ff1b3eaa6c3da3cbf72c6cb7f3a1389ce5434ef3d4ab829213cafd21cde729da

Analysis

max time kernel
142s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

132.0MB
MD5

b57a40c63cc54575c4d332f15a547546
SHA1

b82b61b7e36a5a6f8b6a22f2a878f9eda5fb4c01
SHA256

2ccb11f136637815cbe5d99610c1d57e13ee11bcbf183f8a37f0065c64903d2a
SHA512

a67d64f7eb13362bcd82a74a3fb4ee35b0afc237f90005f01090ba58dd4408ef087322f77e13f6bc90323ad1854d14db7805302461da1f7996dd3a2d80e9f6e6
SSDEEP

1572864:o4sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCVw:9l/BkVVPBDgmPKa5Wnu3X7

Score

7^/10

execution

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4112	Launcher.exe
4112	Launcher.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ipinfo.io
27	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1188	powershell.exe
2260	powershell.exe
4904	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Launcher.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4024	Launcher.exe
4024	Launcher.exe
2260	powershell.exe
4904	powershell.exe
1188	powershell.exe
4904	powershell.exe
4904	powershell.exe
2260	powershell.exe
2260	powershell.exe
1188	powershell.exe
1188	powershell.exe
3024	Launcher.exe
3024	Launcher.exe
3024	Launcher.exe
3024	Launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4112	Launcher.exe
Token: SeCreatePagefilePrivilege	4112	Launcher.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeShutdownPrivilege	4112	Launcher.exe
Token: SeCreatePagefilePrivilege	4112	Launcher.exe
Token: SeShutdownPrivilege	4112	Launcher.exe
Token: SeCreatePagefilePrivilege	4112	Launcher.exe
Token: SeShutdownPrivilege	4112	Launcher.exe
Token: SeCreatePagefilePrivilege	4112	Launcher.exe
Token: SeShutdownPrivilege	4112	Launcher.exe
Token: SeCreatePagefilePrivilege	4112	Launcher.exe
Token: SeShutdownPrivilege	4112	Launcher.exe
Token: SeCreatePagefilePrivilege	4112	Launcher.exe
Token: SeIncreaseQuotaPrivilege	4904	powershell.exe
Token: SeSecurityPrivilege	4904	powershell.exe
Token: SeTakeOwnershipPrivilege	4904	powershell.exe
Token: SeLoadDriverPrivilege	4904	powershell.exe
Token: SeSystemProfilePrivilege	4904	powershell.exe
Token: SeSystemtimePrivilege	4904	powershell.exe
Token: SeProfSingleProcessPrivilege	4904	powershell.exe
Token: SeIncBasePriorityPrivilege	4904	powershell.exe
Token: SeCreatePagefilePrivilege	4904	powershell.exe
Token: SeBackupPrivilege	4904	powershell.exe
Token: SeRestorePrivilege	4904	powershell.exe
Token: SeShutdownPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeSystemEnvironmentPrivilege	4904	powershell.exe
Token: SeRemoteShutdownPrivilege	4904	powershell.exe
Token: SeUndockPrivilege	4904	powershell.exe
Token: SeManageVolumePrivilege	4904	powershell.exe
Token: 33	4904	powershell.exe
Token: 34	4904	powershell.exe
Token: 35	4904	powershell.exe
Token: 36	4904	powershell.exe
Token: SeIncreaseQuotaPrivilege	2260	powershell.exe
Token: SeSecurityPrivilege	2260	powershell.exe
Token: SeTakeOwnershipPrivilege	2260	powershell.exe
Token: SeLoadDriverPrivilege	2260	powershell.exe
Token: SeSystemProfilePrivilege	2260	powershell.exe
Token: SeSystemtimePrivilege	2260	powershell.exe
Token: SeProfSingleProcessPrivilege	2260	powershell.exe
Token: SeIncBasePriorityPrivilege	2260	powershell.exe
Token: SeCreatePagefilePrivilege	2260	powershell.exe
Token: SeBackupPrivilege	2260	powershell.exe
Token: SeRestorePrivilege	2260	powershell.exe
Token: SeShutdownPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeSystemEnvironmentPrivilege	2260	powershell.exe
Token: SeRemoteShutdownPrivilege	2260	powershell.exe
Token: SeUndockPrivilege	2260	powershell.exe
Token: SeManageVolumePrivilege	2260	powershell.exe
Token: 33	2260	powershell.exe
Token: 34	2260	powershell.exe
Token: 35	2260	powershell.exe
Token: 36	2260	powershell.exe
Token: SeShutdownPrivilege	4112	Launcher.exe
Token: SeCreatePagefilePrivilege	4112	Launcher.exe
Token: SeShutdownPrivilege	4112	Launcher.exe
Token: SeCreatePagefilePrivilege	4112	Launcher.exe
Token: SeShutdownPrivilege	4112	Launcher.exe
Token: SeCreatePagefilePrivilege	4112	Launcher.exe
Token: SeShutdownPrivilege	4112	Launcher.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 1892	4112	Launcher.exe	87
PID 4112 wrote to memory of 1892	4112	Launcher.exe	87
PID 4112 wrote to memory of 1892	4112	Launcher.exe	87
PID 1892 wrote to memory of 1876	1892	cmd.exe	89
PID 1892 wrote to memory of 1876	1892	cmd.exe	89
PID 1892 wrote to memory of 1876	1892	cmd.exe	89
PID 4112 wrote to memory of 1468	4112	Launcher.exe	90
PID 4112 wrote to memory of 1468	4112	Launcher.exe	90
PID 4112 wrote to memory of 1468	4112	Launcher.exe	90
PID 4112 wrote to memory of 4904	4112	Launcher.exe	92
PID 4112 wrote to memory of 4904	4112	Launcher.exe	92
PID 4112 wrote to memory of 4904	4112	Launcher.exe	92
PID 4112 wrote to memory of 2260	4112	Launcher.exe	93
PID 4112 wrote to memory of 2260	4112	Launcher.exe	93
PID 4112 wrote to memory of 2260	4112	Launcher.exe	93
PID 4112 wrote to memory of 1188	4112	Launcher.exe	95
PID 4112 wrote to memory of 1188	4112	Launcher.exe	95
PID 4112 wrote to memory of 1188	4112	Launcher.exe	95
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 2248	4112	Launcher.exe	98
PID 4112 wrote to memory of 4024	4112	Launcher.exe	99
PID 4112 wrote to memory of 4024	4112	Launcher.exe	99
PID 4112 wrote to memory of 4024	4112	Launcher.exe	99
PID 4112 wrote to memory of 1384	4112	Launcher.exe	103
PID 4112 wrote to memory of 1384	4112	Launcher.exe	103
PID 4112 wrote to memory of 1384	4112	Launcher.exe	103
PID 1384 wrote to memory of 364	1384	cmd.exe	105
PID 1384 wrote to memory of 364	1384	cmd.exe	105
PID 1384 wrote to memory of 364	1384	cmd.exe	105
PID 4112 wrote to memory of 3024	4112	Launcher.exe	116
PID 4112 wrote to memory of 3024	4112	Launcher.exe	116
PID 4112 wrote to memory of 3024	4112	Launcher.exe	116

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\chcp.com
    chcp
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:1468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 --field-trial-handle=2024,i,9451698548482609215,2873635699132414685,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --mojo-platform-channel-handle=2240 --field-trial-handle=2024,i,9451698548482609215,2873635699132414685,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:364
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3032 --field-trial-handle=2024,i,9451698548482609215,2873635699132414685,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
4279e6347a341c54e5e9bcc5ccf0b55e

SHA1
54e8b5376f11426145c70cb07a47da6c7c536bfe

SHA256
1d6fb68d1b317f18ae1f506adebddc735260a7d79fc25cbe5208a66baf9611fb

SHA512
ebfa6e9a7ae45305d929c0ec75fcf2d368fa786427e533859b537b4c1a3d609f9eff313977e6c3a33acf4d06906149fdc8f3bf684d36be9c5f669867e6b722c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
28dc319d8ecc734bb569df03ce48623f

SHA1
49c69e31bcc52a569b5e5a00c40fd611c75bccaa

SHA256
b651a619848da87fc0f52218d57728856da0d4c0fc4f217170498723d2a0f7e6

SHA512
3603e6b468e13eba17e88daa40868cb0dc2608d2e5dcdce5033bc0a7cfabb4b7f5b1b7354e6ebefaf4b31758f95d1b5be071d9245780b0fd30db425fc55f3776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
176B

MD5
aa6bd109c0f77c04b25118af13c5f06a

SHA1
0676a9e8d3ce97b224d7f0871e975996447e1d6c

SHA256
def9a662fd93324f622d0b954dd1b40aa29262c27ae3d1fdd473aeaaa91068e5

SHA512
d276e6a1f1aa88ab908cc8ce3c953e3ffaa5546b36a540cb48b298b6984ddde75b8baf9df9f341010ae833dcf1ab08e1eb36238a79a4d4d63563e4df3725de73

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ffe68c7-afb2-429d-af0b-7d33361674a2.tmp.node

Filesize
95KB

MD5
5d764128ece6612a3569a382e28e8679

SHA1
644a9b556c63740ba6ebae07646aa417dd2354e8

SHA256
4fecf002838f2c0d179fdbc1b3dad7868a5ff3c14ce2a2a70c18c5e35ed4eb74

SHA512
944b7e5e8846875998aa9672fbe6789a541853e5ea1c7d8a63c1839c0f814003da2ea40d18e90169046f6ff929d36084af5fe0dc357341c77b6dc97b3568785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\55c46558-d543-4492-be10-3098789ddd28.tmp.node

Filesize
1.5MB

MD5
61afcbf8b2fba5628c4c1c0640db4073

SHA1
7eac20d5c51c8b2b1fc49d61543f88e6935b14e9

SHA256
1ca727a3bc5e068f73ad7f427c555828fc90dc3eb022f9a0153635c2d30fb814

SHA512
d8e164c426cb556aae7e08449931cbb507363de185540aaa23f78c0457a413c4978aebb615185eda447ee39da46f361ff8499eadb95b020762d5f10904cd611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajkqnnjt.1cv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1188-69-0x0000000007260000-0x00000000072F2000-memory.dmp

Filesize
584KB

Download
memory/1188-67-0x0000000007D80000-0x0000000008324000-memory.dmp

Filesize
5.6MB

Download
memory/1188-49-0x0000000007000000-0x0000000007076000-memory.dmp

Filesize
472KB

Download
memory/1188-48-0x0000000006100000-0x0000000006144000-memory.dmp

Filesize
272KB

Download
memory/2260-47-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/2260-46-0x0000000005B70000-0x0000000005B8E000-memory.dmp

Filesize
120KB

Download
memory/2260-18-0x0000000005550000-0x00000000058A4000-memory.dmp

Filesize
3.3MB

Download
memory/2260-80-0x0000000007210000-0x000000000721A000-memory.dmp

Filesize
40KB

Download
memory/2260-51-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

Filesize
104KB

Download
memory/2260-55-0x00000000070B0000-0x00000000070E2000-memory.dmp

Filesize
200KB

Download
memory/2260-56-0x000000006CC60000-0x000000006CCAC000-memory.dmp

Filesize
304KB

Download
memory/2260-66-0x00000000070F0000-0x000000000710E000-memory.dmp

Filesize
120KB

Download
memory/2260-87-0x000000006D3F0000-0x000000006D744000-memory.dmp

Filesize
3.3MB

Download
memory/2260-68-0x0000000007110000-0x00000000071B3000-memory.dmp

Filesize
652KB

Download
memory/3024-98-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/3024-100-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/3024-104-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/3024-105-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/3024-106-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/3024-107-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/3024-108-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/3024-109-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/3024-110-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/3024-99-0x000000000F130000-0x000000000F131000-memory.dmp

Filesize
4KB

Download
memory/4904-86-0x000000006D3F0000-0x000000006D744000-memory.dmp

Filesize
3.3MB

Download
memory/4904-13-0x0000000002B30000-0x0000000002B66000-memory.dmp

Filesize
216KB

Download
memory/4904-14-0x00000000053A0000-0x00000000059C8000-memory.dmp

Filesize
6.2MB

Download
memory/4904-15-0x0000000005160000-0x0000000005182000-memory.dmp

Filesize
136KB

Download
memory/4904-16-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download
memory/4904-17-0x0000000005270000-0x00000000052D6000-memory.dmp

Filesize
408KB

Download
memory/4904-70-0x000000006CC60000-0x000000006CCAC000-memory.dmp

Filesize
304KB

Download
memory/4904-85-0x0000000007850000-0x0000000007874000-memory.dmp

Filesize
144KB

Download
memory/4904-84-0x0000000007820000-0x000000000784A000-memory.dmp

Filesize
168KB

Download
memory/4904-50-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download