c6106ddc8029c3572223d988965baa220e14dbbe120b078a4b5a7d0546f7eb36

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b607447d7329e4b4cf411321d39be60.exe
Size

1.7MB
MD5

2b607447d7329e4b4cf411321d39be60
SHA1

5e102f5055eb327d965e1ff542708f5c22993cb3
SHA256

c6106ddc8029c3572223d988965baa220e14dbbe120b078a4b5a7d0546f7eb36
SHA512

9640cd9eebcc85971c25a8617c73241ae37029509140bccae1ef6b9e1e74fe1e4ac0a3869c4448b7ad043ccc4b81be7060098627b0cfcadff6a6fbcef6f0e4a8
SSDEEP

24576:h7WsPkA8QsBPyoG0HBrC2zJSKD5YKPmg/ptFL2De60BtKF+ho3njkoo/LZSS9e:hrEQsBT1D5YKPp/j0jN

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	2b607447d7329e4b4cf411321d39be60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2b607447d7329e4b4cf411321d39be60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	2b607447d7329e4b4cf411321d39be60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	2b607447d7329e4b4cf411321d39be60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	2b607447d7329e4b4cf411321d39be60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	2b607447d7329e4b4cf411321d39be60.exe

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2836	fservice.exe
2708	services.exe

Loads dropped DLL 6 IoCs

pid	Process
2220	2b607447d7329e4b4cf411321d39be60.exe
2220	2b607447d7329e4b4cf411321d39be60.exe
2708	services.exe
2708	services.exe
2836	fservice.exe
2220	2b607447d7329e4b4cf411321d39be60.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/files/0x000c00000001225c-6.dat	upx
behavioral1/memory/2220-7-0x0000000003110000-0x000000000330F000-memory.dmp	upx
behavioral1/files/0x000c00000001225c-8.dat	upx
behavioral1/files/0x000c00000001225c-9.dat	upx
behavioral1/files/0x000c00000001225c-13.dat	upx
behavioral1/files/0x0008000000012281-20.dat	upx
behavioral1/memory/2836-18-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/files/0x000c00000001225c-16.dat	upx
behavioral1/files/0x002f000000015004-25.dat	upx
behavioral1/memory/2708-29-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/files/0x002f000000015004-35.dat	upx
behavioral1/memory/2220-47-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2836-39-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-50-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-51-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-52-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-54-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-55-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-56-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-58-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-59-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-61-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-62-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-63-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-64-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2708-65-0x0000000000400000-0x00000000005FF000-memory.dmp	upx

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	2b607447d7329e4b4cf411321d39be60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	2b607447d7329e4b4cf411321d39be60.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	2b607447d7329e4b4cf411321d39be60.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	2b607447d7329e4b4cf411321d39be60.exe
File opened for modification	C:\Windows\system\sservice.exe	2b607447d7329e4b4cf411321d39be60.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe
2708	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	services.exe
2708	services.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2836	2220	2b607447d7329e4b4cf411321d39be60.exe	28
PID 2220 wrote to memory of 2836	2220	2b607447d7329e4b4cf411321d39be60.exe	28
PID 2220 wrote to memory of 2836	2220	2b607447d7329e4b4cf411321d39be60.exe	28
PID 2220 wrote to memory of 2836	2220	2b607447d7329e4b4cf411321d39be60.exe	28
PID 2836 wrote to memory of 2708	2836	fservice.exe	29
PID 2836 wrote to memory of 2708	2836	fservice.exe	29
PID 2836 wrote to memory of 2708	2836	fservice.exe	29
PID 2836 wrote to memory of 2708	2836	fservice.exe	29
PID 2708 wrote to memory of 2756	2708	services.exe	30
PID 2708 wrote to memory of 2756	2708	services.exe	30
PID 2708 wrote to memory of 2756	2708	services.exe	30
PID 2708 wrote to memory of 2756	2708	services.exe	30
PID 2708 wrote to memory of 2760	2708	services.exe	32
PID 2708 wrote to memory of 2760	2708	services.exe	32
PID 2708 wrote to memory of 2760	2708	services.exe	32
PID 2708 wrote to memory of 2760	2708	services.exe	32
PID 2760 wrote to memory of 2876	2760	NET.exe	37
PID 2760 wrote to memory of 2876	2760	NET.exe	37
PID 2760 wrote to memory of 2876	2760	NET.exe	37
PID 2760 wrote to memory of 2876	2760	NET.exe	37
PID 2756 wrote to memory of 2588	2756	NET.exe	34
PID 2756 wrote to memory of 2588	2756	NET.exe	34
PID 2756 wrote to memory of 2588	2756	NET.exe	34
PID 2756 wrote to memory of 2588	2756	NET.exe	34
PID 2220 wrote to memory of 2620	2220	2b607447d7329e4b4cf411321d39be60.exe	36
PID 2220 wrote to memory of 2620	2220	2b607447d7329e4b4cf411321d39be60.exe	36
PID 2220 wrote to memory of 2620	2220	2b607447d7329e4b4cf411321d39be60.exe	36
PID 2220 wrote to memory of 2620	2220	2b607447d7329e4b4cf411321d39be60.exe	36

C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe
"C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP srservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        5⤵
        
        PID:2588
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe.bat
  2⤵
  - Deletes itself
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe.bat

Filesize
133B

MD5
5300e7900660b56890cef6fb2a30d084

SHA1
343273fde8fbc94031b1d208b532d19cb7188e7a

SHA256
f8e986e36ebe53831268b627b4e2cd5c1a77b7b6e6384eb8a3cf90624b820e90

SHA512
6ab940529b9476e1b89cd5c05eb38e66a7e323409a5d0ca796ece522ba800cd90bf352d7cad2d479a4d12d5e4134ba3445c8ccd6df74748cb1538a4cf03c1e95

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
350KB

MD5
b4d84a8da17a6293cfe26ba3502e0f31

SHA1
c9c875a706fe2e747a8f70e77945a6b4c357aee3

SHA256
1d456a121f887752c60ff29d909eec76945b76957ba7242a552342a51f0cee5a

SHA512
6fe6fa84ec9c65ca68aa85eba6f955fa60449e03e755b9e907f8b5fc880647a29204f23ae4ef0b15c60bb8f768e02ec68abeac3e7b0f6bb77a9232f4fa6edd67

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
141KB

MD5
747fb4cef32ade993a27eb1f98a99c60

SHA1
86192c25cf12c5c5597d2af37a8bb8fdc7ef1bc1

SHA256
af3e8ad07df783dba7bb00caa143bfa9f32fa8a384230a0a2ea59ee1a1de7253

SHA512
7201019302e4fe95abb1d8349b1600345d0570122dc2c84214b923fb4708e5ee37771893753a1d4a1917f7f38cbe77d01bd0b2512f27d7a41515d776cf31c955

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
423KB

MD5
802f6bc8f8f528a6403a7d692889f7a6

SHA1
b65b1822df80359756bf4be42b1653ef02dfeed0

SHA256
bf851d9d112bffc6226dcf75580aaee6c669c4a906bc7383fca354ed54a5e8b2

SHA512
4cf1dc33f2291e9abe53bb52522b545b75555c27ad7250856f9a8aeba07a62019f1d4dc860a88f486a0834960ba8d92e4476c98b37665b8d399ad74bb967fd46

Download Submit
C:\Windows\services.exe

Filesize
142KB

MD5
ae9eabdeab506afaf6c5c1f4b3316199

SHA1
97f8bdc612aec200998f91a1f9c0253c08848f55

SHA256
785efc08ed43b6e9063f682299a5e569491759353cd7062a5b8ef304845cc2b9

SHA512
645c3f4ba1fa72ed7ad809eeaf47c36c2fda5d51d596f6668803a76b9492a3a9a48d60143f4e482836e072efe27b57bf9cf76b3dab356ab715bf92aae6c6f1de

Download Submit
C:\Windows\services.exe

Filesize
365KB

MD5
fc503394fec9a823f86cd4056830a02f

SHA1
5efe21ac10961fc43dc814110900fe31f3044fe3

SHA256
3290eb33d0ee5026283006552700f0a9645e601f7d5095ef79c002e71d1c2bac

SHA512
53b091b4c7e6e6e4e3f88bc5e0365fe4c2f61540aab2f74e08cde795e8cc17085833b2ab3092b70d4e7468a98470090c14c9b5eb59aac81505d9a432dc54fe34

Download Submit
C:\Windows\system\sservice.exe

Filesize
155KB

MD5
4585d7a754682a7c7cc2d87354af55d7

SHA1
a5279d2b253dc286d1cbb2718a4698b96158f7f5

SHA256
8c7d3d572369a9604f3c861d50d9467c10c170acd54c35197bea1484658ed119

SHA512
a4c3a5f159d68ac29b661ff51953ef0d0825acada0a8799be14a8ca8cf306cd7031bbbf7479a1f05968a4d989ec17f3fcdba9b06adcd0a7652938bd6109746d0

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
471KB

MD5
3e6905ceb9e13e9b71c792799a84b0d5

SHA1
a4b7e7589aa16da77f9684aa70e6dce6ffb27602

SHA256
e0b41a30fef87bba93ce07c04dd9461e38ef4feacb3958117dbc39e965e79bb9

SHA512
2b708ea2373dcd6ac0b019dd81e9d0ff20fc8ac3ae222dcf041554a66c6612ca539fda35fb3613394b3ed6630632c72b7a6b7b70225ceccd4b59fcbc840b13e8

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
326KB

MD5
a4825c7c36480ddf97d3b2ed1d608ab6

SHA1
3dfe89d1daa2f668be5a6fc11224d5e5b71e42c2

SHA256
7739ad2a3cbdea12abf9c617fd0f9063191fd2d8c8d3ea0d0278844f1998e7d4

SHA512
05b56ab0e19b413ddafce414c90be89acf64fe038316f93a1c30bfcad684cd73ace7647caa22439a8d893da51c95c4e008d69d8004e2d4e2392faa253c1f9b16

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
43e7d9b875c921ba6be38d45540fb9dd

SHA1
f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

SHA256
f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

SHA512
2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

Download Submit
memory/2220-7-0x0000000003110000-0x000000000330F000-memory.dmp

Filesize
2.0MB

Download
memory/2220-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2220-14-0x0000000003110000-0x000000000330F000-memory.dmp

Filesize
2.0MB

Download
memory/2220-47-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2220-0-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-50-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-58-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-65-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-31-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2708-64-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-63-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-62-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-51-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-52-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-53-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2708-54-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-55-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-56-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-29-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-59-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2708-61-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2836-18-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2836-39-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2836-15-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2836-30-0x0000000003070000-0x000000000326F000-memory.dmp

Filesize
2.0MB

Download