privateloader | e71d9dae0ae73ca4950fd14cc868de8ffdc25985c93b033994631271c74c98e7

Analysis

max time kernel
141s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

officeactivator.exe
Size

15.2MB
MD5

209635421416545cb239f7484909fcf8
SHA1

850fb53685bc7e70fe267aaed72f45ae7589ee03
SHA256

e71d9dae0ae73ca4950fd14cc868de8ffdc25985c93b033994631271c74c98e7
SHA512

c64adac9909f7c5f3e0e412b8403e2298d5698c33334f4571757c2c7276bcb820c70a7c48f7a17ccb546906007188dc798c8f3e9063faa8b00cfe7a90410bc0e
SSDEEP

393216:uLoWykOEywRjHw4sxA0gnItqy0wRoEbLNKE:bkPnRjQk0OVyV6yKE

Score

10^/10

privateloader execution loader upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
22	2532	powershell.exe
24	1600	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3644	files.dat

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4132-0-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-109-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-110-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-111-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-112-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-113-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-114-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-115-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-116-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-119-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-121-0x0000000000400000-0x0000000002334000-memory.dmp	upx
behavioral2/memory/4132-122-0x0000000000400000-0x0000000002334000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1600	powershell.exe
4208	powershell.exe
2532	powershell.exe
3428	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2532	powershell.exe
2532	powershell.exe
3428	powershell.exe
3428	powershell.exe
1600	powershell.exe
1600	powershell.exe
4208	powershell.exe
4208	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	456	WMIC.exe
Token: SeSecurityPrivilege	456	WMIC.exe
Token: SeTakeOwnershipPrivilege	456	WMIC.exe
Token: SeLoadDriverPrivilege	456	WMIC.exe
Token: SeSystemProfilePrivilege	456	WMIC.exe
Token: SeSystemtimePrivilege	456	WMIC.exe
Token: SeProfSingleProcessPrivilege	456	WMIC.exe
Token: SeIncBasePriorityPrivilege	456	WMIC.exe
Token: SeCreatePagefilePrivilege	456	WMIC.exe
Token: SeBackupPrivilege	456	WMIC.exe
Token: SeRestorePrivilege	456	WMIC.exe
Token: SeShutdownPrivilege	456	WMIC.exe
Token: SeDebugPrivilege	456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	456	WMIC.exe
Token: SeRemoteShutdownPrivilege	456	WMIC.exe
Token: SeUndockPrivilege	456	WMIC.exe
Token: SeManageVolumePrivilege	456	WMIC.exe
Token: 33	456	WMIC.exe
Token: 34	456	WMIC.exe
Token: 35	456	WMIC.exe
Token: 36	456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	456	WMIC.exe
Token: SeSecurityPrivilege	456	WMIC.exe
Token: SeTakeOwnershipPrivilege	456	WMIC.exe
Token: SeLoadDriverPrivilege	456	WMIC.exe
Token: SeSystemProfilePrivilege	456	WMIC.exe
Token: SeSystemtimePrivilege	456	WMIC.exe
Token: SeProfSingleProcessPrivilege	456	WMIC.exe
Token: SeIncBasePriorityPrivilege	456	WMIC.exe
Token: SeCreatePagefilePrivilege	456	WMIC.exe
Token: SeBackupPrivilege	456	WMIC.exe
Token: SeRestorePrivilege	456	WMIC.exe
Token: SeShutdownPrivilege	456	WMIC.exe
Token: SeDebugPrivilege	456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	456	WMIC.exe
Token: SeRemoteShutdownPrivilege	456	WMIC.exe
Token: SeUndockPrivilege	456	WMIC.exe
Token: SeManageVolumePrivilege	456	WMIC.exe
Token: 33	456	WMIC.exe
Token: 34	456	WMIC.exe
Token: 35	456	WMIC.exe
Token: 36	456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5116	WMIC.exe
Token: SeSecurityPrivilege	5116	WMIC.exe
Token: SeTakeOwnershipPrivilege	5116	WMIC.exe
Token: SeLoadDriverPrivilege	5116	WMIC.exe
Token: SeSystemProfilePrivilege	5116	WMIC.exe
Token: SeSystemtimePrivilege	5116	WMIC.exe
Token: SeProfSingleProcessPrivilege	5116	WMIC.exe
Token: SeIncBasePriorityPrivilege	5116	WMIC.exe
Token: SeCreatePagefilePrivilege	5116	WMIC.exe
Token: SeBackupPrivilege	5116	WMIC.exe
Token: SeRestorePrivilege	5116	WMIC.exe
Token: SeShutdownPrivilege	5116	WMIC.exe
Token: SeDebugPrivilege	5116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5116	WMIC.exe
Token: SeRemoteShutdownPrivilege	5116	WMIC.exe
Token: SeUndockPrivilege	5116	WMIC.exe
Token: SeManageVolumePrivilege	5116	WMIC.exe
Token: 33	5116	WMIC.exe
Token: 34	5116	WMIC.exe
Token: 35	5116	WMIC.exe
Token: 36	5116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5116	WMIC.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 2080	4132	officeactivator.exe	84
PID 4132 wrote to memory of 2080	4132	officeactivator.exe	84
PID 4132 wrote to memory of 1900	4132	officeactivator.exe	86
PID 4132 wrote to memory of 1900	4132	officeactivator.exe	86
PID 2080 wrote to memory of 456	2080	cmd.exe	88
PID 2080 wrote to memory of 456	2080	cmd.exe	88
PID 4132 wrote to memory of 3312	4132	officeactivator.exe	89
PID 4132 wrote to memory of 3312	4132	officeactivator.exe	89
PID 3312 wrote to memory of 3644	3312	cmd.exe	92
PID 3312 wrote to memory of 3644	3312	cmd.exe	92
PID 3312 wrote to memory of 3644	3312	cmd.exe	92
PID 4132 wrote to memory of 3272	4132	officeactivator.exe	93
PID 4132 wrote to memory of 3272	4132	officeactivator.exe	93
PID 3272 wrote to memory of 5116	3272	cmd.exe	95
PID 3272 wrote to memory of 5116	3272	cmd.exe	95
PID 4132 wrote to memory of 2532	4132	officeactivator.exe	104
PID 4132 wrote to memory of 2532	4132	officeactivator.exe	104
PID 4132 wrote to memory of 2532	4132	officeactivator.exe	104
PID 4132 wrote to memory of 4212	4132	officeactivator.exe	109
PID 4132 wrote to memory of 4212	4132	officeactivator.exe	109
PID 4132 wrote to memory of 4212	4132	officeactivator.exe	109
PID 4132 wrote to memory of 3428	4132	officeactivator.exe	111
PID 4132 wrote to memory of 3428	4132	officeactivator.exe	111
PID 4132 wrote to memory of 3428	4132	officeactivator.exe	111
PID 4132 wrote to memory of 1600	4132	officeactivator.exe	113
PID 4132 wrote to memory of 1600	4132	officeactivator.exe	113
PID 4132 wrote to memory of 1600	4132	officeactivator.exe	113
PID 4132 wrote to memory of 2636	4132	officeactivator.exe	116
PID 4132 wrote to memory of 2636	4132	officeactivator.exe	116
PID 4132 wrote to memory of 2636	4132	officeactivator.exe	116
PID 4132 wrote to memory of 4208	4132	officeactivator.exe	118
PID 4132 wrote to memory of 4208	4132	officeactivator.exe	118
PID 4132 wrote to memory of 4208	4132	officeactivator.exe	118

C:\Users\Admin\AppData\Local\Temp\officeactivator.exe
"C:\Users\Admin\AppData\Local\Temp\officeactivator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\officeactivator.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\officeactivator.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:456
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\files\files.dat
    files.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:3644
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over9966934\v32.cab') }"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
- C:\Windows\SysWOW64\expand.exe
  "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over9966934
  2⤵
  - Drops file in Windows directory
  PID:4212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over9966934\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over4020084\v32.cab') }"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Windows\SysWOW64\expand.exe
  "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over4020084
  2⤵
  - Drops file in Windows directory
  PID:2636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over4020084\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d58443e6755f09ea4693611dde399ba4

SHA1
640f40e61ca74ece05d65895ddaabe4532b412a1

SHA256
602d3b2178241fe914790dc0dd943bd98a3806ebd6fa3c0a433318c653a2c2c6

SHA512
0abd264f30e528e69d24390994c50be565a165dbcb46b7e503ace4d9011d1808c9cd984825587404eb4429adc0068bb93f5fe81feadb1f0635ee1f54f3e72064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
bcd2f7da4393f4656bd9da717f4d11bd

SHA1
e36abef3452217eb0d3e484730239433c6fc316b

SHA256
42fced28e006155056071cf1ddf61ff496f050bcb1b69d7d6c03e278dce24107

SHA512
cf62d0aa79390ea5f423bd537ba690f61923400356e461ea266294c8021dca0c1df1796ba514d6070b4613b1219bc61da3a1c6ac45b5fb9d5cc8708ced001ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
108905a7ec2ed1a58f0c2b8ddc94492e

SHA1
b93d66f33bfe1b91eeee88a9ca7ec4f030e1ece3

SHA256
8c68e0a8ffd60d1ee922b0a08adc8838bdd7b546e5c74e1e462b3d0bead951e6

SHA512
262caad74f093f5520368b4d31b473c5290b62f7727e115f4cc8200d90a89c55f6b1ca3430c7a19daf28d13e443d40213320a6fe99400e4d24a8575122541301

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ictxulmp.ti1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
765KB

MD5
bb5569b15d68c10b7ff2d96b45825120

SHA1
d6d2ed450aae4552f550f59bffe3dd42d8377835

SHA256
4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e

SHA512
640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

Download Submit
C:\Users\Admin\AppData\Local\Temp\over9966934\VersionDescriptor.xml

Filesize
12KB

MD5
0683e991aa4c85756dcd7976353a69f6

SHA1
0a6cfd8cee180fef48573d9397613ed1011c5de9

SHA256
273422775a5e7e7b293dca576c28aa4668423b030fbf3978ac6d7327a5622ba0

SHA512
4821ee5bb57ec87b5bd3901e37f7330785196be424309e5888705c19b42e61e095a3b30221dfc8d8d67e2a1829da9be1b78ca4fbc1c9e0390559d4ee9b7f5c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\over9966934\v32.cab

Filesize
10KB

MD5
1b70f9a025f172d8233b042481811329

SHA1
21adea9cb88b80b2d10d6c8b0ec6854e4f37b732

SHA256
f7a7c4e9b329e1cecaa515bd58b332f71a537d74a82cf9edc5277248d2b4a5e3

SHA512
b219ced87dd73bdeb09f4116eca0570f20f9809e2c068bd5c0cecefecbc99544afc44cdc0794755829037ad98df691bbe10ebd50dcaeed9f2ccc5dab26b446be

Download Submit
C:\Users\Admin\AppData\Local\Temp\over9966934\v32.txt

Filesize
12KB

MD5
68f361b7590a97c5af78f12081ad0fea

SHA1
770826c0b3c2f318c84f4494b3ec11ed29b305b2

SHA256
3e578124ae84dd719d4916c4e82cf1c1fbfaa0966376e3a89ed715b426c772fd

SHA512
1fd7a79597617aa2ead885bfa9f54fcf40abd51770192cb59c47cde47a95629304a0e71b0dd9b2c81e9e98e1c025be19a4740b233ac3a40241d4c85824db6c30

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
169KB

MD5
15206fd1eb7042187f11cb555bcd84df

SHA1
339afb81b5135ab98b1621840211a0adcf934114

SHA256
2662c3ce65774cda2551e0a1df09eb47ffe720af68628dd1e61826bec2fa9a24

SHA512
4923b2ecd5e524eca82aecdc6ff5c5396191db689ce3e6519d2d794918c175f967e58c7f038a3650d2794cf2f804879af5a009ff8602bbfbbe770b3bdcda6e2c

Download Submit
memory/1600-85-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/2532-34-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/2532-49-0x0000000006690000-0x00000000066AA000-memory.dmp

Filesize
104KB

Download
memory/2532-48-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/2532-47-0x00000000061B0000-0x00000000061FC000-memory.dmp

Filesize
304KB

Download
memory/2532-46-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/2532-45-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-35-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/2532-33-0x00000000050D0000-0x00000000050F2000-memory.dmp

Filesize
136KB

Download
memory/2532-32-0x00000000052F0000-0x0000000005918000-memory.dmp

Filesize
6.2MB

Download
memory/2532-31-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

Filesize
216KB

Download
memory/3428-71-0x00000000074E0000-0x0000000007A84000-memory.dmp

Filesize
5.6MB

Download
memory/3428-69-0x0000000006E90000-0x0000000006F26000-memory.dmp

Filesize
600KB

Download
memory/3428-70-0x0000000006150000-0x0000000006172000-memory.dmp

Filesize
136KB

Download
memory/4132-112-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-109-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-110-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-111-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-0-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-113-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-114-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-115-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-116-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-119-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-121-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download
memory/4132-122-0x0000000000400000-0x0000000002334000-memory.dmp

Filesize
31.2MB

Download