ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cf

Analysis

max time kernel
34s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
Size

1.0MB
MD5

9d768567d44193f17d840bcb4e4fa340
SHA1

c9ec0494e9d5e8baf2eee2fa4edb82b6de314486
SHA256

ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cf
SHA512

7368c3273678f6b48eff356cc369152d688011770cb98faecca9a8e3c9eeecdf403393b1ea2e776296609febd01cdc9d99515c0544dd186176a791930ad403a0
SSDEEP

24576:W/GRzatThRiVNbLGJv6plFh9iGa2oMYMgdsHG:F8TjFJspDLoVMgdk

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2444	@AE195A.tmp.exe
2844	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
2732	WdExt.exe
2916	module_launcher.exe
2080	kb50145.exe
2768	injector_s.exe

Loads dropped DLL 13 IoCs

pid	Process
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2444	@AE195A.tmp.exe
2348	cmd.exe
2348	cmd.exe
2732	WdExt.exe
2120	cmd.exe
2120	cmd.exe
2948	cmd.exe
2948	cmd.exe
2080	kb50145.exe
2080	kb50145.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Admin\\module_launcher.exe\""	module_launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@AE195A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WdExt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	module_launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kb50145.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	injector_s.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2444	@AE195A.tmp.exe
2732	WdExt.exe
2916	module_launcher.exe
2916	module_launcher.exe
2916	module_launcher.exe
2916	module_launcher.exe
2916	module_launcher.exe
2916	module_launcher.exe
2768	injector_s.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	injector_s.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2956	1288	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe	29
PID 1288 wrote to memory of 2956	1288	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe	29
PID 1288 wrote to memory of 2956	1288	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe	29
PID 1288 wrote to memory of 2956	1288	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe	29
PID 1288 wrote to memory of 2956	1288	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe	29
PID 1288 wrote to memory of 2956	1288	ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe	29
PID 2956 wrote to memory of 2444	2956	explorer.exe	30
PID 2956 wrote to memory of 2444	2956	explorer.exe	30
PID 2956 wrote to memory of 2444	2956	explorer.exe	30
PID 2956 wrote to memory of 2444	2956	explorer.exe	30
PID 2956 wrote to memory of 2844	2956	explorer.exe	31
PID 2956 wrote to memory of 2844	2956	explorer.exe	31
PID 2956 wrote to memory of 2844	2956	explorer.exe	31
PID 2956 wrote to memory of 2844	2956	explorer.exe	31
PID 2956 wrote to memory of 2844	2956	explorer.exe	31
PID 2956 wrote to memory of 2844	2956	explorer.exe	31
PID 2956 wrote to memory of 2844	2956	explorer.exe	31
PID 2444 wrote to memory of 2348	2444	@AE195A.tmp.exe	33
PID 2444 wrote to memory of 2348	2444	@AE195A.tmp.exe	33
PID 2444 wrote to memory of 2348	2444	@AE195A.tmp.exe	33
PID 2444 wrote to memory of 2348	2444	@AE195A.tmp.exe	33
PID 2444 wrote to memory of 1832	2444	@AE195A.tmp.exe	34
PID 2444 wrote to memory of 1832	2444	@AE195A.tmp.exe	34
PID 2444 wrote to memory of 1832	2444	@AE195A.tmp.exe	34
PID 2444 wrote to memory of 1832	2444	@AE195A.tmp.exe	34
PID 2348 wrote to memory of 2732	2348	cmd.exe	37
PID 2348 wrote to memory of 2732	2348	cmd.exe	37
PID 2348 wrote to memory of 2732	2348	cmd.exe	37
PID 2348 wrote to memory of 2732	2348	cmd.exe	37
PID 2732 wrote to memory of 2120	2732	WdExt.exe	38
PID 2732 wrote to memory of 2120	2732	WdExt.exe	38
PID 2732 wrote to memory of 2120	2732	WdExt.exe	38
PID 2732 wrote to memory of 2120	2732	WdExt.exe	38
PID 2120 wrote to memory of 2916	2120	cmd.exe	40
PID 2120 wrote to memory of 2916	2120	cmd.exe	40
PID 2120 wrote to memory of 2916	2120	cmd.exe	40
PID 2120 wrote to memory of 2916	2120	cmd.exe	40
PID 2120 wrote to memory of 2916	2120	cmd.exe	40
PID 2120 wrote to memory of 2916	2120	cmd.exe	40
PID 2120 wrote to memory of 2916	2120	cmd.exe	40
PID 2916 wrote to memory of 2948	2916	module_launcher.exe	41
PID 2916 wrote to memory of 2948	2916	module_launcher.exe	41
PID 2916 wrote to memory of 2948	2916	module_launcher.exe	41
PID 2916 wrote to memory of 2948	2916	module_launcher.exe	41
PID 2916 wrote to memory of 2948	2916	module_launcher.exe	41
PID 2916 wrote to memory of 2948	2916	module_launcher.exe	41
PID 2916 wrote to memory of 2948	2916	module_launcher.exe	41
PID 2948 wrote to memory of 2080	2948	cmd.exe	43
PID 2948 wrote to memory of 2080	2948	cmd.exe	43
PID 2948 wrote to memory of 2080	2948	cmd.exe	43
PID 2948 wrote to memory of 2080	2948	cmd.exe	43
PID 2948 wrote to memory of 2080	2948	cmd.exe	43
PID 2948 wrote to memory of 2080	2948	cmd.exe	43
PID 2948 wrote to memory of 2080	2948	cmd.exe	43
PID 2080 wrote to memory of 2768	2080	kb50145.exe	44
PID 2080 wrote to memory of 2768	2080	kb50145.exe	44
PID 2080 wrote to memory of 2768	2080	kb50145.exe	44
PID 2080 wrote to memory of 2768	2080	kb50145.exe	44
PID 2080 wrote to memory of 2768	2080	kb50145.exe	44
PID 2080 wrote to memory of 2768	2080	kb50145.exe	44
PID 2080 wrote to memory of 2768	2080	kb50145.exe	44
PID 2080 wrote to memory of 2708	2080	kb50145.exe	45
PID 2080 wrote to memory of 2708	2080	kb50145.exe	45
PID 2080 wrote to memory of 2708	2080	kb50145.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
  "C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\@AE195A.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\@AE195A.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 2732
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\injector_s.exe
        
        "C:\Users\Admin\AppData\Roaming\injector_s.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
      "C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x464
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Se1C49.tmp

Filesize
896B

MD5
be49ee9d1b6da594241ce3b7432c5d64

SHA1
d81e68b9bf84258af2e6b5595c4f5c8d53b9c901

SHA256
db66d62796ae12bf459e514f27bb1a0d416d804365f44e8ec53dd760e3f7b8b8

SHA512
0c15d8d86e0dfccbcecd50b3dd5906f8f5b7c52511128d01be82b394ccb08ed85a486a101bbb5d992a688d1e62f21fda712daef1bf3a5ecba9aad152e47562f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0x.bat

Filesize
44B

MD5
804bb96081db73d249b1d21573d8ea59

SHA1
abf76e8d0702ce245bb7afbb513cdcc8bac6ab35

SHA256
b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5

SHA512
d037dea300ffe466ab83c2a1c2c9a55693c36b546dbbcfa0a7a1ef477a3ea5c33f9831d71389466cf4c74192b417bf9ed0b7e0ad88d927f1ca997fcba254414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe

Filesize
100KB

MD5
d93f66f49305dd28437838e8648951a6

SHA1
3e8b01b7f8651ae1729c2e96e1c6060e384b1b42

SHA256
f921b620a25de7032177c6a62e0b8221d732040e44565d16ffb75948f312be3d

SHA512
6336521bf2bd6a109199607fa730bd8108afef39e88543f5105bb756951a785d21d4dc603a3b97bb65f2e381c7bb19695da1464da6904f97e0b5954186fbce24

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

Filesize
953KB

MD5
d504771daaf92f65166bdc29b3a1eb1f

SHA1
6732533bd8dba38577af39e9b8c146e24ba829c7

SHA256
67bf7f03364b9eb375b0d4ae4e1463ad71f1f8bb427370b45a00d18e3da6d135

SHA512
6ba86eec301b1d42767fe26b0aedb15eb97c84b2b6536fb608cd74f1e26d90a67d2aec19ca3e35aa4a9ba0a52b1340b4a4643eda8a1c4c7e4963069c99bc2e22

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
105B

MD5
902a1098f800859502aec4eac3026495

SHA1
a6b209e9aa15087670e830af5de8179b31abc897

SHA256
ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd

SHA512
cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
122B

MD5
2af20963c408073d72b7fc80f689e8f1

SHA1
3652994c0e5b8b24ac9cbf244ea3eb6dafb21d20

SHA256
219e678efb6753e7176e75e4431d79ee3e2da91ddca6892175c9c60377554850

SHA512
e2baef4933805406775c6111d6be0cfdd67d6de6524e077c9d58b42a5028906419b2a9486511d1603f7efc9f14cb53ffe524940105b01ae5125b32b0d0eb41d9

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
342de0107064036f3a420dad5e52c83f

SHA1
4eaf02046293ab8d8cd6cc776e56ae10c6b2afba

SHA256
1a8879e00fc987d1e234bb55dd6cd36d3adace2cd7ca93e8bbd3894ce2033788

SHA512
f344963a81411be2f782d255cf6504f70dd54ab698b35e16fbe9439778eedee2711ec5efc8bb743995b9e0fa77b66fdca1d9ba1b236b99536e6898b0be1976db

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
107B

MD5
85eb3280f9675f88d00040cbea92277f

SHA1
2fece0a30b2153b4a9fee72fe5a637dee1967a2f

SHA256
bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b

SHA512
2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
684c111c78f8bf6fcb5575d400e7669c

SHA1
d587894c0beffdff00ae6d358a5463ef18bcb485

SHA256
080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

SHA512
bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

Download Submit
\Users\Admin\AppData\Local\Temp\@AE195A.tmp.exe

Filesize
951KB

MD5
543a33df795c7264f370205682d88621

SHA1
4c187681f762b377611cc16027f766ff88227bdd

SHA256
0b5edd769c5c81392a96295a72bd635c1c5df5854726b35813bcf136793605e9

SHA512
8956a4a8f2169aa8c90c297341599c8b2b5afdbef77d272ad1cdffecc1ab84bed0ba617a3561e6e6b5c6ccfcb9f4da205e7e937e4bb81b8bda1a057b24f29ef6

Download Submit
\Users\Admin\AppData\Roaming\Admin\kb50145.exe

Filesize
76KB

MD5
8bf335774fbb62bbe1de03921dfe047a

SHA1
24fc750a20aebb52f23e84264d201f458106d95d

SHA256
048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7

SHA512
aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea

Download Submit
\Users\Admin\AppData\Roaming\Admin\module_launcher.exe

Filesize
172KB

MD5
6ff3155e619e2c601db536c88741e094

SHA1
c71bfc0a9b11db33c801035e06d31a03e2901dd0

SHA256
b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1

SHA512
8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
\Users\Admin\AppData\Roaming\injector_s.exe

Filesize
188KB

MD5
1d1491e1759c1e39bf99a5df90311db3

SHA1
8bd6faed091bb00f879ef379715461130493e97f

SHA256
22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778

SHA512
ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e

Download Submit
memory/1376-364-0x00000000029C0000-0x00000000029CD000-memory.dmp

Filesize
52KB

Download
memory/2444-17-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2916-331-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download