5b35297b640271fea6e846f28d07852589f60ab88ee597c0e2eea68a5de3bec9

Analysis

max time kernel
178s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
24-03-2022 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eset32.exe
Size

3.9MB
MD5

b405bf6533c047b1a47ceced3b42c23b
SHA1

bbb321d380c3f9d17e49a9f2167234742e292e4d
SHA256

5b35297b640271fea6e846f28d07852589f60ab88ee597c0e2eea68a5de3bec9
SHA512

662af21fa3c267ca3a7b451d1a969e1b2dc4fd197368a066e7273b51673bf6def91b02b4d5e429c3b6947a5c97ceb17703b0e716eb6e6dc5a146ca2af40a4c82

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

12.exe1.exeSystem.exesihost64.exe

pid process

1288 12.exe
4428 1.exe
3676 System.exe
3708 sihost64.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

System.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation System.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1.exe

description pid process target process

PID 4428 set thread context of 3896 4428 1.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3548 schtasks.exe

pid	process
1288	12.exe
4428	1.exe
3676	System.exe
3708	sihost64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	System.exe

description	pid	process	target process
PID 4428 set thread context of 3896	4428	1.exe	AppLaunch.exe

pid	process
3548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exe12.exepowershell.exepowershell.exeSystem.exe

pid	process
3544	powershell.exe
3544	powershell.exe
5000	powershell.exe
5000	powershell.exe
1288	12.exe
1072	powershell.exe
1072	powershell.exe
3972	powershell.exe
3972	powershell.exe
3676	System.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exe12.exepowershell.exepowershell.exeSystem.exe

description	pid	process
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	1288	12.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3676	System.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Eset32.exe1.exe12.execmd.execmd.execmd.exeSystem.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 1288	816	Eset32.exe	12.exe
PID 816 wrote to memory of 1288	816	Eset32.exe	12.exe
PID 816 wrote to memory of 4428	816	Eset32.exe	1.exe
PID 816 wrote to memory of 4428	816	Eset32.exe	1.exe
PID 816 wrote to memory of 4428	816	Eset32.exe	1.exe
PID 4428 wrote to memory of 3896	4428	1.exe	AppLaunch.exe
PID 4428 wrote to memory of 3896	4428	1.exe	AppLaunch.exe
PID 4428 wrote to memory of 3896	4428	1.exe	AppLaunch.exe
PID 4428 wrote to memory of 3896	4428	1.exe	AppLaunch.exe
PID 4428 wrote to memory of 3896	4428	1.exe	AppLaunch.exe
PID 1288 wrote to memory of 3916	1288	12.exe	cmd.exe
PID 1288 wrote to memory of 3916	1288	12.exe	cmd.exe
PID 3916 wrote to memory of 3544	3916	cmd.exe	powershell.exe
PID 3916 wrote to memory of 3544	3916	cmd.exe	powershell.exe
PID 3916 wrote to memory of 5000	3916	cmd.exe	powershell.exe
PID 3916 wrote to memory of 5000	3916	cmd.exe	powershell.exe
PID 1288 wrote to memory of 456	1288	12.exe	cmd.exe
PID 1288 wrote to memory of 456	1288	12.exe	cmd.exe
PID 456 wrote to memory of 3548	456	cmd.exe	schtasks.exe
PID 456 wrote to memory of 3548	456	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 4580	1288	12.exe	cmd.exe
PID 1288 wrote to memory of 4580	1288	12.exe	cmd.exe
PID 4580 wrote to memory of 3676	4580	cmd.exe	System.exe
PID 4580 wrote to memory of 3676	4580	cmd.exe	System.exe
PID 3676 wrote to memory of 4796	3676	System.exe	cmd.exe
PID 3676 wrote to memory of 4796	3676	System.exe	cmd.exe
PID 4796 wrote to memory of 1072	4796	cmd.exe	powershell.exe
PID 4796 wrote to memory of 1072	4796	cmd.exe	powershell.exe
PID 4796 wrote to memory of 3972	4796	cmd.exe	powershell.exe
PID 4796 wrote to memory of 3972	4796	cmd.exe	powershell.exe
PID 3676 wrote to memory of 3708	3676	System.exe	sihost64.exe
PID 3676 wrote to memory of 3708	3676	System.exe	sihost64.exe

C:\Users\Admin\AppData\Local\Temp\Eset32.exe
"C:\Users\Admin\AppData\Local\Temp\Eset32.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Roaming\12.exe
C:\Users\Admin\AppData\Roaming\12.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\Admin\AppData\Roaming\Windows\System.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\Admin\AppData\Roaming\Windows\System.exe"
4⤵
- Creates scheduled task(s)
PID:3548

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Windows\System.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Roaming\Windows\System.exe
C:\Users\Admin\AppData\Roaming\Windows\System.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Users\Admin\AppData\Roaming\Windows\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Windows\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
PID:3708

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3235c0b45a0ee14bd4e5213339b30705

SHA1
49ebee3177d8bf7d2b1ce8df3f28f3cc576364aa

SHA256
e407d81c185f5505e1f76e43cfe12076caf7fc7ffb35fd8df087c12c35125b9f

SHA512
2e3e467a766e7f05c81f661472bf8ce944f915cf829f70b4f988b65fc55165580fe37bb8683851e28b939313707c995849fefb1f402d57998412de96cfe0cd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d0a40a2d16d62c60994d5bb5624a589b

SHA1
30f0a77f10518a09d83e6185d6c4cde23e4de8af

SHA256
c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8

SHA512
cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
387705875fe8f8bdd5d35c8e2a4c600f

SHA1
e77cdf21500b7eccb85cc239d6ee39d08851c460

SHA256
1bbe1a66eaa8ed26b6e2759926fd451cbd5a9ca87fa23b272c1438a41015d83d

SHA512
5b072aa43cfba2461ced211442bff3e90858561d3125b758ddba9f1d8267c79342559f5f5014292ccc810512b509105a00e5282ed6e82aef77e8387e2c8e3d69

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
MD5
d9f92868eee8d3c8ecd29a7969419d29

SHA1
0a74749dfcd4eca403859431ebb18ba2a7e845bf

SHA256
b7154023e4778ac19ee6885bf403bf20ce675ef4b87f816e379fa98293526be3

SHA512
5f29374b1bc47f8a978d03476bd8727dcb42b0d6ad028a6decdbbf41363c70001ea017888b5e8a44326d86d2f2fdfe39ade6c27861b7aa317f2f09a62bae95f7

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
MD5
d9f92868eee8d3c8ecd29a7969419d29

SHA1
0a74749dfcd4eca403859431ebb18ba2a7e845bf

SHA256
b7154023e4778ac19ee6885bf403bf20ce675ef4b87f816e379fa98293526be3

SHA512
5f29374b1bc47f8a978d03476bd8727dcb42b0d6ad028a6decdbbf41363c70001ea017888b5e8a44326d86d2f2fdfe39ade6c27861b7aa317f2f09a62bae95f7

Download Submit
C:\Users\Admin\AppData\Roaming\12.exe
MD5
7add9a3ab1734828f756f2725c452c9a

SHA1
8ede7005b99e59af98da451fba6afce13f3a5629

SHA256
dab7fda27d80d645d5a709e59dd1afe41a535885bc353c844077e570d051e763

SHA512
cd8582431009ba4b192d73e6e0494318d73e02993c9981c16f7481b30395f8db9cdaf11b6d0d00ac487be511cffd5479fa70bcf5bb713cfaa7edf7e8e87663f9

Download Submit
C:\Users\Admin\AppData\Roaming\12.exe
MD5
7add9a3ab1734828f756f2725c452c9a

SHA1
8ede7005b99e59af98da451fba6afce13f3a5629

SHA256
dab7fda27d80d645d5a709e59dd1afe41a535885bc353c844077e570d051e763

SHA512
cd8582431009ba4b192d73e6e0494318d73e02993c9981c16f7481b30395f8db9cdaf11b6d0d00ac487be511cffd5479fa70bcf5bb713cfaa7edf7e8e87663f9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\System.exe
MD5
7add9a3ab1734828f756f2725c452c9a

SHA1
8ede7005b99e59af98da451fba6afce13f3a5629

SHA256
dab7fda27d80d645d5a709e59dd1afe41a535885bc353c844077e570d051e763

SHA512
cd8582431009ba4b192d73e6e0494318d73e02993c9981c16f7481b30395f8db9cdaf11b6d0d00ac487be511cffd5479fa70bcf5bb713cfaa7edf7e8e87663f9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\System.exe
MD5
7add9a3ab1734828f756f2725c452c9a

SHA1
8ede7005b99e59af98da451fba6afce13f3a5629

SHA256
dab7fda27d80d645d5a709e59dd1afe41a535885bc353c844077e570d051e763

SHA512
cd8582431009ba4b192d73e6e0494318d73e02993c9981c16f7481b30395f8db9cdaf11b6d0d00ac487be511cffd5479fa70bcf5bb713cfaa7edf7e8e87663f9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Telemetry\sihost64.exe
MD5
e2dd8887aee175ef9befd87b2f6105b3

SHA1
dfc0527e7425ef633db3db034e2e3db8e09f9b28

SHA256
c09d1684236d9ce1d7e0c1c14119b4dc84cbc841da4f4fb84131aa0f367f38f1

SHA512
2313792b160d1d6e28bc2cc2d45ba25773bd5ca1434026316181088c4385c9265922174d65dfac377768024f67f7b9e4cb1b9b6a4fa08606324797e4e1f1e93f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Telemetry\sihost64.exe
MD5
e2dd8887aee175ef9befd87b2f6105b3

SHA1
dfc0527e7425ef633db3db034e2e3db8e09f9b28

SHA256
c09d1684236d9ce1d7e0c1c14119b4dc84cbc841da4f4fb84131aa0f367f38f1

SHA512
2313792b160d1d6e28bc2cc2d45ba25773bd5ca1434026316181088c4385c9265922174d65dfac377768024f67f7b9e4cb1b9b6a4fa08606324797e4e1f1e93f

Download Submit
memory/456-165-0x0000000000000000-mapping.dmp

Download
memory/1072-177-0x0000021B65A33000-0x0000021B65A35000-memory.dmp

Filesize
8KB

Download
memory/1072-173-0x0000000000000000-mapping.dmp

Download
memory/1072-175-0x00007FFE79F80000-0x00007FFE7AA41000-memory.dmp

Filesize
10.8MB

Download
memory/1072-176-0x0000021B65A30000-0x0000021B65A32000-memory.dmp

Filesize
8KB

Download
memory/1072-179-0x0000021B65A36000-0x0000021B65A38000-memory.dmp

Filesize
8KB

Download
memory/1288-143-0x000000001E330000-0x000000001E332000-memory.dmp

Filesize
8KB

Download
memory/1288-137-0x0000000000F40000-0x0000000001150000-memory.dmp

Filesize
2.1MB

Download
memory/1288-140-0x00007FFE79F80000-0x00007FFE7AA41000-memory.dmp

Filesize
10.8MB

Download
memory/1288-134-0x0000000000000000-mapping.dmp

Download
memory/1288-142-0x0000000002020000-0x0000000002032000-memory.dmp

Filesize
72KB

Download
memory/3544-154-0x00007FFE79F80000-0x00007FFE7AA41000-memory.dmp

Filesize
10.8MB

Download
memory/3544-157-0x000002D480786000-0x000002D480788000-memory.dmp

Filesize
8KB

Download
memory/3544-156-0x000002D480783000-0x000002D480785000-memory.dmp

Filesize
8KB

Download
memory/3544-155-0x000002D480780000-0x000002D480782000-memory.dmp

Filesize
8KB

Download
memory/3544-153-0x000002D49BAF0000-0x000002D49BB12000-memory.dmp

Filesize
136KB

Download
memory/3544-152-0x0000000000000000-mapping.dmp

Download
memory/3548-166-0x0000000000000000-mapping.dmp

Download
memory/3676-168-0x0000000000000000-mapping.dmp

Download
memory/3676-171-0x00007FFE79F80000-0x00007FFE7AA41000-memory.dmp

Filesize
10.8MB

Download
memory/3676-174-0x0000000003450000-0x0000000003452000-memory.dmp

Filesize
8KB

Download
memory/3708-192-0x0000000000CA0000-0x0000000000CA2000-memory.dmp

Filesize
8KB

Download
memory/3708-191-0x00007FFE79F80000-0x00007FFE7AA41000-memory.dmp

Filesize
10.8MB

Download
memory/3708-190-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/3708-186-0x0000000000000000-mapping.dmp

Download
memory/3896-147-0x0000000000412000-0x000000000049E000-memory.dmp

Filesize
560KB

Download
memory/3896-189-0x0000000000AF0000-0x0000000000B56000-memory.dmp

Filesize
408KB

Download
memory/3896-145-0x0000000000000000-mapping.dmp

Download
memory/3896-148-0x0000000000410000-0x00000000004A2000-memory.dmp

Filesize
584KB

Download
memory/3916-151-0x0000000000000000-mapping.dmp

Download
memory/3972-184-0x0000022F06E06000-0x0000022F06E08000-memory.dmp

Filesize
8KB

Download
memory/3972-182-0x0000022F06E00000-0x0000022F06E02000-memory.dmp

Filesize
8KB

Download
memory/3972-183-0x0000022F06E03000-0x0000022F06E05000-memory.dmp

Filesize
8KB

Download
memory/3972-185-0x00007FFE79F80000-0x00007FFE7AA41000-memory.dmp

Filesize
10.8MB

Download
memory/3972-180-0x0000000000000000-mapping.dmp

Download
memory/4428-138-0x0000000000000000-mapping.dmp

Download
memory/4428-144-0x0000000000112000-0x0000000000114000-memory.dmp

Filesize
8KB

Download
memory/4580-167-0x0000000000000000-mapping.dmp

Download
memory/4796-172-0x0000000000000000-mapping.dmp

Download
memory/5000-162-0x000001B873B60000-0x000001B873B62000-memory.dmp

Filesize
8KB

Download
memory/5000-161-0x00007FFE79F80000-0x00007FFE7AA41000-memory.dmp

Filesize
10.8MB

Download
memory/5000-158-0x0000000000000000-mapping.dmp

Download
memory/5000-163-0x000001B873B63000-0x000001B873B65000-memory.dmp

Filesize
8KB

Download
memory/5000-164-0x000001B873B66000-0x000001B873B68000-memory.dmp

Filesize
8KB

Download