ramnit | 81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe
Size

326KB
MD5

834352e9f4dc7be5490f3c537a3c67d8
SHA1

b62006881416e5a622440d707675fccb71ff08d1
SHA256

81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc
SHA512

cd54336a69d5f5fdd8fc239a2b74fd4b8e3bd687d76b87bf1c729e4c8ec9ab0ce7bb67411aacceeb8aad6d62e4b5418e86533742853edaa992e9ed0ed3688fb9
SSDEEP

6144:G5BJM60rrnM5GDwDxIl3EIofWjcg96M6TgG3uP7Int0aQ7ZVUH0K5s:yq1rnM5VDalcfWjc7Tb33a9VsJ5s

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1480	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe
520	WaterMark.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1480-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1480-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1480-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1764-84-0x0000000000400000-0x000000000048F000-memory.dmp	upx
behavioral1/memory/520-87-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/520-205-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1764	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe
1764	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe
1480	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe
1480	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2EE.tmp	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
520	WaterMark.exe
520	WaterMark.exe
520	WaterMark.exe
520	WaterMark.exe
520	WaterMark.exe
520	WaterMark.exe
520	WaterMark.exe
520	WaterMark.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe
1632	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	WaterMark.exe
Token: SeDebugPrivilege	1632	svchost.exe
Token: SeDebugPrivilege	1764	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe
Token: SeDebugPrivilege	520	WaterMark.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1764	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1480	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe
520	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1480	1764	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe	28
PID 1764 wrote to memory of 1480	1764	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe	28
PID 1764 wrote to memory of 1480	1764	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe	28
PID 1764 wrote to memory of 1480	1764	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe	28
PID 1480 wrote to memory of 520	1480	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe	29
PID 1480 wrote to memory of 520	1480	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe	29
PID 1480 wrote to memory of 520	1480	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe	29
PID 1480 wrote to memory of 520	1480	81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe	29
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1680	520	WaterMark.exe	30
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 520 wrote to memory of 1632	520	WaterMark.exe	31
PID 1632 wrote to memory of 260	1632	svchost.exe	7
PID 1632 wrote to memory of 260	1632	svchost.exe	7
PID 1632 wrote to memory of 260	1632	svchost.exe	7
PID 1632 wrote to memory of 260	1632	svchost.exe	7
PID 1632 wrote to memory of 260	1632	svchost.exe	7
PID 1632 wrote to memory of 332	1632	svchost.exe	6
PID 1632 wrote to memory of 332	1632	svchost.exe	6
PID 1632 wrote to memory of 332	1632	svchost.exe	6
PID 1632 wrote to memory of 332	1632	svchost.exe	6
PID 1632 wrote to memory of 332	1632	svchost.exe	6
PID 1632 wrote to memory of 368	1632	svchost.exe	5
PID 1632 wrote to memory of 368	1632	svchost.exe	5
PID 1632 wrote to memory of 368	1632	svchost.exe	5
PID 1632 wrote to memory of 368	1632	svchost.exe	5
PID 1632 wrote to memory of 368	1632	svchost.exe	5
PID 1632 wrote to memory of 376	1632	svchost.exe	4
PID 1632 wrote to memory of 376	1632	svchost.exe	4
PID 1632 wrote to memory of 376	1632	svchost.exe	4
PID 1632 wrote to memory of 376	1632	svchost.exe	4
PID 1632 wrote to memory of 376	1632	svchost.exe	4
PID 1632 wrote to memory of 416	1632	svchost.exe	3
PID 1632 wrote to memory of 416	1632	svchost.exe	3
PID 1632 wrote to memory of 416	1632	svchost.exe	3
PID 1632 wrote to memory of 416	1632	svchost.exe	3
PID 1632 wrote to memory of 416	1632	svchost.exe	3
PID 1632 wrote to memory of 460	1632	svchost.exe	2
PID 1632 wrote to memory of 460	1632	svchost.exe	2
PID 1632 wrote to memory of 460	1632	svchost.exe	2
PID 1632 wrote to memory of 460	1632	svchost.exe	2
PID 1632 wrote to memory of 460	1632	svchost.exe	2
PID 1632 wrote to memory of 476	1632	svchost.exe	1
PID 1632 wrote to memory of 476	1632	svchost.exe	1
PID 1632 wrote to memory of 476	1632	svchost.exe	1
PID 1632 wrote to memory of 476	1632	svchost.exe	1
PID 1632 wrote to memory of 476	1632	svchost.exe	1
PID 1632 wrote to memory of 484	1632	svchost.exe	8

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:724
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1184
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:880
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:1328
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:656
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1128
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1056
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1832
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1996
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe
  "C:\Users\Admin\AppData\Local\Temp\81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe
    C:\Users\Admin\AppData\Local\Temp\81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1680
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
102KB

MD5
70b04c8c018befad3751d3f4d24d3bcb

SHA1
78df84b2b59d909efc9630ff1408f4b4c5392f7d

SHA256
90530f86af79995047d051ca4fdbe02456ff4445073fe6f4e0c13e3f97d6ccee

SHA512
649f6ba6af342d064981f2e02780ba6d68f204e3b8648685787a5e58e6cbeadec1d13c363c1d19a7136633cde8361f560d89311c6ef6b99dbb2b7c684aef9f06

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
102KB

MD5
70b04c8c018befad3751d3f4d24d3bcb

SHA1
78df84b2b59d909efc9630ff1408f4b4c5392f7d

SHA256
90530f86af79995047d051ca4fdbe02456ff4445073fe6f4e0c13e3f97d6ccee

SHA512
649f6ba6af342d064981f2e02780ba6d68f204e3b8648685787a5e58e6cbeadec1d13c363c1d19a7136633cde8361f560d89311c6ef6b99dbb2b7c684aef9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe

Filesize
102KB

MD5
70b04c8c018befad3751d3f4d24d3bcb

SHA1
78df84b2b59d909efc9630ff1408f4b4c5392f7d

SHA256
90530f86af79995047d051ca4fdbe02456ff4445073fe6f4e0c13e3f97d6ccee

SHA512
649f6ba6af342d064981f2e02780ba6d68f204e3b8648685787a5e58e6cbeadec1d13c363c1d19a7136633cde8361f560d89311c6ef6b99dbb2b7c684aef9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe

Filesize
102KB

MD5
70b04c8c018befad3751d3f4d24d3bcb

SHA1
78df84b2b59d909efc9630ff1408f4b4c5392f7d

SHA256
90530f86af79995047d051ca4fdbe02456ff4445073fe6f4e0c13e3f97d6ccee

SHA512
649f6ba6af342d064981f2e02780ba6d68f204e3b8648685787a5e58e6cbeadec1d13c363c1d19a7136633cde8361f560d89311c6ef6b99dbb2b7c684aef9f06

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
102KB

MD5
70b04c8c018befad3751d3f4d24d3bcb

SHA1
78df84b2b59d909efc9630ff1408f4b4c5392f7d

SHA256
90530f86af79995047d051ca4fdbe02456ff4445073fe6f4e0c13e3f97d6ccee

SHA512
649f6ba6af342d064981f2e02780ba6d68f204e3b8648685787a5e58e6cbeadec1d13c363c1d19a7136633cde8361f560d89311c6ef6b99dbb2b7c684aef9f06

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
102KB

MD5
70b04c8c018befad3751d3f4d24d3bcb

SHA1
78df84b2b59d909efc9630ff1408f4b4c5392f7d

SHA256
90530f86af79995047d051ca4fdbe02456ff4445073fe6f4e0c13e3f97d6ccee

SHA512
649f6ba6af342d064981f2e02780ba6d68f204e3b8648685787a5e58e6cbeadec1d13c363c1d19a7136633cde8361f560d89311c6ef6b99dbb2b7c684aef9f06

Download Submit
\Users\Admin\AppData\Local\Temp\81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe

Filesize
102KB

MD5
70b04c8c018befad3751d3f4d24d3bcb

SHA1
78df84b2b59d909efc9630ff1408f4b4c5392f7d

SHA256
90530f86af79995047d051ca4fdbe02456ff4445073fe6f4e0c13e3f97d6ccee

SHA512
649f6ba6af342d064981f2e02780ba6d68f204e3b8648685787a5e58e6cbeadec1d13c363c1d19a7136633cde8361f560d89311c6ef6b99dbb2b7c684aef9f06

Download Submit
\Users\Admin\AppData\Local\Temp\81ecf1e8d5fc1b219decfaf8d374d25dc55665ab99ad3a57984b1eb9e56299bcmgr.exe

Filesize
102KB

MD5
70b04c8c018befad3751d3f4d24d3bcb

SHA1
78df84b2b59d909efc9630ff1408f4b4c5392f7d

SHA256
90530f86af79995047d051ca4fdbe02456ff4445073fe6f4e0c13e3f97d6ccee

SHA512
649f6ba6af342d064981f2e02780ba6d68f204e3b8648685787a5e58e6cbeadec1d13c363c1d19a7136633cde8361f560d89311c6ef6b99dbb2b7c684aef9f06

Download Submit
memory/520-87-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/520-205-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1480-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1480-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1480-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1632-93-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1632-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1680-80-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1680-88-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1680-76-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1680-79-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1680-206-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1764-86-0x0000000000490000-0x00000000004B4000-memory.dmp

Filesize
144KB

Download
memory/1764-85-0x0000000000490000-0x00000000004B4000-memory.dmp

Filesize
144KB

Download
memory/1764-84-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1764-861-0x0000000000490000-0x00000000004B4000-memory.dmp

Filesize
144KB

Download
memory/1764-862-0x0000000000490000-0x00000000004B4000-memory.dmp

Filesize
144KB

Download