c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc

Analysis

max time kernel
240s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc.exe
Size

1.5MB
MD5

acf5f8ea08344b58eeb8d546b01fe689
SHA1

1ed97ea8e34d8af7a5bb36f73ac6145724719f3e
SHA256

c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc
SHA512

f4ec7e2a4f407401b3a951ce4fd05f6ed511d834338185a644bbf3fc213efd2451718e7b775734ef7ae822e1223dd91c0d1efb976b220f3d8f1dd73021adbc67
SSDEEP

24576:vyT2HQvGlUKcjtn6Rq/++GkO6nvgk6rhABJ7M+Tx/1+ASQmkgOvdmBH9:6KHQvGaKmt6M/JGkOzkhJL/1OGtvc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	160930046.exe

Executes dropped EXE 6 IoCs

pid	Process
3800	Mc841959.exe
2168	YB093725.exe
1768	md528212.exe
212	160930046.exe
2148	1.exe
2032	232544829.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	md528212.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Mc841959.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Mc841959.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	YB093725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	YB093725.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	md528212.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1312	2032	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2148	1.exe
2148	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	160930046.exe
Token: SeDebugPrivilege	2148	1.exe
Token: SeDebugPrivilege	2032	232544829.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3800	3480	c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc.exe	79
PID 3480 wrote to memory of 3800	3480	c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc.exe	79
PID 3480 wrote to memory of 3800	3480	c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc.exe	79
PID 3800 wrote to memory of 2168	3800	Mc841959.exe	80
PID 3800 wrote to memory of 2168	3800	Mc841959.exe	80
PID 3800 wrote to memory of 2168	3800	Mc841959.exe	80
PID 2168 wrote to memory of 1768	2168	YB093725.exe	81
PID 2168 wrote to memory of 1768	2168	YB093725.exe	81
PID 2168 wrote to memory of 1768	2168	YB093725.exe	81
PID 1768 wrote to memory of 212	1768	md528212.exe	82
PID 1768 wrote to memory of 212	1768	md528212.exe	82
PID 1768 wrote to memory of 212	1768	md528212.exe	82
PID 212 wrote to memory of 2148	212	160930046.exe	85
PID 212 wrote to memory of 2148	212	160930046.exe	85
PID 1768 wrote to memory of 2032	1768	md528212.exe	86
PID 1768 wrote to memory of 2032	1768	md528212.exe	86
PID 1768 wrote to memory of 2032	1768	md528212.exe	86

C:\Users\Admin\AppData\Local\Temp\c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc.exe
"C:\Users\Admin\AppData\Local\Temp\c475777b2361308205e150cc95b93d59ea62f7f721f36b0ac1e17a3ae05ecfcc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mc841959.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mc841959.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YB093725.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YB093725.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\md528212.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\md528212.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\160930046.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\160930046.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:212
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232544829.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232544829.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1216
        6⤵
        Program crash
        
        PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2032 -ip 2032
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mc841959.exe

Filesize
1.3MB

MD5
cbd2650dc6926f419dc45124570031f5

SHA1
1d5d771540c84abcaf4f6ed34f3fc863dd05e635

SHA256
26dbbf23c62fd0e70b83592d868314b4872f2c974fdb2ded7959f9003f15f4f0

SHA512
aa65ae8ca4884aca1a2504a7ff7e38bd21c28a3164b3e1a7ca1f5e8b2db7eba107f97b145e4e6b70a4dae4fb989fdc59af35ed249d3c64800210ea9504ebdb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mc841959.exe

Filesize
1.3MB

MD5
cbd2650dc6926f419dc45124570031f5

SHA1
1d5d771540c84abcaf4f6ed34f3fc863dd05e635

SHA256
26dbbf23c62fd0e70b83592d868314b4872f2c974fdb2ded7959f9003f15f4f0

SHA512
aa65ae8ca4884aca1a2504a7ff7e38bd21c28a3164b3e1a7ca1f5e8b2db7eba107f97b145e4e6b70a4dae4fb989fdc59af35ed249d3c64800210ea9504ebdb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YB093725.exe

Filesize
871KB

MD5
5e11a9199be548620f50bfbb39ae57a5

SHA1
b9ec64624cc920e803b280ec5488f5cbbdbb7ed0

SHA256
49b386001f279221e98e13d68c8c39a0605e92314e8e4d71afb4d3576c38c896

SHA512
ae3a0041d4bf4225dd53cec41bf0cdfee34318fe390bccf68d8293c27ea9310373b3ef3db830406ebe024dafcf38edfaa641aedd2651a96dd3981dc43d9cfb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YB093725.exe

Filesize
871KB

MD5
5e11a9199be548620f50bfbb39ae57a5

SHA1
b9ec64624cc920e803b280ec5488f5cbbdbb7ed0

SHA256
49b386001f279221e98e13d68c8c39a0605e92314e8e4d71afb4d3576c38c896

SHA512
ae3a0041d4bf4225dd53cec41bf0cdfee34318fe390bccf68d8293c27ea9310373b3ef3db830406ebe024dafcf38edfaa641aedd2651a96dd3981dc43d9cfb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\md528212.exe

Filesize
699KB

MD5
2667b7a6aaaca2c152970c1f1b6b1ecc

SHA1
0d73792eb5f80b1e02cbdec2dac42a76bec2e7b5

SHA256
5846ca77777f213eb81867d0aaadc2fb833d85813924e5d3e15d62833cd9838b

SHA512
a0e0299e2dd0ff656332c6af3085de87128737b3279713cf32eee1bb221189fce1036552c94260ae5e28f5c2dd8d142bc0f68d7d74fe3919205bf02557e6b1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\md528212.exe

Filesize
699KB

MD5
2667b7a6aaaca2c152970c1f1b6b1ecc

SHA1
0d73792eb5f80b1e02cbdec2dac42a76bec2e7b5

SHA256
5846ca77777f213eb81867d0aaadc2fb833d85813924e5d3e15d62833cd9838b

SHA512
a0e0299e2dd0ff656332c6af3085de87128737b3279713cf32eee1bb221189fce1036552c94260ae5e28f5c2dd8d142bc0f68d7d74fe3919205bf02557e6b1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\160930046.exe

Filesize
299KB

MD5
abc8f4a5f0f64c809ee9e588e439c7e2

SHA1
3b876b741ac6f32e6faa42bd78524506bd70433c

SHA256
c832258986072da06658b2b339d6d5868bb55a0214ba2c9a97dad97c2cd68b08

SHA512
99e26859892ac05482c70bbe2e748d350927c0560ccc7adc024da7bb09c1e31fa0388958479672b3cbce479376b031fa46071f8d6bf2b1cbc5e1be99f9ac1f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\160930046.exe

Filesize
299KB

MD5
abc8f4a5f0f64c809ee9e588e439c7e2

SHA1
3b876b741ac6f32e6faa42bd78524506bd70433c

SHA256
c832258986072da06658b2b339d6d5868bb55a0214ba2c9a97dad97c2cd68b08

SHA512
99e26859892ac05482c70bbe2e748d350927c0560ccc7adc024da7bb09c1e31fa0388958479672b3cbce479376b031fa46071f8d6bf2b1cbc5e1be99f9ac1f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232544829.exe

Filesize
478KB

MD5
136efe696ee60fb77acdf8bcb453a6d0

SHA1
8589c3169109152fe337fc439a955ae48ca5284f

SHA256
07582cfb14f022d0d51930596f04ff72fc131265ba47b5a10f378a3b0ff17ee1

SHA512
5df8b059d90228e0c0fcde481486a9607758eab499b796b7149a9cd62f4ce6eeaac8d22a3194e2bfc3634587855489b01b0a81e7763f223fb12d7b1553f3ecfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232544829.exe

Filesize
478KB

MD5
136efe696ee60fb77acdf8bcb453a6d0

SHA1
8589c3169109152fe337fc439a955ae48ca5284f

SHA256
07582cfb14f022d0d51930596f04ff72fc131265ba47b5a10f378a3b0ff17ee1

SHA512
5df8b059d90228e0c0fcde481486a9607758eab499b796b7149a9cd62f4ce6eeaac8d22a3194e2bfc3634587855489b01b0a81e7763f223fb12d7b1553f3ecfe

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/212-201-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-213-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-169-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-168-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-171-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-173-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-175-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-177-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-179-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-181-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-183-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-185-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-187-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-189-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-191-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-193-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-195-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-197-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-199-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-166-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/212-203-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-205-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-207-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-209-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-211-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-167-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/212-215-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-217-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-219-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-221-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-223-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-225-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-227-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-229-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-231-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/212-2297-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/212-165-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/212-164-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/212-163-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/212-161-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/212-162-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/2032-2315-0x0000000000910000-0x000000000095C000-memory.dmp

Filesize
304KB

Download
memory/2032-2318-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2032-2320-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2032-2323-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2032-4450-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2032-4451-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2032-4452-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2032-4453-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2032-4455-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2032-4459-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/2148-2310-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download