956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d

Analysis

max time kernel
65s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
Size

541KB
MD5

1d7f62d28cb0885bef466efde20583f3
SHA1

a462cb6ecbd5f6a25033b4db52f51340472fd241
SHA256

956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d
SHA512

acc5e4332380010fa5f417acafa548840b74295a122105f3211f565c79c7cd50a645c3b781f16f28166380a32e41a2f9d34a0a3b52faa800943c2214345d8a16
SSDEEP

12288:ADaq927uCSbyjNfh7NC/E5l2F+7p64ozoCeaUUo2VWe:ADz2yyjT7N+R+7IjeaUUo28e

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3268-132-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/3268-142-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/files/0x000400000001da0b-145.dat	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\Ð¡ÓÎÏ·.ico	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RtkSYUdp.exe	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\internet explorer\version Vector	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\ = "´ò¿ªÖ÷Ò³(&H)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\Attributes = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\InfoTip = "@shdoclc.dll,-881"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\ = "ÊôÐÔ(&R)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command\ = "IEXPLORE.EXE %w%w%w.93%119%15.%c%o%m"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\LocalizedString = "@shdoclc.dll,-880"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon\ = "shdoclc.dll,-190"	regedit.exe

Runs regedit.exe 3 IoCs

pid	Process
636	regedit.exe
1316	regedit.exe
4288	regedit.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 636	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	83
PID 3268 wrote to memory of 636	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	83
PID 3268 wrote to memory of 636	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	83
PID 3268 wrote to memory of 1316	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	84
PID 3268 wrote to memory of 1316	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	84
PID 3268 wrote to memory of 1316	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	84
PID 3268 wrote to memory of 3084	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	85
PID 3268 wrote to memory of 3084	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	85
PID 3268 wrote to memory of 3084	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	85
PID 3268 wrote to memory of 4288	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	87
PID 3268 wrote to memory of 4288	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	87
PID 3268 wrote to memory of 4288	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	87
PID 3268 wrote to memory of 2236	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	91
PID 3268 wrote to memory of 2236	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	91
PID 3268 wrote to memory of 2236	3268	956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe	91
PID 2236 wrote to memory of 1896	2236	cmd.exe	93
PID 2236 wrote to memory of 1896	2236	cmd.exe	93
PID 2236 wrote to memory of 1896	2236	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe
"C:\Users\Admin\AppData\Local\Temp\956bc669fb78d56a792596c08e8243c196aaad7779b2fbe7fd435a90d7e6251d.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp
  2⤵
  - Modifies registry class
  - Runs regedit.exe
  PID:636
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\$10943.tmp
  2⤵
  - Runs regedit.exe
  PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
  2⤵
  PID:3084
- C:\Windows\SysWOW64\regedit.exe
  C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
  2⤵
  - Modifies registry class
  - Runs regedit.exe
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
    3⤵
    PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
665B

MD5
f1a978e634978a65312d40a14c89c0c8

SHA1
37abbedff6a56142242d52d1847c8b644f70f8b0

SHA256
7bc6406a489989514df4f1c0d6cfd05684fa638a7b31e9cc7e8fa618e77d4d3a

SHA512
1aeccc3b6d3d54baf623e2dd435b020325bac285f1717881836a31184fa8626ee0721cf4ac2e61f542c64b88fe3119c401cc1583be519201581703435666c9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp

Filesize
1KB

MD5
f9ce5c8a3059991babf4084151caa492

SHA1
26567f89a885b0e69f24309c3e5c58e8e938f841

SHA256
e82c214f33cad1b25146758e22fd887b15f63b1a7a8d716b358c50dc5c3d4e96

SHA512
cce48827588aa5968453a8a69baeab8435083dca1d625d079b01d4f9292c7bcb85ab1217f1cf96ea301eef49b7a96a76b58413d4496f1c35e234df7c7e5c9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp

Filesize
142B

MD5
1722b85f05faa97e09cc1d98002d0711

SHA1
0a2ec5d60f6c8af838fc004e8fbb0b436437887f

SHA256
2c428a167d8dabe9b4e4e821f5d56333962208ef44bc0becbf9c968f1e583e21

SHA512
40393e3b6f958a2b0303810ba3653f55b18ff22439df78487752c92cbe0a510120b2a078b31805980ae2ceaa4465674bfc2ce03803988481fd633e2b9c3ca3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
4KB

MD5
e65d0630e7c3363eff81fd64109c3dac

SHA1
062d18f42ff35760bed198d51c1056a42c22bfba

SHA256
286db12cc30d8834f18cbc2d72aab3cbc8ab4c515dc8f4e124c82eaa61e4061d

SHA512
d4921c73729c5a00f9f2348d93cd0db827ea17cb45295f0f0b05d99597a241dab7703b674dd107e7a9d15854765b279af7d4f6b7ab8c44a1e658e361c63c0559

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
memory/3268-142-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3268-132-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download