eternity | 378e73163cdc250496de7411f5a9bab810786e49b39a51e80c39f17139c5d7b2

Analysis

max time kernel
133s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-07-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tz_project.exe
Size

904KB
MD5

6b2f18cbf35253af423a68a266a8de77
SHA1

2e8cba91ca4d1cd619afa10c95b0abce8c4ffd61
SHA256

378e73163cdc250496de7411f5a9bab810786e49b39a51e80c39f17139c5d7b2
SHA512

3b98f0d4aba56abb844ac83e61a417712487b527243cd8a83fa0be95eae70f8fa054e0dda0e3ecfa99fed9b36ad1572c6a9f5cb122a69fe86987198ea46435ff
SSDEEP

12288:UTEYAsROAsrt/uxduo1jB0Y96q3hHENbBqAmViSSQJLFSTvyaWumDMxx4EN1SLvu:UwT7rC6qRHKbBhsD/yvSgN1CvXDa

Score

10^/10

eternity evasion stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2324-1-0x0000000000360000-0x000000000044A000-memory.dmp	disable_win_def

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2324-1-0x0000000000360000-0x000000000044A000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz_project.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz_project.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz_project.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
512	dcd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
4928	powershell.exe
4928	powershell.exe
4652	powershell.exe
4652	powershell.exe
1104	powershell.exe
1104	powershell.exe
2068	powershell.exe
2068	powershell.exe
4652	powershell.exe
2068	powershell.exe
4208	powershell.exe
2068	powershell.exe
4928	powershell.exe
1104	powershell.exe
5056	powershell.exe
5056	powershell.exe
4652	powershell.exe
1012	powershell.exe
1012	powershell.exe
3624	powershell.exe
3624	powershell.exe
4600	powershell.exe
4600	powershell.exe
3484	powershell.exe
3484	powershell.exe
1104	powershell.exe
1796	powershell.exe
1796	powershell.exe
4928	powershell.exe
2312	powershell.exe
2312	powershell.exe
5056	powershell.exe
1012	powershell.exe
3624	powershell.exe
4600	powershell.exe
2312	powershell.exe
3484	powershell.exe
1796	powershell.exe
5056	powershell.exe
2312	powershell.exe
3624	powershell.exe
4600	powershell.exe
1012	powershell.exe
3484	powershell.exe
1796	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	tz_project.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeIncreaseQuotaPrivilege	4516	powershell.exe
Token: SeSecurityPrivilege	4516	powershell.exe
Token: SeTakeOwnershipPrivilege	4516	powershell.exe
Token: SeLoadDriverPrivilege	4516	powershell.exe
Token: SeSystemProfilePrivilege	4516	powershell.exe
Token: SeSystemtimePrivilege	4516	powershell.exe
Token: SeProfSingleProcessPrivilege	4516	powershell.exe
Token: SeIncBasePriorityPrivilege	4516	powershell.exe
Token: SeCreatePagefilePrivilege	4516	powershell.exe
Token: SeBackupPrivilege	4516	powershell.exe
Token: SeRestorePrivilege	4516	powershell.exe
Token: SeShutdownPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeSystemEnvironmentPrivilege	4516	powershell.exe
Token: SeRemoteShutdownPrivilege	4516	powershell.exe
Token: SeUndockPrivilege	4516	powershell.exe
Token: SeManageVolumePrivilege	4516	powershell.exe
Token: 33	4516	powershell.exe
Token: 34	4516	powershell.exe
Token: 35	4516	powershell.exe
Token: 36	4516	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeIncreaseQuotaPrivilege	4208	powershell.exe
Token: SeSecurityPrivilege	4208	powershell.exe
Token: SeTakeOwnershipPrivilege	4208	powershell.exe
Token: SeLoadDriverPrivilege	4208	powershell.exe
Token: SeSystemProfilePrivilege	4208	powershell.exe
Token: SeSystemtimePrivilege	4208	powershell.exe
Token: SeProfSingleProcessPrivilege	4208	powershell.exe
Token: SeIncBasePriorityPrivilege	4208	powershell.exe
Token: SeCreatePagefilePrivilege	4208	powershell.exe
Token: SeBackupPrivilege	4208	powershell.exe
Token: SeRestorePrivilege	4208	powershell.exe
Token: SeShutdownPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeSystemEnvironmentPrivilege	4208	powershell.exe
Token: SeRemoteShutdownPrivilege	4208	powershell.exe
Token: SeUndockPrivilege	4208	powershell.exe
Token: SeManageVolumePrivilege	4208	powershell.exe
Token: 33	4208	powershell.exe
Token: 34	4208	powershell.exe
Token: 35	4208	powershell.exe
Token: 36	4208	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeIncreaseQuotaPrivilege	2068	powershell.exe
Token: SeSecurityPrivilege	2068	powershell.exe
Token: SeTakeOwnershipPrivilege	2068	powershell.exe
Token: SeLoadDriverPrivilege	2068	powershell.exe
Token: SeSystemProfilePrivilege	2068	powershell.exe
Token: SeSystemtimePrivilege	2068	powershell.exe
Token: SeProfSingleProcessPrivilege	2068	powershell.exe
Token: SeIncBasePriorityPrivilege	2068	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 512	2324	tz_project.exe	73
PID 2324 wrote to memory of 512	2324	tz_project.exe	73
PID 2324 wrote to memory of 512	2324	tz_project.exe	73
PID 2324 wrote to memory of 4516	2324	tz_project.exe	74
PID 2324 wrote to memory of 4516	2324	tz_project.exe	74
PID 2324 wrote to memory of 4208	2324	tz_project.exe	77
PID 2324 wrote to memory of 4208	2324	tz_project.exe	77
PID 2324 wrote to memory of 1104	2324	tz_project.exe	79
PID 2324 wrote to memory of 1104	2324	tz_project.exe	79
PID 2324 wrote to memory of 4600	2324	tz_project.exe	80
PID 2324 wrote to memory of 4600	2324	tz_project.exe	80
PID 2324 wrote to memory of 2068	2324	tz_project.exe	81
PID 2324 wrote to memory of 2068	2324	tz_project.exe	81
PID 2324 wrote to memory of 4928	2324	tz_project.exe	85
PID 2324 wrote to memory of 4928	2324	tz_project.exe	85
PID 2324 wrote to memory of 5056	2324	tz_project.exe	86
PID 2324 wrote to memory of 5056	2324	tz_project.exe	86
PID 2324 wrote to memory of 3624	2324	tz_project.exe	89
PID 2324 wrote to memory of 3624	2324	tz_project.exe	89
PID 2324 wrote to memory of 3484	2324	tz_project.exe	90
PID 2324 wrote to memory of 3484	2324	tz_project.exe	90
PID 2324 wrote to memory of 4652	2324	tz_project.exe	93
PID 2324 wrote to memory of 4652	2324	tz_project.exe	93
PID 2324 wrote to memory of 2312	2324	tz_project.exe	94
PID 2324 wrote to memory of 2312	2324	tz_project.exe	94
PID 2324 wrote to memory of 1012	2324	tz_project.exe	97
PID 2324 wrote to memory of 1012	2324	tz_project.exe	97
PID 2324 wrote to memory of 1796	2324	tz_project.exe	99
PID 2324 wrote to memory of 1796	2324	tz_project.exe	99

C:\Users\Admin\AppData\Local\Temp\tz_project.exe
"C:\Users\Admin\AppData\Local\Temp\tz_project.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e85b5d5e149efaf5fff9f038eb2b970

SHA1
0d70ae6de7867a6549ee2ac228007edcc9900137

SHA256
1b9364a39f05c95db5cfc308f941933b85bc493cc452be5c746973889cd83390

SHA512
444a36ff36a0cba9fffbf4530fda74727bd4cf39c6a6c2c69a9ad690b02ed787f90f10951c1bcf3ce7d7540896cc8d7e2a7fd77e8186bd29fba9e76212dcf05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d92f9b082e3bbc0e85bc0cc70d930d81

SHA1
60e58203ea3586d31f533e395fd08365e06afebf

SHA256
3f4bea4cf1ade54b3531baebd8ed8694b63a74f3a75af4369a1fd1e6f59c7acb

SHA512
5c3808b34f81d8a65f63be889e02e28a8566b099ad0c772cce776f66595cdecc11f717685fbcf32eb7ccc1859f26beaffb620bba0d4ef597f49f8c4a94acc9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
61e25ec1bdb82e7bf41dee1c6c8455bd

SHA1
72518ff6e6288a7afea3d80c76f1e4167793512d

SHA256
07f8712cec389b86db7b6a80d84dfc8de47e7b5cc8cb21caffa3be5aa68baf52

SHA512
ec274540552dad0a815cf84a5250b7e2f5a13af2a842545ee3dc7f92449967a1d353c2672037b683cf5d1ad297221cf55ed1817eae61059f46429c9652c3fffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d624921ab95b9b4bf73b722e8878c241

SHA1
15c6596895ea95707122be1818cd3532e06b7de6

SHA256
46ff055f8c73e6421e4c4af2dbd008e6b870cf75510b982c85be134252f3efd1

SHA512
32424f8569e6f96d851fb2d21877d974557e5b2d75748e70edfde352d182216b1e70157e2cc525a76028f978c58ad2389ebf7643a601bb27bc80eb16ee79d403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0925f8a84b77cc73b521e5a2bc78a6e

SHA1
7c34a5e64271360b6935ded11fc49f6c185090c5

SHA256
118746e67e09c0ec6840e75f1b5fcbbca236071c333d547829465e878438c00c

SHA512
d2c6e53066a0f9ab79b2513a0b35bb0250a665c118d2e5e3dffad3e0752c8dc15737f40eb6d8b9bf37fcd3b6f36f09e2946952d14bca359077c197cc05db1343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a69793291b5a50912b0fe91bf586d8f7

SHA1
fc781f6ad869ea0eacdead3a722526910957ebc7

SHA256
aa4d1da6396489d04e1d8d01235c5a9cf301b5db9cc6885009afbc170ca657bf

SHA512
ce0a84755c42197a8be89d61082f115d545d3c41194faecb3e640a773e7591ed6980d956f41b1f71db213fe7bc4ea8e29907746c5765cfecc5a169768e89b020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2270577f83edcb5d605cb79415a39977

SHA1
7a4ea0e831df1ed21fbcc9884432d0d20d1f40ca

SHA256
b2115b9d67cd42c8d39a4748eb71b1316b8da5a2aa5365ea1e6dd960573e2e55

SHA512
f05558cb252a788460bc5a4f8525bf22b0609043fb9e085e9fe76e77d98a26fd37b9655055ab51dc18716744a986a352c90b1ba78cb194059a139d1527306edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c086d35be331902bfc2d74e2d458723a

SHA1
b47394c8ddf9451cce08c02120279509eef0d367

SHA256
f86194400235e08a4236c088c824db8249cf27c17bc317b279145fdf1e08c3f1

SHA512
0eba97e0d70d04be305f1085728d9722919d9e1fd8e1a4c24718d1bfaa1be0fe7ad7b315eb87a604a5173f81f20115200ec31e7e672e2ef908db72dfbe22aac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iktvioni.zxo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
memory/2324-7-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-3-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-552-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-1-0x0000000000360000-0x000000000044A000-memory.dmp

Filesize
936KB

Download
memory/2324-2-0x0000000002540000-0x0000000002590000-memory.dmp

Filesize
320KB

Download
memory/2324-4-0x00000000024D0000-0x000000000250E000-memory.dmp

Filesize
248KB

Download
memory/2324-5-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-13-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-12-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-0-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp

Filesize
4KB

Download
memory/2324-6-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-60-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-18-0x000001C8E98A0000-0x000001C8E98C2000-memory.dmp

Filesize
136KB

Download
memory/4516-19-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-24-0x000001C8E9A50000-0x000001C8E9AC6000-memory.dmp

Filesize
472KB

Download
memory/4516-21-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-20-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

Filesize
9.9MB

Download