3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637

Analysis

max time kernel
291s
max time network
299s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/04/2023, 07:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Size

2.4MB
MD5

a62505758e85f40fa06345da8af15d21
SHA1

21f1f6c7e18985baeb9082c3ccb7f30bdd32867a
SHA256

3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637
SHA512

8c712db84b35f977caa4f87efad7b54f6340c6efa46c4a9a222947cb917f32a122bc9f34c3f85f91927b511f1c372471a2db25b9668289733ac1f7dace747014
SSDEEP

24576:FkfiQkUbTO8OwvQZGrpl9Y1fHUDNsk8scl9VgXRP1O8l7Y5q6Q3k4U+A4lZVQ8C7:qfiXGr1fdCTeP/Kq6P4V7WyvOkEm92w

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jvlbsdhzhh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hroqfbdcbjn\\Jvlbsdhzhh.exe\""	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jvlbsdhzhh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hroqfbdcbjn\\Jvlbsdhzhh.exe\""	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 1576 set thread context of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
592	powershell.exe
1700	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeDebugPrivilege	796	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeIncreaseQuotaPrivilege	796	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: 33	1704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1704	AUDIODG.EXE
Token: 33	1704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1704	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	796	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeShutdownPrivilege	856	explorer.exe
Token: SeDebugPrivilege	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeDebugPrivilege	900	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeShutdownPrivilege	856	explorer.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe
856	explorer.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 592	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	27
PID 1728 wrote to memory of 592	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	27
PID 1728 wrote to memory of 592	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	27
PID 1728 wrote to memory of 592	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	27
PID 1728 wrote to memory of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 1728 wrote to memory of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 1728 wrote to memory of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 1728 wrote to memory of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 1728 wrote to memory of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 1728 wrote to memory of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 1728 wrote to memory of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 1728 wrote to memory of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 1728 wrote to memory of 796	1728	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	29
PID 856 wrote to memory of 1584	856	explorer.exe	32
PID 856 wrote to memory of 1584	856	explorer.exe	32
PID 856 wrote to memory of 1584	856	explorer.exe	32
PID 1576 wrote to memory of 1700	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	35
PID 1576 wrote to memory of 1700	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	35
PID 1576 wrote to memory of 1700	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	35
PID 1576 wrote to memory of 1700	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	35
PID 1576 wrote to memory of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37
PID 1576 wrote to memory of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37
PID 1576 wrote to memory of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37
PID 1576 wrote to memory of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37
PID 1576 wrote to memory of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37
PID 1576 wrote to memory of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37
PID 1576 wrote to memory of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37
PID 1576 wrote to memory of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37
PID 1576 wrote to memory of 900	1576	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
"C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
  C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
    "C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
      C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Hroqfbdcbjn\Jvlbsdhzhh.exe

Filesize
2.4MB

MD5
a62505758e85f40fa06345da8af15d21

SHA1
21f1f6c7e18985baeb9082c3ccb7f30bdd32867a

SHA256
3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637

SHA512
8c712db84b35f977caa4f87efad7b54f6340c6efa46c4a9a222947cb917f32a122bc9f34c3f85f91927b511f1c372471a2db25b9668289733ac1f7dace747014

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RJEUHRE0V77GI34FNFVA.temp

Filesize
7KB

MD5
b2bfa177501257e71b80679b13d37d71

SHA1
b5a3eed372c09d1bcbe88d636dd6b4cbce72f102

SHA256
469069a8291f1709e3220043efe492c5500f2ac2982476dd0cff47f98f09c715

SHA512
7fd4ff37be9abf1145d5092bff616fef7ed13f4bceaaf5a509280e48a9e5973eca9dc31428cd6d86b9b4b9eb762df7b13737c8e31358ad0a10af85d8b15a183b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b2bfa177501257e71b80679b13d37d71

SHA1
b5a3eed372c09d1bcbe88d636dd6b4cbce72f102

SHA256
469069a8291f1709e3220043efe492c5500f2ac2982476dd0cff47f98f09c715

SHA512
7fd4ff37be9abf1145d5092bff616fef7ed13f4bceaaf5a509280e48a9e5973eca9dc31428cd6d86b9b4b9eb762df7b13737c8e31358ad0a10af85d8b15a183b

Download Submit
memory/592-62-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/592-61-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/592-64-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/592-65-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/796-103-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-112-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-69-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/796-70-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/796-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/796-72-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/796-74-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/796-76-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/796-77-0x0000000000BB0000-0x0000000000CB8000-memory.dmp

Filesize
1.0MB

Download
memory/796-78-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-79-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-81-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-83-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-85-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-87-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-89-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-91-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-93-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-95-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-97-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-99-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-101-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-104-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/796-67-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/796-106-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-108-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-110-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-68-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/796-114-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-116-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-118-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-120-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-122-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-124-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-126-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-128-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-130-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-132-0x0000000000BB0000-0x0000000000CB2000-memory.dmp

Filesize
1.0MB

Download
memory/796-1982-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/856-5365-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/856-5368-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/900-7566-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/900-5465-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/1576-5363-0x0000000004450000-0x0000000004490000-memory.dmp

Filesize
256KB

Download
memory/1576-5366-0x0000000004450000-0x0000000004490000-memory.dmp

Filesize
256KB

Download
memory/1700-5367-0x00000000007F0000-0x0000000000830000-memory.dmp

Filesize
256KB

Download
memory/1700-5364-0x00000000007F0000-0x0000000000830000-memory.dmp

Filesize
256KB

Download
memory/1728-55-0x0000000004C60000-0x0000000004E0A000-memory.dmp

Filesize
1.7MB

Download
memory/1728-56-0x00000000044B0000-0x0000000004538000-memory.dmp

Filesize
544KB

Download
memory/1728-54-0x0000000000D30000-0x0000000000F9E000-memory.dmp

Filesize
2.4MB

Download
memory/1728-57-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/1728-58-0x0000000004990000-0x0000000004A22000-memory.dmp

Filesize
584KB

Download
memory/1728-63-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download