1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6

Analysis

max time kernel
151s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe
Size

2.3MB
MD5

a01a8da429429d02b6ebbdc6260f2b33
SHA1

02d0f2ff2813d4abebf43ac0929026b477578a04
SHA256

1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6
SHA512

7dc8d3258fcaa16f867fd653a7bf63a42d0125c0121b7e2eacbf2df8d7cb5d22cf4783e46aaddcee30738b9cf630185cff1813b3cd7fb66cd13bf00a5e385484
SSDEEP

49152:pNaF7+Nh5F27BZ+02kt134vl7RiMHu2wa3YGID6r:

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3600	svchost..exe
1336	svchost.exe
3540	svchost..exe
1640	suchost..exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	svchost..exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	svchost..exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe	svchost..exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe	svchost..exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost._backup.exe	vbc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RCX3076.tmp	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
1640	suchost..exe
3540	svchost..exe
3540	svchost..exe
1640	suchost..exe
3540	svchost..exe
1640	suchost..exe
1640	suchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
3540	svchost..exe
1640	suchost..exe
3540	svchost..exe
1640	suchost..exe
3540	svchost..exe
1640	suchost..exe
3540	svchost..exe
1640	suchost..exe
3540	svchost..exe
1640	suchost..exe
1640	suchost..exe
3540	svchost..exe
1640	suchost..exe
3540	svchost..exe
1640	suchost..exe
3540	svchost..exe
1640	suchost..exe
3540	svchost..exe
1640	suchost..exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	svchost..exe
Token: SeDebugPrivilege	1640	suchost..exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 3600	1760	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	81
PID 1760 wrote to memory of 3600	1760	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	81
PID 1760 wrote to memory of 3600	1760	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	81
PID 1760 wrote to memory of 1336	1760	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	82
PID 1760 wrote to memory of 1336	1760	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	82
PID 1760 wrote to memory of 1336	1760	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	82
PID 1336 wrote to memory of 204	1336	svchost.exe	86
PID 1336 wrote to memory of 204	1336	svchost.exe	86
PID 1336 wrote to memory of 204	1336	svchost.exe	86
PID 3600 wrote to memory of 3540	3600	svchost..exe	87
PID 3600 wrote to memory of 3540	3600	svchost..exe	87
PID 3600 wrote to memory of 3540	3600	svchost..exe	87
PID 204 wrote to memory of 2636	204	vbc.exe	88
PID 204 wrote to memory of 2636	204	vbc.exe	88
PID 204 wrote to memory of 2636	204	vbc.exe	88
PID 1336 wrote to memory of 3700	1336	svchost.exe	89
PID 1336 wrote to memory of 3700	1336	svchost.exe	89
PID 1336 wrote to memory of 3700	1336	svchost.exe	89
PID 3700 wrote to memory of 1184	3700	vbc.exe	91
PID 3700 wrote to memory of 1184	3700	vbc.exe	91
PID 3700 wrote to memory of 1184	3700	vbc.exe	91
PID 3540 wrote to memory of 1640	3540	svchost..exe	92
PID 3540 wrote to memory of 1640	3540	svchost..exe	92
PID 3540 wrote to memory of 1640	3540	svchost..exe	92

C:\Users\Admin\AppData\Local\Temp\1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe
"C:\Users\Admin\AppData\Local\Temp\1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\svchost..exe
  "C:\Users\Admin\AppData\Local\Temp\svchost..exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Users\Admin\Documents\suchost..exe
      "C:\Users\Admin\Documents\suchost..exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1640
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gu6zkryl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:204
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29A12014F6B9468A92AD72F37634887E.TMP"
      4⤵
      PID:2636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ypzw7qg2.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EE0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc787DBF3E85AF4DF5BBC91B7F4BF3F6F6.TMP"
      4⤵
      PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSNPSharp.dll

Filesize
832KB

MD5
6065f66bf5cc088e7344f13f5a63cfa4

SHA1
d23abadbe3a2fe5b102a2f889d30ae2a8da44baf

SHA256
cae1b97f3bb7e41d6f56d28b77bd36ce418f3b52503351e36d8486cfe1d509a4

SHA512
f2a555107e305975b2caa47726cfe9cf0aea3814380a7467e1eef9e89ef0d9ffbd4e36b70d6f839cdba8827aa4f7e61852c01e87f5f7c5840985217dc96acf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2CEC.tmp

Filesize
1KB

MD5
d861bbd95eb12d5793fdd5e8595cbc95

SHA1
61281a09f71386090e4f21d1f4cf042dabd789cb

SHA256
0cc53d7fe7ed6731e7a8298cde471216226abd8541b00e673327b4a120730353

SHA512
aad68bc2bea8506c4793e679947d9a23ea60410dec3a5eefd2b3f4f5bd64d936c3a336b2f5c8aa25d45480b303647dddf4fdc0a80206531ba9abb224d8b816af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2EE0.tmp

Filesize
1KB

MD5
ca84c0774cfac73057ff00c0e99e8f1e

SHA1
7ebb8fdfdb8f7b3a973c55fe68b809829e99d40f

SHA256
eb7239034068b9df443716811b27befb3f72cc82b1e544e0f072c6f7489f7616

SHA512
b10b8c10369c1da3f446f0ba8eedad69f0420f13e2b29a92a28692fb284857dfbbf7ec2ada8a5c741cd276e5ba81161c1d70d64882c39726c9020ffed5b7f91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\U80zbC.resources

Filesize
837KB

MD5
0dd6ee68b5d1c95fe57f69fd71e62cf4

SHA1
9e28eac57f6e5e5a4390a1b84af4534c81ce6f09

SHA256
a5d54306c43a066d7779550e96d8a57687ee9911e97ca540cdca6af724d1e13a

SHA512
ed4cecd95cff9d6821d709628d88c1b860de8274e479803a0025dbefb5b710f9f27a9976a11c838a4f4a2351bd59e04f3ab5c2987e5fc1014b7a52a228cd73ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\gu6zkryl.0.vb

Filesize
106KB

MD5
e7e8fb1a54aebcc363d2b203c9a86f19

SHA1
56c50bc611526fe86f89cf2e1200e33879990c79

SHA256
36e70ec31d21dbb630023069e6efa74645e82481ba9fc8a770654710398bd5c0

SHA512
8de62110ecf92d325bc903312ad14cde8eeef35b4d30693e3fe98444452d6880d143e79ebdd1a92eba47751ee84f67d027b52848b40aa83e8d4b95210e053731

Download Submit
C:\Users\Admin\AppData\Local\Temp\gu6zkryl.cmdline

Filesize
379B

MD5
95b7447cec287001e4ae2f89e8955cea

SHA1
48a90c8d7670085a6fe58cdced666f6c72b1b3c6

SHA256
630a217b29e087ac76e1720df9c21e343405bdbed13934f971a3fb27566f68d2

SHA512
6a1e32604e88cb824756425e183af99e18c204482854cb44be5373466e9f872484deb3c7c2454f4737ca7c85973385afcef8e1a4d93cee1e3b1379024de19124

Download Submit
C:\Users\Admin\AppData\Local\Temp\gu6zkryl.exe

Filesize
916KB

MD5
55e382d29f51e662bbedfe0bdb7eb662

SHA1
23e2020eaee7aeb278359bc847a2b2eead589cc2

SHA256
3167ee48dfc7bca4caa51757674c6023fb89d578862799d41618025c4c1919b0

SHA512
f2ce5e4cd76107d1a1cf4f69bf5fa7d75972fcdaa27301fff1b742aee25ab04d1388d024ed29cdb2aee6d5764ac1341fa1f479cc3e1eff53ab313f29cd3db915

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.resources

Filesize
2.3MB

MD5
077abaec87632eda25a73ee600105fa4

SHA1
5ae5b9614343e2fa9be1fea3c8a64bd21c347913

SHA256
d77eb0c78ea838e593761fd0bd2ff41d65ae8a5696bd541c672fe6d06cc00210

SHA512
1f6ac53b9db824cce1d30293e2761de996713cfe4eb2c63ece4d130c337eaa1ebf689f3d332d35cea4a45a4e6a1c1514d6a5a9e5f1b7c424baaf9c1e518aab69

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.2MB

MD5
835d009faa18e1f3a3b40ab09b26b615

SHA1
8ab0e5842ea99cd5204cdf277f0720fc6dd73c5b

SHA256
4e01af55f2cb3fd6e792e040a697624ee55261a1ca81859d1e3d0e1284834160

SHA512
941a8a687d2e9d6c07e99d7d3c2667dc5dda1ca49bbe8d288fa4dc1595cc5bd78ccb51a4e1c20b8b7e6dc0e1ab42d7c79fe883a44b3be1c0ed7bc030a029d651

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.2MB

MD5
835d009faa18e1f3a3b40ab09b26b615

SHA1
8ab0e5842ea99cd5204cdf277f0720fc6dd73c5b

SHA256
4e01af55f2cb3fd6e792e040a697624ee55261a1ca81859d1e3d0e1284834160

SHA512
941a8a687d2e9d6c07e99d7d3c2667dc5dda1ca49bbe8d288fa4dc1595cc5bd78ccb51a4e1c20b8b7e6dc0e1ab42d7c79fe883a44b3be1c0ed7bc030a029d651

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc29A12014F6B9468A92AD72F37634887E.TMP

Filesize
652B

MD5
0ff150359137f740bd251482b96fadc7

SHA1
607804c20d93757d87012d364b64c3c63413f704

SHA256
39b869c1f23f4425e64ed88797fac5f0115cd3ca4d602061fb7613b116cd5818

SHA512
e78117da436de7c296104313273593cf56f25880226a5c0922b9d344c20142a2c4bb1a7b42f660ea79685f588f2213fbce39d307fd4f5ec8b1688826b5e952f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc787DBF3E85AF4DF5BBC91B7F4BF3F6F6.TMP

Filesize
992B

MD5
8cc1aee5defe7f01e077689077ba7fec

SHA1
b0f1c2b5da1b53b708f654710a1839887b7bf665

SHA256
ed38a033bca30b7b257f06cc24acc21199d3af88c408805ab6f07ce6c9f066bc

SHA512
56e56874ae3019c9b00c68b9ee7a8da7aad0b6af8a3acc7a6cac6be4d172c05461ff0e86968d2075cedfa0507e9bd7ac2ab7833f440ee15823c82fe43698eb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypzw7qg2.0.vb

Filesize
42KB

MD5
258f929ee9c9b4d67aa2a70c723b7879

SHA1
fa1c7c1c3ffafe05306f0f17c2e91fb480cf0e69

SHA256
28d9c769be0f9826d170554ef3f4486994cfa81344314ed672048272539041ab

SHA512
0f2318c40d284092232debc34f0e96fa897e56bd2758aef07baec000e505aee35b227e15a6c9d101a89d168a82d320013bcd2332a3ba01ad78fbbeadd12afdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypzw7qg2.cmdline

Filesize
268B

MD5
ab3c3739b3c749b0c94938e095f7d2bf

SHA1
9d84df2027372bfb9abbdc48a884d3e59e13bd71

SHA256
0e04300f2f1ac84f2c99fdad0fdb239502d0f495807131392320469751d21c85

SHA512
7a820768cab7b74d6fe012904722298cba0932bd7a200004ec384c219e94c1a0d7a2b46c12818d951e98a52c7996ce7e468997ce8e567aa89974909d0a8a5155

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost._backup.exe

Filesize
2.3MB

MD5
bf6116c79ad4c83f42f57a5429779814

SHA1
1cfc0d61652aad03b60ea080a322cfb6d7bad122

SHA256
70f5c288e209870c8fdc59604983f4861393394ad9a0a37a050615ef5050d1cc

SHA512
abfdf659570a5a629a17d497a9e2229168862fb5df75342a5b0319d729df7bace9fedcd1d6dc27ccaba3df209c8f97882f1701980d3e201eeac90a89d6f80e32

Download Submit
C:\Users\Admin\Documents\suchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\Documents\suchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
memory/1336-139-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/1336-166-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/1640-165-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/1640-168-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/3540-154-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/3540-167-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/3600-161-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/3600-138-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download