9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 18:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Size

342KB
MD5

8e20a07d18bf563615b7438c221b2230
SHA1

49933a8b92c158c6eeb051a5cac665a1ee1a886d
SHA256

9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30
SHA512

6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa
SSDEEP

6144:T6gJbaRkNJvY2k0bsRkcQRkfIwps+69yV9Goa0ixEHzBmcrBlVZU+uhXX7:5bm8qN0bFciRwf69GxiKTBvVZkhn7

Score

10^/10

aspackv2 persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b0000000122f3-66.dat	aspack_v212_v242

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Executes dropped EXE 2 IoCs

pid	Process
1288	fservice.exe
936	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1380-55-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral1/files/0x0008000000005c51-56.dat	upx
behavioral1/files/0x0008000000005c51-57.dat	upx
behavioral1/files/0x0008000000005c51-59.dat	upx
behavioral1/files/0x000a0000000122f3-62.dat	upx
behavioral1/files/0x0008000000005c51-61.dat	upx
behavioral1/files/0x0009000000012307-64.dat	upx
behavioral1/files/0x0009000000012307-71.dat	upx
behavioral1/memory/1288-75-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral1/memory/936-83-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral1/memory/1380-87-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral1/memory/936-90-0x0000000000400000-0x00000000005F9000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1580	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
936	services.exe
936	services.exe
1288	fservice.exe
1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
File opened for modification	C:\Windows\system\sservice.exe	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe
936	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
936	services.exe
936	services.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1288	1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	27
PID 1380 wrote to memory of 1288	1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	27
PID 1380 wrote to memory of 1288	1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	27
PID 1380 wrote to memory of 1288	1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	27
PID 1288 wrote to memory of 936	1288	fservice.exe	28
PID 1288 wrote to memory of 936	1288	fservice.exe	28
PID 1288 wrote to memory of 936	1288	fservice.exe	28
PID 1288 wrote to memory of 936	1288	fservice.exe	28
PID 936 wrote to memory of 1780	936	services.exe	29
PID 936 wrote to memory of 1780	936	services.exe	29
PID 936 wrote to memory of 1780	936	services.exe	29
PID 936 wrote to memory of 1780	936	services.exe	29
PID 936 wrote to memory of 1544	936	services.exe	30
PID 936 wrote to memory of 1544	936	services.exe	30
PID 936 wrote to memory of 1544	936	services.exe	30
PID 936 wrote to memory of 1544	936	services.exe	30
PID 936 wrote to memory of 1116	936	services.exe	32
PID 936 wrote to memory of 1116	936	services.exe	32
PID 936 wrote to memory of 1116	936	services.exe	32
PID 936 wrote to memory of 1116	936	services.exe	32
PID 1780 wrote to memory of 2028	1780	NET.exe	37
PID 1780 wrote to memory of 2028	1780	NET.exe	37
PID 1780 wrote to memory of 2028	1780	NET.exe	37
PID 1780 wrote to memory of 2028	1780	NET.exe	37
PID 1116 wrote to memory of 1728	1116	NET.exe	36
PID 1116 wrote to memory of 1728	1116	NET.exe	36
PID 1116 wrote to memory of 1728	1116	NET.exe	36
PID 1116 wrote to memory of 1728	1116	NET.exe	36
PID 1544 wrote to memory of 1452	1544	NET.exe	35
PID 1544 wrote to memory of 1452	1544	NET.exe	35
PID 1544 wrote to memory of 1452	1544	NET.exe	35
PID 1544 wrote to memory of 1452	1544	NET.exe	35
PID 1380 wrote to memory of 1580	1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	38
PID 1380 wrote to memory of 1580	1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	38
PID 1380 wrote to memory of 1580	1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	38
PID 1380 wrote to memory of 1580	1380	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	38

C:\Users\Admin\AppData\Local\Temp\9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
"C:\Users\Admin\AppData\Local\Temp\9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SharedAccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SharedAccess
        5⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP srservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        5⤵
        
        PID:1452
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe.bat
  2⤵
  - Deletes itself
  PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe.bat

Filesize
133B

MD5
d1272622af621c1061d811153c1dc969

SHA1
85eef0d1bf66fd31b332877c0796227c311af5dc

SHA256
10c6b61cbbf17f737e8a4358d8114b5f6128c0e361523a0f97e0ed4e8183e10b

SHA512
09132170769cb076f48fc6cd1353e56ed361e5a7f6575f24dc7a99876a41dd50799af7380a2f0f7f8f23db1d044d4b1319a22a2245bcf02598bf22f06579cf5f

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
20KB

MD5
904f3b552d0b762edb4520163d12d3cf

SHA1
5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a

SHA256
6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874

SHA512
14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4

Download Submit
C:\Windows\services.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
C:\Windows\services.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
C:\Windows\system\sservice.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
20KB

MD5
904f3b552d0b762edb4520163d12d3cf

SHA1
5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a

SHA256
6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874

SHA512
14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
20KB

MD5
904f3b552d0b762edb4520163d12d3cf

SHA1
5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a

SHA256
6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874

SHA512
14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
20KB

MD5
904f3b552d0b762edb4520163d12d3cf

SHA1
5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a

SHA256
6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874

SHA512
14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
16KB

MD5
d910659cca6a1650c10ff263c8a10fe7

SHA1
d38dbccb50b63430a51d8f6df2a6c4d23677cff0

SHA256
5b308dfdd00dadc887a56f90e05ebfa9963be0c463d524e2ddd8680cb810d2d8

SHA512
30c2e455478d270fc1800d251e36014f16c5e7dd9e67c1c1b0f5d4e6070fbd2875c6706efff710b83897704cefb10c7ce1b5c993548568c1f142e5b5c8d44df4

Download Submit
memory/936-90-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/936-84-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/936-83-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/936-85-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/1288-75-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/1288-76-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1380-88-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-55-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/1380-80-0x0000000002F80000-0x0000000003179000-memory.dmp

Filesize
2.0MB

Download
memory/1380-81-0x0000000002F80000-0x0000000003179000-memory.dmp

Filesize
2.0MB

Download
memory/1380-82-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1380-87-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download