f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8

Resubmissions

23-01-2024 14:03

240123-rcwpqsbff3 10

23-01-2024 13:44

240123-q13yaabef7 10

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 8 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral3/memory/2908-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral3/memory/2908-37-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral3/memory/2792-45-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral3/memory/2908-46-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral3/memory/2792-61-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1900 netsh.exe
4776 netsh.exe
3376 netsh.exe
1448 netsh.exe

pid	process
1900	netsh.exe
4776	netsh.exe
3376	netsh.exe
1448	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2792 svchost.exe

pid	process
2792	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

560 schtasks.exe

pid	process
560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe

pid	process
2176	powershell.exe
2176	powershell.exe
1524	powershell.exe
1524	powershell.exe
2176	powershell.exe
1524	powershell.exe
2908	svchost_dump_SCY - Copy.exe
2908	svchost_dump_SCY - Copy.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe
976	powershell.exe
976	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe
Token: 36	1796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe
Token: 36	1796	WMIC.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeIncreaseQuotaPrivilege	3696	WMIC.exe
Token: SeSecurityPrivilege	3696	WMIC.exe
Token: SeTakeOwnershipPrivilege	3696	WMIC.exe
Token: SeLoadDriverPrivilege	3696	WMIC.exe
Token: SeSystemProfilePrivilege	3696	WMIC.exe
Token: SeSystemtimePrivilege	3696	WMIC.exe
Token: SeProfSingleProcessPrivilege	3696	WMIC.exe
Token: SeIncBasePriorityPrivilege	3696	WMIC.exe
Token: SeCreatePagefilePrivilege	3696	WMIC.exe
Token: SeBackupPrivilege	3696	WMIC.exe
Token: SeRestorePrivilege	3696	WMIC.exe
Token: SeShutdownPrivilege	3696	WMIC.exe
Token: SeDebugPrivilege	3696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3696	WMIC.exe
Token: SeRemoteShutdownPrivilege	3696	WMIC.exe
Token: SeUndockPrivilege	3696	WMIC.exe
Token: SeManageVolumePrivilege	3696	WMIC.exe
Token: 33	3696	WMIC.exe
Token: 34	3696	WMIC.exe
Token: 35	3696	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	pid	process	target process
PID 2908 wrote to memory of 1796	2908	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2908 wrote to memory of 1796	2908	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2908 wrote to memory of 1900	2908	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2908 wrote to memory of 1900	2908	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2908 wrote to memory of 4776	2908	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2908 wrote to memory of 4776	2908	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2908 wrote to memory of 2176	2908	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2908 wrote to memory of 2176	2908	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2908 wrote to memory of 1524	2908	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2908 wrote to memory of 1524	2908	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2908 wrote to memory of 3244	2908	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2908 wrote to memory of 3244	2908	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2908 wrote to memory of 560	2908	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2908 wrote to memory of 560	2908	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2908 wrote to memory of 2792	2908	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2908 wrote to memory of 2792	2908	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2792 wrote to memory of 3696	2792	svchost.exe	WMIC.exe
PID 2792 wrote to memory of 3696	2792	svchost.exe	WMIC.exe
PID 2792 wrote to memory of 3376	2792	svchost.exe	netsh.exe
PID 2792 wrote to memory of 3376	2792	svchost.exe	netsh.exe
PID 2792 wrote to memory of 1448	2792	svchost.exe	netsh.exe
PID 2792 wrote to memory of 1448	2792	svchost.exe	netsh.exe
PID 2792 wrote to memory of 4492	2792	svchost.exe	powershell.exe
PID 2792 wrote to memory of 4492	2792	svchost.exe	powershell.exe
PID 2792 wrote to memory of 976	2792	svchost.exe	powershell.exe
PID 2792 wrote to memory of 976	2792	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1900

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:3244

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:560

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3376

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vecgf20.x4j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
399e885091f433c306661eee1cd438db

SHA1
d148192a1880432eb6a46fbf73777223fa279f5c

SHA256
e5ab202452cbbc9629ee9ad360da834e860e5650b490b60e63ffc1825772a1e3

SHA512
899863701065a827dd0b29f3e5f9dfa18ff6ac4683e5da16175f233bbb98895c224d7e391085d06106dd7d6ec2505449db4ad3fa242c9309e0c88889361935e0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
2.9MB

MD5
ce12819fc39b0a987f90ecb2ba56ee61

SHA1
2a4cc8c8eed769e062e5f91713f2a19815cbd53b

SHA256
efb44e8ca3ba974d1316dd9a32de4ef75f0fc3ec9a73b33084be007e98d46093

SHA512
18b40ab8b0174ab733ec319500754ce8db5e8bfa5b0440a0341659b1cc0f1c3885f28830a5603a2ef4524d0c68c8a91f56c4d33131a0f62653fdc326256f275a

Download Submit
C:\Windows\System\svchost.exe

Filesize
507KB

MD5
c428877c787b0c17234a2e3293b70d5c

SHA1
3fa59af9a980a9746cbb8f78b3af2057a6834bc1

SHA256
00549815095049678074d93784eb5e53803575873be167f8419f61b5eea9020e

SHA512
5568a24551f35f2a394e2cbed58b6af801f99accac84242858f6b90c14f9a2a3d356198ba681015e7eef7548b92b8185184cd2ac34d6f49c9c102e159c51317d

Download Submit
C:\Windows\System\svchost.exe

Filesize
510KB

MD5
c3db33307069f604f94ea806c21d71e7

SHA1
8530f9426538086d66763ec7ace42093c62651e1

SHA256
fd2f135353c8cfd3d27cdacfca1846717f47bfc9bb5609e49096f1178c5b6883

SHA512
05ebda2ad5500e1cc9e44542dcd1eebb9597def3ae1d4a5556c48c12d56902efa29cdbd5ad1db8ea6ddf6a5d02afe22bcea8a5da96e8a591184e00f323b88a72

Download Submit
C:\Windows\System\svchost.exe

Filesize
139KB

MD5
c557f5903b026a289ca7625257d8399e

SHA1
e9e4ca538545bb6fc0466894500d8bf85dd50c54

SHA256
00197545c6cc4a761a6896fa63bda0fe64ca30b9f28e218dc8ae092d6786ecb6

SHA512
8f9c4af3e00715ceb05e96a5a74f6b0cfc5f3b90fff422c2862d49379efe59d2db6dce17c563b2e1f2e5a269cd1fd658ce84c2e984a3f59726f80cedf4f8855f

Download Submit
memory/976-77-0x00000183CB6D0000-0x00000183CB6E0000-memory.dmp

Filesize
64KB

Download
memory/976-79-0x00007FF9D2420000-0x00007FF9D2EE1000-memory.dmp

Filesize
10.8MB

Download
memory/976-66-0x00007FF9D2420000-0x00007FF9D2EE1000-memory.dmp

Filesize
10.8MB

Download
memory/976-67-0x00000183CB6D0000-0x00000183CB6E0000-memory.dmp

Filesize
64KB

Download
memory/1524-26-0x000001F13BEF0000-0x000001F13BF00000-memory.dmp

Filesize
64KB

Download
memory/1524-22-0x00007FF9D2420000-0x00007FF9D2EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1524-35-0x00007FF9D2420000-0x00007FF9D2EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1524-24-0x000001F13BEF0000-0x000001F13BF00000-memory.dmp

Filesize
64KB

Download
memory/1524-28-0x000001F13BEF0000-0x000001F13BF00000-memory.dmp

Filesize
64KB

Download
memory/1524-23-0x000001F13BEF0000-0x000001F13BF00000-memory.dmp

Filesize
64KB

Download
memory/2176-21-0x00000294F3C00000-0x00000294F3C10000-memory.dmp

Filesize
64KB

Download
memory/2176-20-0x00007FF9D2420000-0x00007FF9D2EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-25-0x00000294F3C00000-0x00000294F3C10000-memory.dmp

Filesize
64KB

Download
memory/2176-34-0x00007FF9D2420000-0x00007FF9D2EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-27-0x00000294F3C00000-0x00000294F3C10000-memory.dmp

Filesize
64KB

Download
memory/2176-1-0x00000294F3B80000-0x00000294F3BA2000-memory.dmp

Filesize
136KB

Download
memory/2792-45-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2792-80-0x0000000031C20000-0x0000000032102000-memory.dmp

Filesize
4.9MB

Download
memory/2792-61-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2908-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2908-46-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2908-37-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4492-58-0x000001ECF3720000-0x000001ECF3730000-memory.dmp

Filesize
64KB

Download
memory/4492-64-0x00007FF9D2370000-0x00007FF9D2E31000-memory.dmp

Filesize
10.8MB

Download
memory/4492-62-0x000001ECF3720000-0x000001ECF3730000-memory.dmp

Filesize
64KB

Download
memory/4492-60-0x000001ECF3720000-0x000001ECF3730000-memory.dmp

Filesize
64KB

Download
memory/4492-54-0x000001ECF3720000-0x000001ECF3730000-memory.dmp

Filesize
64KB

Download
memory/4492-47-0x00007FF9D2370000-0x00007FF9D2E31000-memory.dmp

Filesize
10.8MB

Download