cryptbot | 9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10

Analysis

max time kernel
144s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-03-2023 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90189f8dffe3cbfbb1dc181647b2219b.exe
Size

2.3MB
MD5

90189f8dffe3cbfbb1dc181647b2219b
SHA1

118060f3ce88ccf0b7d9d1777b5e93948d4b15fd
SHA256

9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10
SHA512

c0f469355304226bf0d3ecb84f877d10da0d35695011d3d1cd7bb3a7d2330ee92f6cdd9eea5d1c75c29a140f45f7a67f3b779db645c71b1272eb9c046d85f96a
SSDEEP

24576:SdyOaWSMdZo5NYyyVo6cc0WwZ/ct3mW2ny/v/LtGZsYjot0hq+BMGzHOMJWv+pA+:SdyO++HiqAMe/i/09y/6j

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

http://ivyhur32.top/gate.php

Attributes

payload_url
http://womheq04.top/favism.dat

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

favism.exeDpEditor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	favism.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

favism.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	favism.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	favism.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2036 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

favism.exeDpEditor.exe

pid process

1496 favism.exe
1668 DpEditor.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exefavism.exe

pid process

1624 cmd.exe
1496 favism.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2036	cmd.exe

pid	process
1496	favism.exe
1668	DpEditor.exe

pid	process
1624	cmd.exe
1496	favism.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe	themida
C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe	themida
C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe	themida
behavioral1/memory/1496-147-0x0000000000DB0000-0x00000000014FA000-memory.dmp	themida
behavioral1/memory/1496-148-0x0000000000DB0000-0x00000000014FA000-memory.dmp	themida
behavioral1/memory/1496-151-0x0000000000DB0000-0x00000000014FA000-memory.dmp	themida
behavioral1/memory/1496-152-0x0000000000DB0000-0x00000000014FA000-memory.dmp	themida
behavioral1/memory/1496-154-0x0000000000DB0000-0x00000000014FA000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1496-159-0x0000000000DB0000-0x00000000014FA000-memory.dmp	themida
behavioral1/memory/1668-161-0x0000000001150000-0x000000000189A000-memory.dmp	themida
behavioral1/memory/1668-162-0x0000000001150000-0x000000000189A000-memory.dmp	themida
behavioral1/memory/1668-163-0x0000000001150000-0x000000000189A000-memory.dmp	themida
behavioral1/memory/1668-164-0x0000000001150000-0x000000000189A000-memory.dmp	themida
behavioral1/memory/1668-165-0x0000000001150000-0x000000000189A000-memory.dmp	themida
behavioral1/memory/1668-166-0x0000000001150000-0x000000000189A000-memory.dmp	themida
behavioral1/memory/1668-167-0x0000000001150000-0x000000000189A000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

favism.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	favism.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

90189f8dffe3cbfbb1dc181647b2219b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	90189f8dffe3cbfbb1dc181647b2219b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	90189f8dffe3cbfbb1dc181647b2219b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

favism.exeDpEditor.exe

pid process

1496 favism.exe
1668 DpEditor.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

90189f8dffe3cbfbb1dc181647b2219b.exe

description pid process target process

PID 1520 set thread context of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1496	favism.exe
1668	DpEditor.exe

description	pid	process	target process
PID 1520 set thread context of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

90189f8dffe3cbfbb1dc181647b2219b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	90189f8dffe3cbfbb1dc181647b2219b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	90189f8dffe3cbfbb1dc181647b2219b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	90189f8dffe3cbfbb1dc181647b2219b.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1528 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1668 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

90189f8dffe3cbfbb1dc181647b2219b.exefavism.exeDpEditor.exe

pid process

2000 90189f8dffe3cbfbb1dc181647b2219b.exe
1496 favism.exe
1668 DpEditor.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

90189f8dffe3cbfbb1dc181647b2219b.exe

description pid process

Token: SeDebugPrivilege 1520 90189f8dffe3cbfbb1dc181647b2219b.exe

pid	process
1528	timeout.exe

pid	process
1668	DpEditor.exe

pid	process
2000	90189f8dffe3cbfbb1dc181647b2219b.exe
1496	favism.exe
1668	DpEditor.exe

description	pid	process
Token: SeDebugPrivilege	1520	90189f8dffe3cbfbb1dc181647b2219b.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

90189f8dffe3cbfbb1dc181647b2219b.exe90189f8dffe3cbfbb1dc181647b2219b.execmd.execmd.exefavism.exe

description	pid	process	target process
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 1520 wrote to memory of 2000	1520	90189f8dffe3cbfbb1dc181647b2219b.exe	90189f8dffe3cbfbb1dc181647b2219b.exe
PID 2000 wrote to memory of 1624	2000	90189f8dffe3cbfbb1dc181647b2219b.exe	cmd.exe
PID 2000 wrote to memory of 1624	2000	90189f8dffe3cbfbb1dc181647b2219b.exe	cmd.exe
PID 2000 wrote to memory of 1624	2000	90189f8dffe3cbfbb1dc181647b2219b.exe	cmd.exe
PID 2000 wrote to memory of 1624	2000	90189f8dffe3cbfbb1dc181647b2219b.exe	cmd.exe
PID 1624 wrote to memory of 1496	1624	cmd.exe	favism.exe
PID 1624 wrote to memory of 1496	1624	cmd.exe	favism.exe
PID 1624 wrote to memory of 1496	1624	cmd.exe	favism.exe
PID 1624 wrote to memory of 1496	1624	cmd.exe	favism.exe
PID 2000 wrote to memory of 2036	2000	90189f8dffe3cbfbb1dc181647b2219b.exe	cmd.exe
PID 2000 wrote to memory of 2036	2000	90189f8dffe3cbfbb1dc181647b2219b.exe	cmd.exe
PID 2000 wrote to memory of 2036	2000	90189f8dffe3cbfbb1dc181647b2219b.exe	cmd.exe
PID 2000 wrote to memory of 2036	2000	90189f8dffe3cbfbb1dc181647b2219b.exe	cmd.exe
PID 2036 wrote to memory of 1528	2036	cmd.exe	timeout.exe
PID 2036 wrote to memory of 1528	2036	cmd.exe	timeout.exe
PID 2036 wrote to memory of 1528	2036	cmd.exe	timeout.exe
PID 2036 wrote to memory of 1528	2036	cmd.exe	timeout.exe
PID 1496 wrote to memory of 1668	1496	favism.exe	DpEditor.exe
PID 1496 wrote to memory of 1668	1496	favism.exe	DpEditor.exe
PID 1496 wrote to memory of 1668	1496	favism.exe	DpEditor.exe
PID 1496 wrote to memory of 1668	1496	favism.exe	DpEditor.exe

C:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exe
"C:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exe
C:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exe
2⤵
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe
C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\timeout.exe
timeout -t 5
4⤵
- Delays execution with timeout.exe
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\242B.tmp
Filesize
32B

MD5
3b33d980229e76222b961d17fd5aa43d

SHA1
43a761a68478e66db8f1dbce4b7a56ff2ce4fd20

SHA256
bd6e8000665e82408208cdf1fcc74a925c13c5a6492c252ca0153ce19f4141d3

SHA512
8e4e22744ed0e62a86d2df15df709b1498beea7359b64ac086679ef0fbceacd94ab9fca452b1234bbef17a87f5c6200104e84b934b8ed4bad3b1d26c68b5729d

Download Submit
C:\Users\Admin\AppData\Local\Temp\24CB.tmp
Filesize
71KB

MD5
6a3c2fe239e67cd5804a699b9aa54b07

SHA1
018091f0c903173dec18cd10e0e00889f0717d67

SHA256
160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168

SHA512
aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

Download Submit
C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe
Filesize
2.8MB

MD5
c80174066854ead10f62934ae4329c1b

SHA1
58b216cc2ed0dacf6b7c6b76b2203697d1151dc7

SHA256
961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab

SHA512
100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7

Download Submit
C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe
Filesize
2.8MB

MD5
c80174066854ead10f62934ae4329c1b

SHA1
58b216cc2ed0dacf6b7c6b76b2203697d1151dc7

SHA256
961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab

SHA512
100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Filesize
2.8MB

MD5
c80174066854ead10f62934ae4329c1b

SHA1
58b216cc2ed0dacf6b7c6b76b2203697d1151dc7

SHA256
961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab

SHA512
100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7

Download Submit
\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe
Filesize
2.8MB

MD5
c80174066854ead10f62934ae4329c1b

SHA1
58b216cc2ed0dacf6b7c6b76b2203697d1151dc7

SHA256
961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab

SHA512
100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Filesize
2.8MB

MD5
c80174066854ead10f62934ae4329c1b

SHA1
58b216cc2ed0dacf6b7c6b76b2203697d1151dc7

SHA256
961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab

SHA512
100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7

Download Submit
memory/1496-147-0x0000000000DB0000-0x00000000014FA000-memory.dmp

Filesize
7.3MB

Download
memory/1496-159-0x0000000000DB0000-0x00000000014FA000-memory.dmp

Filesize
7.3MB

Download
memory/1496-154-0x0000000000DB0000-0x00000000014FA000-memory.dmp

Filesize
7.3MB

Download
memory/1496-152-0x0000000000DB0000-0x00000000014FA000-memory.dmp

Filesize
7.3MB

Download
memory/1496-151-0x0000000000DB0000-0x00000000014FA000-memory.dmp

Filesize
7.3MB

Download
memory/1496-148-0x0000000000DB0000-0x00000000014FA000-memory.dmp

Filesize
7.3MB

Download
memory/1520-55-0x0000000000950000-0x0000000000990000-memory.dmp

Filesize
256KB

Download
memory/1520-54-0x0000000000D80000-0x0000000000FDC000-memory.dmp

Filesize
2.4MB

Download
memory/1520-57-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/1520-56-0x00000000054D0000-0x0000000005686000-memory.dmp

Filesize
1.7MB

Download
memory/1624-149-0x0000000002120000-0x000000000286A000-memory.dmp

Filesize
7.3MB

Download
memory/1668-167-0x0000000001150000-0x000000000189A000-memory.dmp

Filesize
7.3MB

Download
memory/1668-166-0x0000000001150000-0x000000000189A000-memory.dmp

Filesize
7.3MB

Download
memory/1668-165-0x0000000001150000-0x000000000189A000-memory.dmp

Filesize
7.3MB

Download
memory/1668-164-0x0000000001150000-0x000000000189A000-memory.dmp

Filesize
7.3MB

Download
memory/1668-163-0x0000000001150000-0x000000000189A000-memory.dmp

Filesize
7.3MB

Download
memory/1668-162-0x0000000001150000-0x000000000189A000-memory.dmp

Filesize
7.3MB

Download
memory/1668-161-0x0000000001150000-0x000000000189A000-memory.dmp

Filesize
7.3MB

Download
memory/2000-64-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-63-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-153-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-61-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-62-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-69-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2000-66-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-68-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-58-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-59-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-60-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download