c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3

Analysis

max time kernel
135s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
Size

1.1MB
MD5

1134ef5931d60fe644adc5ebbaea12f6
SHA1

2b1aa5e95e604baf20b95c17b65f9a02d51eff5e
SHA256

c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3
SHA512

6622c5929a3eef4af935934c434c1cc8a2d3b303a62a3e27f97d5598615589f077db157539c37d6e45f981420011a439d4f2559d476cee71f4cdacb02d285759
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QW:acallSllG4ZM7QzMN

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1268	svchcst.exe

Executes dropped EXE 6 IoCs

pid	Process
1268	svchcst.exe
1796	svchcst.exe
3228	svchcst.exe
4796	svchcst.exe
212	svchcst.exe
228	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
952	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
952	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
952	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
952	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
952	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
1268	svchcst.exe
1268	svchcst.exe
1796	svchcst.exe
1796	svchcst.exe
3228	svchcst.exe
3228	svchcst.exe
4796	svchcst.exe
4796	svchcst.exe
212	svchcst.exe
212	svchcst.exe
228	svchcst.exe
228	svchcst.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 5080	952	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe	87
PID 952 wrote to memory of 5080	952	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe	87
PID 952 wrote to memory of 5080	952	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe	87
PID 5080 wrote to memory of 1268	5080	WScript.exe	94
PID 5080 wrote to memory of 1268	5080	WScript.exe	94
PID 5080 wrote to memory of 1268	5080	WScript.exe	94
PID 1268 wrote to memory of 4720	1268	svchcst.exe	95
PID 1268 wrote to memory of 4720	1268	svchcst.exe	95
PID 1268 wrote to memory of 4720	1268	svchcst.exe	95
PID 1268 wrote to memory of 2756	1268	svchcst.exe	96
PID 1268 wrote to memory of 2756	1268	svchcst.exe	96
PID 1268 wrote to memory of 2756	1268	svchcst.exe	96
PID 4720 wrote to memory of 1796	4720	WScript.exe	99
PID 4720 wrote to memory of 1796	4720	WScript.exe	99
PID 4720 wrote to memory of 1796	4720	WScript.exe	99
PID 2756 wrote to memory of 3228	2756	WScript.exe	100
PID 2756 wrote to memory of 3228	2756	WScript.exe	100
PID 2756 wrote to memory of 3228	2756	WScript.exe	100
PID 1796 wrote to memory of 3884	1796	svchcst.exe	101
PID 1796 wrote to memory of 3884	1796	svchcst.exe	101
PID 1796 wrote to memory of 3884	1796	svchcst.exe	101
PID 3884 wrote to memory of 4796	3884	WScript.exe	102
PID 3884 wrote to memory of 4796	3884	WScript.exe	102
PID 3884 wrote to memory of 4796	3884	WScript.exe	102
PID 4796 wrote to memory of 844	4796	svchcst.exe	103
PID 4796 wrote to memory of 844	4796	svchcst.exe	103
PID 4796 wrote to memory of 844	4796	svchcst.exe	103
PID 4796 wrote to memory of 4932	4796	svchcst.exe	104
PID 4796 wrote to memory of 4932	4796	svchcst.exe	104
PID 4796 wrote to memory of 4932	4796	svchcst.exe	104
PID 4932 wrote to memory of 212	4932	WScript.exe	105
PID 4932 wrote to memory of 212	4932	WScript.exe	105
PID 4932 wrote to memory of 212	4932	WScript.exe	105
PID 844 wrote to memory of 228	844	WScript.exe	106
PID 844 wrote to memory of 228	844	WScript.exe	106
PID 844 wrote to memory of 228	844	WScript.exe	106

C:\Users\Admin\AppData\Local\Temp\c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
"C:\Users\Admin\AppData\Local\Temp\c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:212
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
43318d9a503382e1148fbc928d86ee0a

SHA1
d085c3285f16c3a1555b8742634ff05619e08c28

SHA256
93b369e1351c2e27270cc5f13ecd8875df8097e0d5ab5b1c8cae6b19aaa9c3e3

SHA512
f9d9b8ca789b9d76d6b3d1b3238fc817b2c797b8d59e17cc241c80df6b493fa9d3919baaaf316d5b2bbc9f0033d35e9ae995ab90796d77f7e121e1f8ce179897

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
94fe82c5ebdad6f02eb1259d7a62c437

SHA1
0ec5791cc463235315afade0c9a56eca884a96af

SHA256
c22133a08637902d86be8a7e9be4885c02ef581bf0ff91109f45cf76eec26894

SHA512
f5e293266ad2a3228ffc58232e712a84590afa2cf5b485de04b38bf48347dab75e54019477880ad707a1f40ad2f49e38760a4b24ddcc4649be1fcfcb252e6737

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5f8d2617abbdddf7fa1ed1a6706f93ff

SHA1
d266348558020dea3667fd399ccbd4798653195a

SHA256
63182d23abffd30722b0fd203380aeff60364d3fcf106a1e13efdf4a1140049d

SHA512
8d6b5c422722be8b467f533b986a7ea580be9fb36fc7855f995e5087edd638d08f19c25fa434dab44df2a5675cfb8b61fc07f6b99a906b08519f2edf1e9c71f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bd9a7033a5cd37a8b0843a8063131310

SHA1
01306490eed17db95de401103333098643b1a4ca

SHA256
2d9e2a247d25492c9aa0e5812bb5836b21fbf93abc3aebc9cd8855ecf2b213fe

SHA512
ebc22e42fdf52f48a129643c75397848f2506163b6bab3b5ef06aea8ee87eb7aef819999831760b42c41e107e69aa6b6d59d5b6f8025eeb7a1d9f79f444ff8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
735b91c02cebc3cb178e4166255bf8f9

SHA1
a5699bfae7e3af659d9b0d50c739b5f7dffb33f7

SHA256
c5ad2ccfe2dc31ba5c9a2c72e410af617a94e3e4db4742cb48d1bfd3c23c9f64

SHA512
05449ca3bbcd81e3dab1df60b3ff01c4038309667b100b26610e0db099205f990456f205b0c0deb43a6c3359a7bec371408fc39c4f971549a89bf4394e0e58df

Download Submit
memory/212-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/212-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/228-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/228-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/952-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/952-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1268-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3228-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3228-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4796-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download