9a48fc78ecd173b8a61b1104b1da2ab8d9d44c1f2fc96b00370abae3221b0127

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe
Size

27.6MB
MD5

d7d1fa33325a6e19694456fff690d50b
SHA1

35e9c4fdda414a33de57c70d666d88ae87cc622a
SHA256

9a48fc78ecd173b8a61b1104b1da2ab8d9d44c1f2fc96b00370abae3221b0127
SHA512

f9373e9bc52696275426aa84c1ccb2aa345c114cc22e0c74fad4fcf458e16853c4b89940845fc7313f180ebecf1ff578f1fbce1c087825c25a10e2b7c4e11a0d
SSDEEP

393216:u9bQVj4y/KKWTJRmSQh2AYrjq/6yq0B4qUWBUQn9o2f03kND5/wPP8Mz:u9bk/9IESQhge/6F0BWW2QnGki8Mz

Score

10^/10

discovery evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2652	iToolsAVMTask.exe
1924	letsvpn-latest.exe

Loads dropped DLL 10 IoCs

pid	Process
2652	iToolsAVMTask.exe
2652	iToolsAVMTask.exe
2652	iToolsAVMTask.exe
2652	iToolsAVMTask.exe
2652	iToolsAVMTask.exe
2652	iToolsAVMTask.exe
2652	iToolsAVMTask.exe
1924	letsvpn-latest.exe
1924	letsvpn-latest.exe
1924	letsvpn-latest.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iToolsAVMTask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpn-latest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
480	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2104	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1924	letsvpn-latest.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	1648	mmc.exe
Token: SeIncBasePriorityPrivilege	1648	mmc.exe
Token: 33	1648	mmc.exe
Token: SeIncBasePriorityPrivilege	1648	mmc.exe
Token: SeDebugPrivilege	2104	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2748	mmc.exe
2748	mmc.exe
2652	iToolsAVMTask.exe
1648	mmc.exe
1648	mmc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2972	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	31
PID 2316 wrote to memory of 2972	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	31
PID 2316 wrote to memory of 2972	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	31
PID 2972 wrote to memory of 480	2972	cmd.exe	33
PID 2972 wrote to memory of 480	2972	cmd.exe	33
PID 2972 wrote to memory of 480	2972	cmd.exe	33
PID 2316 wrote to memory of 1932	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	34
PID 2316 wrote to memory of 1932	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	34
PID 2316 wrote to memory of 1932	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	34
PID 2316 wrote to memory of 2804	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	36
PID 2316 wrote to memory of 2804	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	36
PID 2316 wrote to memory of 2804	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	36
PID 2804 wrote to memory of 2780	2804	cmd.exe	38
PID 2804 wrote to memory of 2780	2804	cmd.exe	38
PID 2804 wrote to memory of 2780	2804	cmd.exe	38
PID 2804 wrote to memory of 2716	2804	cmd.exe	39
PID 2804 wrote to memory of 2716	2804	cmd.exe	39
PID 2804 wrote to memory of 2716	2804	cmd.exe	39
PID 2804 wrote to memory of 2700	2804	cmd.exe	40
PID 2804 wrote to memory of 2700	2804	cmd.exe	40
PID 2804 wrote to memory of 2700	2804	cmd.exe	40
PID 2316 wrote to memory of 2936	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	41
PID 2316 wrote to memory of 2936	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	41
PID 2316 wrote to memory of 2936	2316	2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe	41
PID 2748 wrote to memory of 2652	2748	mmc.exe	44
PID 2748 wrote to memory of 2652	2748	mmc.exe	44
PID 2748 wrote to memory of 2652	2748	mmc.exe	44
PID 2748 wrote to memory of 2652	2748	mmc.exe	44
PID 1648 wrote to memory of 1924	1648	mmc.exe	46
PID 1648 wrote to memory of 1924	1648	mmc.exe	46
PID 1648 wrote to memory of 1924	1648	mmc.exe	46
PID 1648 wrote to memory of 1924	1648	mmc.exe	46
PID 1924 wrote to memory of 2104	1924	letsvpn-latest.exe	47
PID 1924 wrote to memory of 2104	1924	letsvpn-latest.exe	47
PID 1924 wrote to memory of 2104	1924	letsvpn-latest.exe	47
PID 1924 wrote to memory of 2104	1924	letsvpn-latest.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-28_d7d1fa33325a6e19694456fff690d50b_cobalt-strike_hijackloader_ryuk.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:480
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" -f C:\ProgramData\b956u.xml
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\2ADt8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2780
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2716
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\WqF5L\NWR5b~16\s+C:\ProgramData\WqF5L\NWR5b~16\a C:\ProgramData\WqF5L\NWR5b~16\TSLib.dll
  2⤵
  PID:2936

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\ProgramData\WqF5L\NWR5b~16\iToolsAVMTask.exe
  "C:\ProgramData\WqF5L\NWR5b~16\iToolsAVMTask.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2652

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\ProgramData\letsvpn-latest.exe
  "C:\ProgramData\letsvpn-latest.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WqF5L\NWR5b~16\MSVCP120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\MSVCR120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\SK.txt

Filesize
204KB

MD5
58db5aa08fc3e68c05c41c58c09ee1a0

SHA1
443317c7ab51bed50bbaa90ab9c43d7d0a371b5d

SHA256
7e14d04ff4edf6e6f062184cdd41d7b1d8964be8117fa5c8d3f00c03ad6c8eac

SHA512
017dde32345e0518991198a047d3dc01caf5e3fae9730b8e69e80b0033a0f62c5abd5cb339c9b3130c0012caca2d14fd67067621fe621b8b31b24a90c4196902

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\SkinSharp.dll

Filesize
231KB

MD5
4a5177de87d2ddb2e37fb334e1dd7364

SHA1
fa7eb1581767cea7e6e0a91ea8453b2ec3907bce

SHA256
50b27360888f2e25f5105acc7ff756a981de01af3b6d0376b9b40d565f67d3b2

SHA512
46639342202800fdb3c7730e77a842ba564e132370eb62734173cc7b1db3a7a1528b74ac179fa021b9df03a0354def3a7867a4b46d570e6522906dcd4706f3bf

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\TSLib.dll

Filesize
353KB

MD5
93fffe6278513969f1763c74771af352

SHA1
a9cba645ce1c10534b5ddbfd24846084fad3298b

SHA256
3a042c0f373e48523760be41a0eebe51410a598641777c7ae4295b4f2e0cc185

SHA512
d682e5da2d6223d01b25d6bb6464e16f8ef6e7460f5aac16501ea3c9ac9263fc2848dbb0ecccc4a8edf7a84ab886e753dd7b17cc48911ddd7735ba556eb6afc1

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\UICore.dll

Filesize
643KB

MD5
de97956ca645f2ff3af8abb2ddee8525

SHA1
cac8bf1452795fc5d79c581a2f432735876037ef

SHA256
283b86e04c42ad51de61af556163aeca222ebc3430433f37f11e70c035cbdadd

SHA512
3d639c68cdb15e8d3a7a114790ae60a19378a7dfb0e56a0af95fccfec9b561eeee9b2345fbf48b8f3864fee56e1ec7786bde4545125561c0f03624006144718a

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\VMCore.dll

Filesize
515KB

MD5
3f2e14def6a0937dad09c7dcdde028f9

SHA1
16c9c6ad2337f24905e55b38e41134e9a7a248e6

SHA256
55fc51e1ab6226b725f9aa8d9703514280b9405d37d507085fdb9d0fa2aecfec

SHA512
1b81ce19b34e60af9236c45192fcea88b15753461c4cb88451981a2476254e5c711b3fc1382856286299e10d7ecf84b85e8d1c0213dda3755860924f598262b5

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\ZLib.dll

Filesize
109KB

MD5
cf418dbccbfec6df4ca9de57d3d09e00

SHA1
1316b2eabb4dd172657585b229de08fb5e067799

SHA256
b6901aee4202968a57bfef4ec599c35d2f6ffca3584b2835b7234c49e4b01e40

SHA512
02c46b69f08d7acc9a4364cf827f113a2e970335c959c9cb6b6863ca9c935a748ac61fd1e3dbbb423a30dffb7c08f420ed6fff31ad376b32b00063e9241cee86

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\a

Filesize
176KB

MD5
99a4d2a919eeb78ce2428096a19d8be7

SHA1
d069b49171dba3fe560c2b9dd782132831f6b4f2

SHA256
7c7edb12d33c2483dbbd7ef7bc0184ffd5ce077b70686ce82a15e7b93283a6ca

SHA512
d049a7532cf05235e3fdaf13344f1bbb2b9b0f96e4270a7096fa8b5863a1c67191768c9d0055d488417abbd3e34e1b1c79a4a0618a21392066d5b81cd8a71a11

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\iToolsAVMTask.exe

Filesize
446KB

MD5
e4d5dd31c405c19c69180d4e2206bab5

SHA1
1f01c589d383f361b4bb442476592f03ce10d173

SHA256
b78c80aad5b20278e54b64f74dc8f98ab573d48b133d1a9178c53e57d8e5258f

SHA512
35f46c8d33fa761e91169138f38beec5e51d735b23e4ca3894e7b0daf4c687a7f22029a2c8b80d1c46cefd5c2e7697f74646eedb8aa3161efc4fd142485562ff

Download Submit
C:\ProgramData\WqF5L\NWR5b~16\s

Filesize
176KB

MD5
9a10d11cbc41b8b24403e07a2c6d70ab

SHA1
29b0c3727dc69b9b865d1eb5f08d1345fb528e18

SHA256
c708b225c8d8eea884e3af3a46e14b498f05b9994da31d42f1208aa2b38c1a18

SHA512
859ef3648c5d73b04703e6e43783e9967253f78ef6239e88fe098fe869602f8a3b4aa70a0f45f1e48aa4811a17ed3f559849d5cd7e4dcdb1ba34dd398b2ff21f

Download Submit
C:\ProgramData\letsvpn-latest.exe

Filesize
14.5MB

MD5
94f6bd702b7a2e17c45d16eaf7da0d64

SHA1
45f8c05851bcf16416e087253ce962b320e9db8a

SHA256
07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776

SHA512
7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d

Download Submit
C:\Users\Admin\AppData\Roaming\2ADt8.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7FD.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7FD.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7FD.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
memory/2316-1-0x0000000180000000-0x00000001801F0000-memory.dmp

Filesize
1.9MB

Download
memory/2316-3-0x0000000180000000-0x00000001801F0000-memory.dmp

Filesize
1.9MB

Download
memory/2316-45-0x0000000180000000-0x00000001801F0000-memory.dmp

Filesize
1.9MB

Download
memory/2316-23-0x0000000180000000-0x00000001801F0000-memory.dmp

Filesize
1.9MB

Download
memory/2316-4-0x0000000180000000-0x00000001801F0000-memory.dmp

Filesize
1.9MB

Download
memory/2316-2-0x0000000180000000-0x00000001801F0000-memory.dmp

Filesize
1.9MB

Download
memory/2652-41-0x00000000005A0000-0x0000000000609000-memory.dmp

Filesize
420KB

Download