Analysis

  • max time kernel
    171s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 12:28

General

  • Target

    71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe

  • Size

    2.2MB

  • MD5

    2e26ec54afd1288b055e7706de808a6c

  • SHA1

    64a439521d75f2d77fef60db5115fc8645266003

  • SHA256

    71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a

  • SHA512

    c2cdcd0d97b9b22ffab2a2a76470adf813a5d58d052e25f4f5181948afa29958fb3647b0d785bdd6c8e07a80c0d9d04cda33d21d522510c6850f178c39f41861

  • SSDEEP

    49152:zzrlxWjx1Hp7rH403mwRaKkYpYfJWGwvPDKvxe:zzrTmxVpg032iYRWGwvP

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
    "C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe
      "C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Users\Admin\AppData\Local\TempCSGO Client.exe
        "C:\Users\Admin\AppData\Local\TempCSGO Client.exe"
        3⤵
        • Executes dropped EXE
        PID:1116
      • C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe
        "C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\792399" "C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Users\Admin\AppData\Roaming\windows.exe
          "C:\Users\Admin\AppData\Roaming\windows.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Users\Admin\AppData\Roaming\windows.exe
            "C:\Users\Admin\AppData\Roaming\windows.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\712281" "C:\Users\Admin\AppData\Roaming\windows.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:524
            • C:\Users\Admin\AppData\Roaming\windows.exe
              "C:\Users\Admin\AppData\Roaming\windows.exe"
              6⤵
              • Executes dropped EXE
              PID:2004
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\55.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 0127.0.0.1
            5⤵
            • Runs ping.exe
            PID:1384
    • C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
      "C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1312

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\TempCSGO Client.exe

    Filesize

    151KB

    MD5

    5f05e7130bc6dc523faa9cf537157af1

    SHA1

    c63fe5480dbed5a2b0d40426160d5892a8c9130f

    SHA256

    ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa

    SHA512

    dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

  • C:\Users\Admin\AppData\Local\TempCSGO Client.exe

    Filesize

    151KB

    MD5

    5f05e7130bc6dc523faa9cf537157af1

    SHA1

    c63fe5480dbed5a2b0d40426160d5892a8c9130f

    SHA256

    ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa

    SHA512

    dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

  • C:\Users\Admin\AppData\Local\Temp\55.bat

    Filesize

    188B

    MD5

    69af552a021c6429c5f9000313a3ed79

    SHA1

    bb4f1f89c22a765d1d788e56927ba4bf4e8f6ecc

    SHA256

    08d85fc24cb4d70ec500c1507f6f7389cdcaf07082f6383b1aa72f9b8ca1f29c

    SHA512

    85a3c43fa90ab7d1462522762809e44ebdaafecda8dbd90d22bc6575bb9854f2691ee9da97bb1ddb9815a3c31905be5bdc1d50ac618501c637f220fa4477aed9

  • C:\Users\Admin\AppData\Local\Temp\712281

    Filesize

    18KB

    MD5

    ba7ed704ea46ad6efe082e5ff4e373ee

    SHA1

    f77c50c318e5b65c06ef07b466fbf49fa477fc34

    SHA256

    b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30

    SHA512

    b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb

  • C:\Users\Admin\AppData\Local\Temp\792399

    Filesize

    18KB

    MD5

    ba7ed704ea46ad6efe082e5ff4e373ee

    SHA1

    f77c50c318e5b65c06ef07b466fbf49fa477fc34

    SHA256

    b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30

    SHA512

    b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb

  • C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • C:\Users\Admin\AppData\Local\Temp\incl1

    Filesize

    12KB

    MD5

    b8f891833c18f882d28dca0d8bf1edf6

    SHA1

    fe2ba906a57c8011d74ed5ab63da5dda5db106d9

    SHA256

    99b15f7e814d394ce70ef6457f6ef67c9aa63d19626b31b9e2d54a0babf0d7a5

    SHA512

    a2e0d64a63241b1ec98e50211434af0185fad5486e8c1e2e6fe281779109308742746e5240e713074db77c9f401254bd4a4951bb5845f6738a922ce1dc567c18

  • C:\Users\Admin\AppData\Local\Temp\incl1

    Filesize

    12KB

    MD5

    b8f891833c18f882d28dca0d8bf1edf6

    SHA1

    fe2ba906a57c8011d74ed5ab63da5dda5db106d9

    SHA256

    99b15f7e814d394ce70ef6457f6ef67c9aa63d19626b31b9e2d54a0babf0d7a5

    SHA512

    a2e0d64a63241b1ec98e50211434af0185fad5486e8c1e2e6fe281779109308742746e5240e713074db77c9f401254bd4a4951bb5845f6738a922ce1dc567c18

  • C:\Users\Admin\AppData\Local\Temp\incl2

    Filesize

    660KB

    MD5

    65372a6302983fc206e90a544c61c7c5

    SHA1

    2a9328477ec18ec759fc151e05ce083ccf3e858f

    SHA256

    f1bf06f9652893c9aa56e9f51045c80842b5d23b653a1c924b2a8b52b210048c

    SHA512

    384b16edf39ab2b47ef857c0d40a98ad485c285496a783faf45bca47bfd5d334f0083477fdfacf0f7dc562cdd82281f1ecdad2053a1dba245cf7e937bfc104b2

  • C:\Users\Admin\AppData\Roaming\windows.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • C:\Users\Admin\AppData\Roaming\windows.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • C:\Users\Admin\AppData\Roaming\windows.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • C:\Users\Admin\AppData\Roaming\windows.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • \Users\Admin\AppData\Local\TempCSGO Client.exe

    Filesize

    151KB

    MD5

    5f05e7130bc6dc523faa9cf537157af1

    SHA1

    c63fe5480dbed5a2b0d40426160d5892a8c9130f

    SHA256

    ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa

    SHA512

    dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

  • \Users\Admin\AppData\Local\TempCSGO Client.exe

    Filesize

    151KB

    MD5

    5f05e7130bc6dc523faa9cf537157af1

    SHA1

    c63fe5480dbed5a2b0d40426160d5892a8c9130f

    SHA256

    ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa

    SHA512

    dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

  • \Users\Admin\AppData\Local\TempCSGO Client.exe

    Filesize

    151KB

    MD5

    5f05e7130bc6dc523faa9cf537157af1

    SHA1

    c63fe5480dbed5a2b0d40426160d5892a8c9130f

    SHA256

    ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa

    SHA512

    dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

  • \Users\Admin\AppData\Local\TempCSGO Client.exe

    Filesize

    151KB

    MD5

    5f05e7130bc6dc523faa9cf537157af1

    SHA1

    c63fe5480dbed5a2b0d40426160d5892a8c9130f

    SHA256

    ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa

    SHA512

    dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

  • \Users\Admin\AppData\Local\TempCSGO Client.exe

    Filesize

    151KB

    MD5

    5f05e7130bc6dc523faa9cf537157af1

    SHA1

    c63fe5480dbed5a2b0d40426160d5892a8c9130f

    SHA256

    ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa

    SHA512

    dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

  • \Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • \Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • \Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • \Users\Admin\AppData\Roaming\windows.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • \Users\Admin\AppData\Roaming\windows.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • \Users\Admin\AppData\Roaming\windows.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • \Users\Admin\AppData\Roaming\windows.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • \Users\Admin\AppData\Roaming\windows.exe

    Filesize

    1.6MB

    MD5

    ca31b9b62cd0e6d2c306076283058574

    SHA1

    9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

    SHA256

    21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

    SHA512

    84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

  • memory/524-96-0x0000000000000000-mapping.dmp

  • memory/1116-69-0x0000000000000000-mapping.dmp

  • memory/1116-103-0x0000000000B36000-0x0000000000B55000-memory.dmp

    Filesize

    124KB

  • memory/1116-72-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp

    Filesize

    10.1MB

  • memory/1116-89-0x000007FEF2350000-0x000007FEF33E6000-memory.dmp

    Filesize

    16.6MB

  • memory/1180-90-0x0000000000000000-mapping.dmp

  • memory/1312-97-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/1312-104-0x0000000000444BFE-mapping.dmp

  • memory/1312-60-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/1312-100-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/1312-106-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/1312-59-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/1312-101-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/1312-112-0x0000000074290000-0x000000007483B000-memory.dmp

    Filesize

    5.7MB

  • memory/1312-108-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/1312-113-0x0000000074290000-0x000000007483B000-memory.dmp

    Filesize

    5.7MB

  • memory/1384-92-0x0000000000000000-mapping.dmp

  • memory/1708-76-0x0000000000000000-mapping.dmp

  • memory/1728-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

    Filesize

    8KB

  • memory/1728-73-0x0000000074290000-0x000000007483B000-memory.dmp

    Filesize

    5.7MB

  • memory/1728-55-0x0000000074290000-0x000000007483B000-memory.dmp

    Filesize

    5.7MB

  • memory/1908-57-0x0000000000000000-mapping.dmp

  • memory/1912-84-0x0000000000000000-mapping.dmp