trickbot | 0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/12/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe
Size

368KB
MD5

46b6312d182ac953c201c1b6bf1bacf6
SHA1

6edcdb9d801e1ef4d6f096360f872d58b3bfb339
SHA256

0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb
SHA512

f6240ca84c7632f00ffbe4de08ece155d238f4a9ef7fa7cdec1699afba18fe937c756072504243bdd5a66450a2f789cbb2082d0cd6f461cf555fdae4a671aa3a
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qf:emSuOcHmnYhrDMTrban4qf

Score

10^/10

trickbot banker discovery evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2640-1-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32
behavioral1/memory/2640-6-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32
behavioral1/memory/2672-10-0x00000000000D0000-0x00000000000F9000-memory.dmp	trickbot_loader32
behavioral1/memory/2672-20-0x00000000000D0000-0x00000000000F9000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
2328	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe

Loads dropped DLL 1 IoCs

pid	Process
2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
3048	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2708	sc.exe
2716	sc.exe
3052	sc.exe
2964	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe
2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe
2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe
2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
2860	powershell.exe
3048	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeTcbPrivilege	2328	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2656	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	30
PID 2640 wrote to memory of 2656	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	30
PID 2640 wrote to memory of 2656	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	30
PID 2640 wrote to memory of 2656	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	30
PID 2640 wrote to memory of 2688	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	31
PID 2640 wrote to memory of 2688	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	31
PID 2640 wrote to memory of 2688	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	31
PID 2640 wrote to memory of 2688	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	31
PID 2640 wrote to memory of 2832	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	33
PID 2640 wrote to memory of 2832	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	33
PID 2640 wrote to memory of 2832	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	33
PID 2640 wrote to memory of 2832	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	33
PID 2640 wrote to memory of 2672	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	36
PID 2640 wrote to memory of 2672	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	36
PID 2640 wrote to memory of 2672	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	36
PID 2640 wrote to memory of 2672	2640	0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe	36
PID 2832 wrote to memory of 2860	2832	cmd.exe	39
PID 2832 wrote to memory of 2860	2832	cmd.exe	39
PID 2832 wrote to memory of 2860	2832	cmd.exe	39
PID 2832 wrote to memory of 2860	2832	cmd.exe	39
PID 2688 wrote to memory of 2964	2688	cmd.exe	37
PID 2688 wrote to memory of 2964	2688	cmd.exe	37
PID 2688 wrote to memory of 2964	2688	cmd.exe	37
PID 2656 wrote to memory of 2708	2656	cmd.exe	38
PID 2688 wrote to memory of 2964	2688	cmd.exe	37
PID 2656 wrote to memory of 2708	2656	cmd.exe	38
PID 2656 wrote to memory of 2708	2656	cmd.exe	38
PID 2656 wrote to memory of 2708	2656	cmd.exe	38
PID 2672 wrote to memory of 2648	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	40
PID 2672 wrote to memory of 2648	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	40
PID 2672 wrote to memory of 2648	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	40
PID 2672 wrote to memory of 2648	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	40
PID 2672 wrote to memory of 2568	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	41
PID 2672 wrote to memory of 2568	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	41
PID 2672 wrote to memory of 2568	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	41
PID 2672 wrote to memory of 2568	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	41
PID 2672 wrote to memory of 2060	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	42
PID 2672 wrote to memory of 2060	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	42
PID 2672 wrote to memory of 2060	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	42
PID 2672 wrote to memory of 2060	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	42
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2672 wrote to memory of 2848	2672	0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe	45
PID 2568 wrote to memory of 2716	2568	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe
"C:\Users\Admin\AppData\Local\Temp\0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- C:\Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
  C:\Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3048
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2848

C:\Windows\system32\taskeng.exe
taskeng.exe {5078C905-F000-4E5D-8781-B6F62ED5D775} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2020
- C:\Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
  C:\Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3551809350-4263495960-1443967649-1000\0f5007522459c86e95ffcc62f32308f1_5a410d66-f84f-4a6b-9b29-3982febe58d9

Filesize
1KB

MD5
27c2f4bc8d8506c56c5ff117e24b6db3

SHA1
b1c5b1ac1b722b5b397720dcbf795a8a5cae70c6

SHA256
c7b5acfc2022dff91c6a15148d2fd4f0c208413f8284fee8c000f5b7d75525fd

SHA512
02758ab8eb6a80ae354c8c29177348f33bab12540859ae529118e2e7c6cb8d6cd6f89972c9f3238cdeb05b0b2acb5e326ac99f065d7cf3862ad9a2b98bba006a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
64c681bd73344f5a0f9b09eb32d92d8c

SHA1
d142e234b4620b417ab4a8bbe1a7ab71aa4601b0

SHA256
8d4a487c51b4de006f150acbeee5066d715b28b39165f54ae03afc4a73306f27

SHA512
392cde4d3c7cb5e757ded483dc3288f1b89406a5a8a2a99ef29c542fb762fb1fc331c268d37cc06f50d0eacf84b87c452ede2b050845c000922faec27aeba0ee

Download Submit
\Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe

Filesize
368KB

MD5
46b6312d182ac953c201c1b6bf1bacf6

SHA1
6edcdb9d801e1ef4d6f096360f872d58b3bfb339

SHA256
0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb

SHA512
f6240ca84c7632f00ffbe4de08ece155d238f4a9ef7fa7cdec1699afba18fe937c756072504243bdd5a66450a2f789cbb2082d0cd6f461cf555fdae4a671aa3a

Download Submit
memory/2640-1-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/2640-6-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/2672-10-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/2672-20-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/2672-12-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2672-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2848-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download