
2932	powershell.exe
5044	powershell.exe
792	powershell.exe
5044	powershell.exe
2932	powershell.exe
792	powershell.exe
2932	powershell.exe
5044	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeIncreaseQuotaPrivilege	4004	powershell.exe
Token: SeSecurityPrivilege	4004	powershell.exe
Token: SeTakeOwnershipPrivilege	4004	powershell.exe
Token: SeLoadDriverPrivilege	4004	powershell.exe
Token: SeSystemProfilePrivilege	4004	powershell.exe
Token: SeSystemtimePrivilege	4004	powershell.exe
Token: SeProfSingleProcessPrivilege	4004	powershell.exe
Token: SeIncBasePriorityPrivilege	4004	powershell.exe
Token: SeCreatePagefilePrivilege	4004	powershell.exe
Token: SeBackupPrivilege	4004	powershell.exe
Token: SeRestorePrivilege	4004	powershell.exe
Token: SeShutdownPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeSystemEnvironmentPrivilege	4004	powershell.exe
Token: SeRemoteShutdownPrivilege	4004	powershell.exe
Token: SeUndockPrivilege	4004	powershell.exe
Token: SeManageVolumePrivilege	4004	powershell.exe
Token: 33	4004	powershell.exe
Token: 34	4004	powershell.exe
Token: 35	4004	powershell.exe
Token: 36	4004	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeSystemEnvironmentPrivilege	2212	powershell.exe
Token: SeRemoteShutdownPrivilege	2212	powershell.exe
Token: SeUndockPrivilege	2212	powershell.exe
Token: SeManageVolumePrivilege	2212	powershell.exe
Token: 33	2212	powershell.exe
Token: 34	2212	powershell.exe
Token: 35	2212	powershell.exe
Token: 36	2212	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeIncreaseQuotaPrivilege	4332	powershell.exe
Token: SeSecurityPrivilege	4332	powershell.exe
Token: SeTakeOwnershipPrivilege	4332	powershell.exe
Token: SeLoadDriverPrivilege	4332	powershell.exe
Token: SeSystemProfilePrivilege	4332	powershell.exe
Token: SeSystemtimePrivilege	4332	powershell.exe
Token: SeProfSingleProcessPrivilege	4332	powershell.exe
Token: SeIncBasePriorityPrivilege	4332	powershell.exe
Token: SeCreatePagefilePrivilege	4332	powershell.exe
Token: SeBackupPrivilege	4332	powershell.exe
Token: SeRestorePrivilege	4332	powershell.exe
Token: SeShutdownPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeSystemEnvironmentPrivilege	4332	powershell.exe
Token: SeRemoteShutdownPrivilege	4332	powershell.exe
Token: SeUndockPrivilege	4332	powershell.exe
Token: SeManageVolumePrivilege	4332	powershell.exe
Token: 33	4332	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3464	2440	spacers.exe	67
PID 2440 wrote to memory of 3464	2440	spacers.exe	67
PID 3464 wrote to memory of 4688	3464	cmd.exe	69
PID 3464 wrote to memory of 4688	3464	cmd.exe	69
PID 2440 wrote to memory of 3980	2440	spacers.exe	70
PID 2440 wrote to memory of 3980	2440	spacers.exe	70
PID 2440 wrote to memory of 4004	2440	spacers.exe	71
PID 2440 wrote to memory of 4004	2440	spacers.exe	71
PID 3980 wrote to memory of 780	3980	powershell.exe	73
PID 3980 wrote to memory of 780	3980	powershell.exe	73
PID 780 wrote to memory of 2580	780	csc.exe	74
PID 780 wrote to memory of 2580	780	csc.exe	74
PID 2440 wrote to memory of 2212	2440	spacers.exe	76
PID 2440 wrote to memory of 2212	2440	spacers.exe	76
PID 2440 wrote to memory of 4332	2440	spacers.exe	79
PID 2440 wrote to memory of 4332	2440	spacers.exe	79
PID 2440 wrote to memory of 3836	2440	spacers.exe	81
PID 2440 wrote to memory of 3836	2440	spacers.exe	81
PID 2440 wrote to memory of 2932	2440	spacers.exe	83
PID 2440 wrote to memory of 2932	2440	spacers.exe	83
PID 2440 wrote to memory of 5044	2440	spacers.exe	88
PID 2440 wrote to memory of 5044	2440	spacers.exe	88
PID 2440 wrote to memory of 792	2440	spacers.exe	84
PID 2440 wrote to memory of 792	2440	spacers.exe	84
PID 2440 wrote to memory of 1316	2440	spacers.exe	89
PID 2440 wrote to memory of 1316	2440	spacers.exe	89
PID 1316 wrote to memory of 4424	1316	cmd.exe	91
PID 1316 wrote to memory of 4424	1316	cmd.exe	91
PID 2440 wrote to memory of 4764	2440	spacers.exe	92
PID 2440 wrote to memory of 4764	2440	spacers.exe	92
PID 2440 wrote to memory of 3184	2440	spacers.exe	94
PID 2440 wrote to memory of 3184	2440	spacers.exe	94
PID 3184 wrote to memory of 3168	3184	cmd.exe	96
PID 3184 wrote to memory of 3168	3184	cmd.exe	96
PID 2440 wrote to memory of 2260	2440	spacers.exe	97
PID 2440 wrote to memory of 2260	2440	spacers.exe	97

C:\Users\Admin\AppData\Local\Temp\spacers.exe
"C:\Users\Admin\AppData\Local\Temp\spacers.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cpfdigor\cpfdigor.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3F3.tmp" "c:\Users\Admin\AppData\Local\Temp\cpfdigor\CSC21C8AF39BA74235809B1C25B5E82D1F.TMP"
      4⤵
      PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:3836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
    3⤵
    PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
549f14c376cf1f7b0886c6e80c0b4304

SHA1
550cd3995deecaf376dfd62f471ffbe3b19896f4

SHA256
3b651079902e3596f93800b9b834d11ab3d08efd6e45f4de6022baf719ccd302

SHA512
1db03c8dc253a0ec3e4ffb819282dc327dbe3550db747873146267a6fda4dd5f6d08321fab4c2d7e28974e84dcf9c4ffc00aca3cd64019d710f083a26e6d59b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
549f14c376cf1f7b0886c6e80c0b4304

SHA1
550cd3995deecaf376dfd62f471ffbe3b19896f4

SHA256
3b651079902e3596f93800b9b834d11ab3d08efd6e45f4de6022baf719ccd302

SHA512
1db03c8dc253a0ec3e4ffb819282dc327dbe3550db747873146267a6fda4dd5f6d08321fab4c2d7e28974e84dcf9c4ffc00aca3cd64019d710f083a26e6d59b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
549f14c376cf1f7b0886c6e80c0b4304

SHA1
550cd3995deecaf376dfd62f471ffbe3b19896f4

SHA256
3b651079902e3596f93800b9b834d11ab3d08efd6e45f4de6022baf719ccd302

SHA512
1db03c8dc253a0ec3e4ffb819282dc327dbe3550db747873146267a6fda4dd5f6d08321fab4c2d7e28974e84dcf9c4ffc00aca3cd64019d710f083a26e6d59b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c373cdb8236bb363319af570bd628dfc

SHA1
4f756c7d4a6f6e8494bd884bb9e00646e84e119b

SHA256
68d7a477b2bc5a4bf0f3894860999fa442a5b8653579f8173391dcc43dcbaf47

SHA512
cf8b041f6bfa9608191750a577bd86573656a017af61882db73f3e1f639411855038e3b761965cf04b26a0c0bbec1b6320482e787b7d667e0450c8ffb9ef1ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7574e857f9b74300e710d2622656f71c

SHA1
5451c4cb5bd37d238576d56fc3aa0c71c44305ea

SHA256
781dcfc23cab1349a66dd2d5c387181d3f42b106672cd3dc395da9550dbc0937

SHA512
c563c3a98616d039fb49b1d72a2a494b8ec97f4121296192cb544ee89bf90a112b32345dd040c514b7a496b3d23b7441b53c6b18b744be0a163407d201113e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b8b86a4cbc7916f2bc580d8c673c2085

SHA1
4bb26a4c5d5e08b02f5ff05ceea7bb67c0f830d6

SHA256
adb40f0446faf5ff4ee892faa373f7f3549a1699b309f27b58dc56b217f6e0d5

SHA512
35a864b3296756128d35296745b335207b183ddd806a7beb4566e9c4655f4197b47c8a3e34614ffcac3129e9f06b6257a6cbce4d1b97f4a9142d54f444a48856

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3F3.tmp

Filesize
1KB

MD5
492ae15be25fece272daec2ebc1c917b

SHA1
81f76e8afcfbadce2b4f793b1cea85e437b370ee

SHA256
19e3c4411ff420f50ee4a59ef6e155a566ee1850de2e8f0c433ec25570cad0ca

SHA512
9e5cf1a52caa529e3d9b9657b26cba7c8404c56341c13bc4fe973534c0b872fee1e07ee2af1269e0371e24a730831440aead264438e8c8c2603f559baa5bd3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jac3c5u2.1bi.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpfdigor\cpfdigor.dll

Filesize
3KB

MD5
3cc938349d785bf3a37ba199eb2b58bc

SHA1
d25ba059748c9ece9a28680c5b39e7ed4f353713

SHA256
a376b92f7de4e175c24922abbb6069a14aaa5cb8495f02829750f409be28d114

SHA512
36ee4151613d7d4d7639472f6b550d0d418e1b1528e15c81f4da93a051bae777aacdd3948dd46608a74bc6cc2d39cc056942f1f1365816903fb7c6b9119f90ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cpfdigor\CSC21C8AF39BA74235809B1C25B5E82D1F.TMP

Filesize
652B

MD5
4cb441889cf541f52c1549ecb4e2e266

SHA1
6d8245d8dacede6d00961e0f5f29c3bd6c9d5218

SHA256
3601ea7d0ad4c7d8eed560ee6b93a6cb61b144177992efdf3d5cef022ec8ee0d

SHA512
876fd6350ff87458e927f81cbe28de20e919a128f5f405cb56a3789e04dfdb003d968ac78ee3e277f0ce66160c342243857f7ccb4d3f9ec21f5276b6ce5811ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cpfdigor\cpfdigor.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cpfdigor\cpfdigor.cmdline

Filesize
369B

MD5
655d23b50cd5c1eb9d722a8539e78d20

SHA1
6151e9bc2817e6c1389682c05344c25c0f7ec217

SHA256
cd4566a07f7cdfafb2c4fe20e45c8d5eaac0d71aafa9af04b9d77328acb07d8c

SHA512
32b77b256c8198abf9a3740824a6341bd418a807bcab959c49981f3b9f79f2ffa7b1ba640f643e1f4f4e2ba6225e7f307db731b533533305750913c4f7e3668f

Download Submit
memory/792-992-0x000001ADC09A0000-0x000001ADC09B0000-memory.dmp

Filesize
64KB

Download
memory/792-984-0x000001ADC09A0000-0x000001ADC09B0000-memory.dmp

Filesize
64KB

Download
memory/2212-465-0x0000024A3A890000-0x0000024A3A8A0000-memory.dmp

Filesize
64KB

Download
memory/2212-464-0x0000024A3A890000-0x0000024A3A8A0000-memory.dmp

Filesize
64KB

Download
memory/2932-973-0x000001FC42C50000-0x000001FC42C60000-memory.dmp

Filesize
64KB

Download
memory/2932-989-0x000001FC42C50000-0x000001FC42C60000-memory.dmp

Filesize
64KB

Download
memory/2932-1497-0x000001FC42C50000-0x000001FC42C60000-memory.dmp

Filesize
64KB

Download
memory/2932-1449-0x000001FC42C50000-0x000001FC42C60000-memory.dmp

Filesize
64KB

Download
memory/2932-1446-0x000001FC42C50000-0x000001FC42C60000-memory.dmp

Filesize
64KB

Download
memory/3980-173-0x0000018955520000-0x0000018955530000-memory.dmp

Filesize
64KB

Download
memory/3980-209-0x000001893D210000-0x000001893D218000-memory.dmp

Filesize
32KB

Download
memory/3980-147-0x0000018955630000-0x00000189556A6000-memory.dmp

Filesize
472KB

Download
memory/3980-176-0x0000018955520000-0x0000018955530000-memory.dmp

Filesize
64KB

Download
memory/4004-394-0x0000018953390000-0x00000189533B2000-memory.dmp

Filesize
136KB

Download
memory/4004-169-0x000001893AD90000-0x000001893ADA0000-memory.dmp

Filesize
64KB

Download
memory/4004-172-0x000001893AD90000-0x000001893ADA0000-memory.dmp

Filesize
64KB

Download
memory/4004-375-0x0000018953390000-0x00000189533BA000-memory.dmp

Filesize
168KB

Download
memory/4004-182-0x00000189531D0000-0x000001895320C000-memory.dmp

Filesize
240KB

Download
memory/4004-128-0x0000018952F50000-0x0000018952F72000-memory.dmp

Filesize
136KB

Download
memory/4332-681-0x00000263368A0000-0x00000263368B0000-memory.dmp

Filesize
64KB

Download
memory/4332-682-0x00000263368A0000-0x00000263368B0000-memory.dmp

Filesize
64KB

Download
memory/4764-1525-0x0000023692390000-0x00000236923A0000-memory.dmp

Filesize
64KB

Download
memory/4764-1527-0x0000023692390000-0x00000236923A0000-memory.dmp

Filesize
64KB

Download
memory/5044-1440-0x0000028777620000-0x0000028777630000-memory.dmp

Filesize
64KB

Download
memory/5044-1494-0x0000028777620000-0x0000028777630000-memory.dmp

Filesize
64KB

Download
memory/5044-1443-0x0000028777620000-0x0000028777630000-memory.dmp

Filesize
64KB

Download
memory/5044-969-0x0000028777620000-0x0000028777630000-memory.dmp

Filesize
64KB

Download
memory/5044-959-0x0000028777620000-0x0000028777630000-memory.dmp

Filesize
64KB

Download