74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8

Analysis

max time kernel
152s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Size

181KB
MD5

7d3b5e0524975e9cf9063cc53eb13e4d
SHA1

15790c2428c14fcf753fbb3d08eaa44b0752b7c3
SHA256

74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8
SHA512

d5dd8c5109e0fbd6a81883d6767f862b6a0f3a7608b5c0685ff989b18cf5499286404d81cc8135141880051cb50c9151740ddcc2be4dbf0564417561c4c1e5f6
SSDEEP

3072:4faI9mPig4XjzI7CVACmjmliW1AEyd7pqVvLDPbL5OeL4QwHCAtLbtYQSe4:45ETAj7Ahgj1RY7pqbL5OnFiO3we4

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1292	nakas.exe

Deletes itself 1 IoCs

pid	Process
1924	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	nakas.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	nakas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ulsudiymmu = "C:\\Users\\Admin\\AppData\\Roaming\\Evik\\nakas.exe"	nakas.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\44E66441-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe
1292	nakas.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Token: SeSecurityPrivilege	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Token: SeSecurityPrivilege	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Token: SeSecurityPrivilege	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Token: SeSecurityPrivilege	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Token: SeSecurityPrivilege	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Token: SeSecurityPrivilege	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Token: SeSecurityPrivilege	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
Token: SeSecurityPrivilege	1924	cmd.exe
Token: SeSecurityPrivilege	1924	cmd.exe
Token: SeSecurityPrivilege	1924	cmd.exe
Token: SeSecurityPrivilege	1924	cmd.exe
Token: SeSecurityPrivilege	1924	cmd.exe
Token: SeManageVolumePrivilege	1568	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1568	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1568	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1568	WinMail.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1292	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	28
PID 1908 wrote to memory of 1292	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	28
PID 1908 wrote to memory of 1292	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	28
PID 1908 wrote to memory of 1292	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	28
PID 1292 wrote to memory of 1120	1292	nakas.exe	10
PID 1292 wrote to memory of 1120	1292	nakas.exe	10
PID 1292 wrote to memory of 1120	1292	nakas.exe	10
PID 1292 wrote to memory of 1120	1292	nakas.exe	10
PID 1292 wrote to memory of 1120	1292	nakas.exe	10
PID 1292 wrote to memory of 1164	1292	nakas.exe	18
PID 1292 wrote to memory of 1164	1292	nakas.exe	18
PID 1292 wrote to memory of 1164	1292	nakas.exe	18
PID 1292 wrote to memory of 1164	1292	nakas.exe	18
PID 1292 wrote to memory of 1164	1292	nakas.exe	18
PID 1292 wrote to memory of 1196	1292	nakas.exe	17
PID 1292 wrote to memory of 1196	1292	nakas.exe	17
PID 1292 wrote to memory of 1196	1292	nakas.exe	17
PID 1292 wrote to memory of 1196	1292	nakas.exe	17
PID 1292 wrote to memory of 1196	1292	nakas.exe	17
PID 1292 wrote to memory of 1908	1292	nakas.exe	27
PID 1292 wrote to memory of 1908	1292	nakas.exe	27
PID 1292 wrote to memory of 1908	1292	nakas.exe	27
PID 1292 wrote to memory of 1908	1292	nakas.exe	27
PID 1292 wrote to memory of 1908	1292	nakas.exe	27
PID 1908 wrote to memory of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29
PID 1908 wrote to memory of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29
PID 1908 wrote to memory of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29
PID 1908 wrote to memory of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29
PID 1908 wrote to memory of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29
PID 1908 wrote to memory of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29
PID 1908 wrote to memory of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29
PID 1908 wrote to memory of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29
PID 1908 wrote to memory of 1924	1908	74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe	29
PID 1292 wrote to memory of 1668	1292	nakas.exe	30
PID 1292 wrote to memory of 1668	1292	nakas.exe	30
PID 1292 wrote to memory of 1668	1292	nakas.exe	30
PID 1292 wrote to memory of 1668	1292	nakas.exe	30
PID 1292 wrote to memory of 1668	1292	nakas.exe	30
PID 1292 wrote to memory of 1936	1292	nakas.exe	31
PID 1292 wrote to memory of 1936	1292	nakas.exe	31
PID 1292 wrote to memory of 1936	1292	nakas.exe	31
PID 1292 wrote to memory of 1936	1292	nakas.exe	31
PID 1292 wrote to memory of 1936	1292	nakas.exe	31
PID 1292 wrote to memory of 1568	1292	nakas.exe	32
PID 1292 wrote to memory of 1568	1292	nakas.exe	32
PID 1292 wrote to memory of 1568	1292	nakas.exe	32
PID 1292 wrote to memory of 1568	1292	nakas.exe	32
PID 1292 wrote to memory of 1568	1292	nakas.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe
  "C:\Users\Admin\AppData\Local\Temp\74672a8a67b9a66733696a096ff95645836642354a5e6315754c86d1408ef8f8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Roaming\Evik\nakas.exe
    "C:\Users\Admin\AppData\Roaming\Evik\nakas.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp38fa0fef.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1924

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "525894199-8784050752104368582354203914-2135414366-482009578-1575706309406367765"
1⤵
PID:1936

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp38fa0fef.bat

Filesize
307B

MD5
d793bf7010dac9cb439956e3f698c4a9

SHA1
74c415fb304128b8742cd9a40f07611ab818ad6b

SHA256
03c222476df04d0ffe064cc06ec35dda8843eb07172f0e31abc71fb6c3cc3585

SHA512
da45d03b48c46cde4af28be202ecb18937a0ffda4285f650c0a4c9e0f62d409f1dbbba39741610d3248765cde4710beac756ba88dde72af5651716c0b8ff437e

Download Submit
C:\Users\Admin\AppData\Roaming\Evik\nakas.exe

Filesize
181KB

MD5
a9bda2b0e4c35a3ce502d3796cc5e473

SHA1
d21efb34903116d2bb726f793bd58a104d9a7e4d

SHA256
e406e7ca2a06aa440a8f44c96f8089ff88440e460845ec7215cfbea397ba832b

SHA512
0ecff5a4c31b1d20028b2ebee9abee95ca27e5bcddb2d3416ca1d5265b1e446003446ad27abac282df37a65d17b83d56a73d493dc9e045fcc94d776f96215a4a

Download Submit
C:\Users\Admin\AppData\Roaming\Evik\nakas.exe

Filesize
181KB

MD5
a9bda2b0e4c35a3ce502d3796cc5e473

SHA1
d21efb34903116d2bb726f793bd58a104d9a7e4d

SHA256
e406e7ca2a06aa440a8f44c96f8089ff88440e460845ec7215cfbea397ba832b

SHA512
0ecff5a4c31b1d20028b2ebee9abee95ca27e5bcddb2d3416ca1d5265b1e446003446ad27abac282df37a65d17b83d56a73d493dc9e045fcc94d776f96215a4a

Download Submit
C:\Users\Admin\AppData\Roaming\Wogu\edaq.ymi

Filesize
3KB

MD5
61fed7d63cd71abc535085b152560c1b

SHA1
e7ac2d1a1a664c6047b849a7aa21590808e6ce82

SHA256
192f22d7ba136abe6b3750e5b942b18a33fa44666ff1a03e4afc2501944b9ac3

SHA512
2cf13fe9a2addf6289f0d27f3d0103e525b17ee032392d54d0a9fc158844e2a5f2a697d322179ce3ef9a7699ad5b17ebd91bb27e19ffd9e9a82393ea339c2eb7

Download Submit
C:\Users\Admin\AppData\Roaming\Wogu\edaq.ymi

Filesize
4KB

MD5
50a85316ffa6ca41ee79ce233934da8f

SHA1
79525226cfdb24b581b92c790bc6cbe11b17b5c4

SHA256
e801d66bfd5cf2bc417ed162e78185e0d8bafcdccfa7a905e8dbd1a054724970

SHA512
6f0db7ab81b1d4646f28faa69af7ae1a7f62af3573bf5685543bb766d1a83a83ed8adb2de88ae0dc428bf54bd81654b9b6d40fbbe3d531bee8bb5fdfcfbb2355

Download Submit
\Users\Admin\AppData\Roaming\Evik\nakas.exe

Filesize
181KB

MD5
a9bda2b0e4c35a3ce502d3796cc5e473

SHA1
d21efb34903116d2bb726f793bd58a104d9a7e4d

SHA256
e406e7ca2a06aa440a8f44c96f8089ff88440e460845ec7215cfbea397ba832b

SHA512
0ecff5a4c31b1d20028b2ebee9abee95ca27e5bcddb2d3416ca1d5265b1e446003446ad27abac282df37a65d17b83d56a73d493dc9e045fcc94d776f96215a4a

Download Submit
\Users\Admin\AppData\Roaming\Evik\nakas.exe

Filesize
181KB

MD5
a9bda2b0e4c35a3ce502d3796cc5e473

SHA1
d21efb34903116d2bb726f793bd58a104d9a7e4d

SHA256
e406e7ca2a06aa440a8f44c96f8089ff88440e460845ec7215cfbea397ba832b

SHA512
0ecff5a4c31b1d20028b2ebee9abee95ca27e5bcddb2d3416ca1d5265b1e446003446ad27abac282df37a65d17b83d56a73d493dc9e045fcc94d776f96215a4a

Download Submit
memory/1120-77-0x0000000001DE0000-0x0000000001E19000-memory.dmp

Filesize
228KB

Download
memory/1120-76-0x0000000001DE0000-0x0000000001E19000-memory.dmp

Filesize
228KB

Download
memory/1120-74-0x0000000001DE0000-0x0000000001E19000-memory.dmp

Filesize
228KB

Download
memory/1120-75-0x0000000001DE0000-0x0000000001E19000-memory.dmp

Filesize
228KB

Download
memory/1120-72-0x0000000001DE0000-0x0000000001E19000-memory.dmp

Filesize
228KB

Download
memory/1164-82-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1164-81-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1164-80-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1164-83-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1196-86-0x0000000002200000-0x0000000002239000-memory.dmp

Filesize
228KB

Download
memory/1196-87-0x0000000002200000-0x0000000002239000-memory.dmp

Filesize
228KB

Download
memory/1196-88-0x0000000002200000-0x0000000002239000-memory.dmp

Filesize
228KB

Download
memory/1196-89-0x0000000002200000-0x0000000002239000-memory.dmp

Filesize
228KB

Download
memory/1292-98-0x0000000002750000-0x00000000027B2000-memory.dmp

Filesize
392KB

Download
memory/1292-105-0x00000000037B0000-0x0000000003812000-memory.dmp

Filesize
392KB

Download
memory/1292-68-0x0000000001F20000-0x0000000001F82000-memory.dmp

Filesize
392KB

Download
memory/1292-67-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1292-102-0x0000000001F20000-0x0000000001F82000-memory.dmp

Filesize
392KB

Download
memory/1292-101-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1292-97-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1292-114-0x00000000037B0000-0x0000000003812000-memory.dmp

Filesize
392KB

Download
memory/1292-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1292-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1292-276-0x00000000037B0000-0x0000000003812000-memory.dmp

Filesize
392KB

Download
memory/1292-69-0x0000000001F20000-0x0000000001F82000-memory.dmp

Filesize
392KB

Download
memory/1668-139-0x0000000003A50000-0x0000000003A89000-memory.dmp

Filesize
228KB

Download
memory/1668-142-0x0000000003A50000-0x0000000003A89000-memory.dmp

Filesize
228KB

Download
memory/1668-138-0x0000000003A50000-0x0000000003A89000-memory.dmp

Filesize
228KB

Download
memory/1668-141-0x0000000003A50000-0x0000000003A89000-memory.dmp

Filesize
228KB

Download
memory/1908-65-0x0000000001F20000-0x0000000001F82000-memory.dmp

Filesize
392KB

Download
memory/1908-92-0x00000000026F0000-0x0000000002729000-memory.dmp

Filesize
228KB

Download
memory/1908-99-0x00000000026F0000-0x0000000002752000-memory.dmp

Filesize
392KB

Download
memory/1908-56-0x0000000001F20000-0x0000000001F82000-memory.dmp

Filesize
392KB

Download
memory/1908-96-0x00000000026F0000-0x0000000002729000-memory.dmp

Filesize
228KB

Download
memory/1908-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1908-95-0x00000000026F0000-0x0000000002729000-memory.dmp

Filesize
228KB

Download
memory/1908-94-0x00000000026F0000-0x0000000002729000-memory.dmp

Filesize
228KB

Download
memory/1908-93-0x00000000026F0000-0x0000000002729000-memory.dmp

Filesize
228KB

Download
memory/1908-100-0x00000000026F0000-0x0000000002752000-memory.dmp

Filesize
392KB

Download
memory/1908-255-0x00000000026F0000-0x0000000002729000-memory.dmp

Filesize
228KB

Download
memory/1908-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1908-57-0x0000000001F20000-0x0000000001F82000-memory.dmp

Filesize
392KB

Download
memory/1908-254-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1908-58-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1908-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1908-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1924-110-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-117-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-128-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-130-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-132-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-140-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-123-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-121-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-119-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-125-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-135-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-111-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-277-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-112-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-108-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1936-145-0x0000000000160000-0x0000000000199000-memory.dmp

Filesize
228KB

Download
memory/1936-146-0x0000000000160000-0x0000000000199000-memory.dmp

Filesize
228KB

Download