f0199dc0f12f6ccafbf32e14417bfec9c2e9bd207d678300bbc1aedd21813f4f

Analysis

max time kernel
209s
max time network
180s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25e26b2aa08fdb696c36bd0a86c96b68.exe
Size

141KB
MD5

25e26b2aa08fdb696c36bd0a86c96b68
SHA1

24551b768e6888b1418ebcdb51448803da092427
SHA256

f0199dc0f12f6ccafbf32e14417bfec9c2e9bd207d678300bbc1aedd21813f4f
SHA512

6308a5c0f55b8da4eb4ccadb2466047df1c8690c3b14515386be36a288bb8a39ccf2c947e2501da425ce218538bd4c5dbfd14bd1ee853e3b16d4ea333576bf6a
SSDEEP

1536:TqBj4JLnyokEjWN0wo3xxXLrgtBWcqnV:uBj4IESN0wIrc5A

Score

7^/10

evasion persistence trojan upx

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
2932	iexplore.exe
660	iexplore.exe
1348	winamp.exe
2804	winamp.exe
2068	firewall.exe
1360	firewall.exe
2316	spooIsv.exe
1992	spooIsv.exe
2412	algs.exe
2496	algs.exe
3048	Isass.exe
1304	Isass.exe

Loads dropped DLL 16 IoCs

pid	Process
2216	25e26b2aa08fdb696c36bd0a86c96b68.exe
2216	25e26b2aa08fdb696c36bd0a86c96b68.exe
2932	iexplore.exe
660	iexplore.exe
660	iexplore.exe
1348	winamp.exe
2804	winamp.exe
2804	winamp.exe
2068	firewall.exe
1360	firewall.exe
1360	firewall.exe
2316	spooIsv.exe
1992	spooIsv.exe
1992	spooIsv.exe
2496	algs.exe
2496	algs.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-3-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2216-23-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/660-54-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2804-81-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1360-110-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1992-138-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2496-166-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1304-173-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1304-181-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows DLL Loader = "C:\\Windows\\system32\\Isass.exe"	Isass.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winamp.exe	iexplore.exe
File created	C:\Windows\SysWOW64\osxcdy.bat	spooIsv.exe
File created	C:\Windows\SysWOW64\pxhhw.bat	winamp.exe
File created	C:\Windows\SysWOW64\algs.exe	spooIsv.exe
File opened for modification	C:\Windows\SysWOW64\algs.exe	spooIsv.exe
File created	C:\Windows\SysWOW64\kckv.bat	algs.exe
File created	C:\Windows\SysWOW64\explorer.exe	Isass.exe
File created	C:\Windows\SysWOW64\jtmvy.bat	iexplore.exe
File created	C:\Windows\SysWOW64\firewall.exe	winamp.exe
File opened for modification	C:\Windows\SysWOW64\firewall.exe	winamp.exe
File opened for modification	C:\Windows\SysWOW64\iexplore.exe	25e26b2aa08fdb696c36bd0a86c96b68.exe
File opened for modification	C:\Windows\SysWOW64\spooIsv.exe	firewall.exe
File created	C:\Windows\SysWOW64\glmbmt.bat	firewall.exe
File created	C:\Windows\SysWOW64\Isass.exe	algs.exe
File opened for modification	C:\Windows\SysWOW64\Isass.exe	algs.exe
File created	C:\Windows\SysWOW64\iexplore.exe	25e26b2aa08fdb696c36bd0a86c96b68.exe
File created	C:\Windows\SysWOW64\winamp.exe	iexplore.exe
File created	C:\Windows\SysWOW64\spooIsv.exe	firewall.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 2216	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	29
PID 2932 set thread context of 660	2932	iexplore.exe	34
PID 1348 set thread context of 2804	1348	winamp.exe	38
PID 2068 set thread context of 1360	2068	firewall.exe	42
PID 2316 set thread context of 1992	2316	spooIsv.exe	46
PID 2412 set thread context of 2496	2412	algs.exe	50
PID 3048 set thread context of 1304	3048	Isass.exe	53

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	2592	WerFault.exe	1

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2592	25e26b2aa08fdb696c36bd0a86c96b68.exe
2932	iexplore.exe
1348	winamp.exe
2068	firewall.exe
2316	spooIsv.exe
2412	algs.exe
3048	Isass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2216	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	29
PID 2592 wrote to memory of 2216	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	29
PID 2592 wrote to memory of 2216	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	29
PID 2592 wrote to memory of 2216	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	29
PID 2592 wrote to memory of 2216	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	29
PID 2592 wrote to memory of 2216	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	29
PID 2216 wrote to memory of 2800	2216	25e26b2aa08fdb696c36bd0a86c96b68.exe	31
PID 2216 wrote to memory of 2800	2216	25e26b2aa08fdb696c36bd0a86c96b68.exe	31
PID 2216 wrote to memory of 2800	2216	25e26b2aa08fdb696c36bd0a86c96b68.exe	31
PID 2216 wrote to memory of 2800	2216	25e26b2aa08fdb696c36bd0a86c96b68.exe	31
PID 2592 wrote to memory of 2044	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	30
PID 2592 wrote to memory of 2044	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	30
PID 2592 wrote to memory of 2044	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	30
PID 2592 wrote to memory of 2044	2592	25e26b2aa08fdb696c36bd0a86c96b68.exe	30
PID 2216 wrote to memory of 2932	2216	25e26b2aa08fdb696c36bd0a86c96b68.exe	33
PID 2216 wrote to memory of 2932	2216	25e26b2aa08fdb696c36bd0a86c96b68.exe	33
PID 2216 wrote to memory of 2932	2216	25e26b2aa08fdb696c36bd0a86c96b68.exe	33
PID 2216 wrote to memory of 2932	2216	25e26b2aa08fdb696c36bd0a86c96b68.exe	33
PID 2932 wrote to memory of 660	2932	iexplore.exe	34
PID 2932 wrote to memory of 660	2932	iexplore.exe	34
PID 2932 wrote to memory of 660	2932	iexplore.exe	34
PID 2932 wrote to memory of 660	2932	iexplore.exe	34
PID 2932 wrote to memory of 660	2932	iexplore.exe	34
PID 2932 wrote to memory of 660	2932	iexplore.exe	34
PID 660 wrote to memory of 532	660	iexplore.exe	35
PID 660 wrote to memory of 532	660	iexplore.exe	35
PID 660 wrote to memory of 532	660	iexplore.exe	35
PID 660 wrote to memory of 532	660	iexplore.exe	35
PID 660 wrote to memory of 1348	660	iexplore.exe	37
PID 660 wrote to memory of 1348	660	iexplore.exe	37
PID 660 wrote to memory of 1348	660	iexplore.exe	37
PID 660 wrote to memory of 1348	660	iexplore.exe	37
PID 1348 wrote to memory of 2804	1348	winamp.exe	38
PID 1348 wrote to memory of 2804	1348	winamp.exe	38
PID 1348 wrote to memory of 2804	1348	winamp.exe	38
PID 1348 wrote to memory of 2804	1348	winamp.exe	38
PID 1348 wrote to memory of 2804	1348	winamp.exe	38
PID 1348 wrote to memory of 2804	1348	winamp.exe	38
PID 2804 wrote to memory of 2080	2804	winamp.exe	39
PID 2804 wrote to memory of 2080	2804	winamp.exe	39
PID 2804 wrote to memory of 2080	2804	winamp.exe	39
PID 2804 wrote to memory of 2080	2804	winamp.exe	39
PID 2804 wrote to memory of 2068	2804	winamp.exe	41
PID 2804 wrote to memory of 2068	2804	winamp.exe	41
PID 2804 wrote to memory of 2068	2804	winamp.exe	41
PID 2804 wrote to memory of 2068	2804	winamp.exe	41
PID 2068 wrote to memory of 1360	2068	firewall.exe	42
PID 2068 wrote to memory of 1360	2068	firewall.exe	42
PID 2068 wrote to memory of 1360	2068	firewall.exe	42
PID 2068 wrote to memory of 1360	2068	firewall.exe	42
PID 2068 wrote to memory of 1360	2068	firewall.exe	42
PID 2068 wrote to memory of 1360	2068	firewall.exe	42
PID 1360 wrote to memory of 1048	1360	firewall.exe	43
PID 1360 wrote to memory of 1048	1360	firewall.exe	43
PID 1360 wrote to memory of 1048	1360	firewall.exe	43
PID 1360 wrote to memory of 1048	1360	firewall.exe	43
PID 1360 wrote to memory of 2316	1360	firewall.exe	45
PID 1360 wrote to memory of 2316	1360	firewall.exe	45
PID 1360 wrote to memory of 2316	1360	firewall.exe	45
PID 1360 wrote to memory of 2316	1360	firewall.exe	45
PID 2316 wrote to memory of 1992	2316	spooIsv.exe	46
PID 2316 wrote to memory of 1992	2316	spooIsv.exe	46
PID 2316 wrote to memory of 1992	2316	spooIsv.exe	46
PID 2316 wrote to memory of 1992	2316	spooIsv.exe	46

C:\Users\Admin\AppData\Local\Temp\25e26b2aa08fdb696c36bd0a86c96b68.exe
"C:\Users\Admin\AppData\Local\Temp\25e26b2aa08fdb696c36bd0a86c96b68.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\25e26b2aa08fdb696c36bd0a86c96b68.exe
  2222
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwjuafyt.bat" "
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\iexplore.exe
    C:\Windows\system32\iexplore.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\iexplore.exe
      2222
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\jtmvy.bat" "
        5⤵
        
        PID:532
    - - C:\Windows\SysWOW64\winamp.exe
        
        C:\Windows\system32\winamp.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\SysWOW64\winamp.exe
        
        2222
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\pxhhw.bat" "
        7⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\firewall.exe
        
        C:\Windows\system32\firewall.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\firewall.exe
        
        2222
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\glmbmt.bat" "
        9⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\spooIsv.exe
        
        C:\Windows\system32\spooIsv.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\spooIsv.exe
        
        2222
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\osxcdy.bat" "
        11⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\algs.exe
        
        C:\Windows\system32\algs.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
        
        C:\Windows\SysWOW64\algs.exe
        
        2222
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\kckv.bat" "
        13⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Isass.exe
        
        C:\Windows\system32\Isass.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 464
  2⤵
  - Program crash
  PID:2044

C:\Windows\SysWOW64\Isass.exe
2222
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bwjuafyt.bat

Filesize
202B

MD5
72b839c0fb4d6742bfca94c78f6e78d5

SHA1
1301d0762da49f705a228e650c0d00b9c4012ed6

SHA256
16d97f89117d539d475ef6a87bfe2d45c95a7c07354e1a83650fcbe40af7a493

SHA512
a129ebd75df528c02d6683ead3d9a7585993a374ebd620af3529d4155a8b394e71f4ae210c33384722f579a4666038758b740afa54591c4afc593f921ab082eb

Download Submit
C:\Windows\SysWOW64\glmbmt.bat

Filesize
128B

MD5
9dbb155901a433b23692770b23efb0ce

SHA1
3e049ceee9b33b13561f198051a83dd0746a8874

SHA256
ac22513a7f5e156d1b51ff65f469943c88dfffcfd0dd7ce137ebfa0c633493ca

SHA512
e263cd8941082116dfe3e73d51319be80a7a9419cabfcb0a19a62fac7829fa380ffc37a1ebbb2ebe94c794a4acc5ed7f029fb46c90af87a5079741a4d9ccae69

Download Submit
C:\Windows\SysWOW64\iexplore.exe

Filesize
141KB

MD5
25e26b2aa08fdb696c36bd0a86c96b68

SHA1
24551b768e6888b1418ebcdb51448803da092427

SHA256
f0199dc0f12f6ccafbf32e14417bfec9c2e9bd207d678300bbc1aedd21813f4f

SHA512
6308a5c0f55b8da4eb4ccadb2466047df1c8690c3b14515386be36a288bb8a39ccf2c947e2501da425ce218538bd4c5dbfd14bd1ee853e3b16d4ea333576bf6a

Download Submit
C:\Windows\SysWOW64\jtmvy.bat

Filesize
127B

MD5
07086dfcf7e1a0307a916a9657c52c62

SHA1
17b4b800c503b17d2e6f5b08992562411b4ff5e7

SHA256
c7b5f2074c1e56b4d260572a27d2dc0fdd12ce94640a646a8acc56b046db0a3a

SHA512
363cbe1b3693b4d5c45b89806dd846823b3fe3d734e5e18e127fd3003e3d1c984fba587681f0ab0ef6d202252d97ca78b27502f70d902f1e610064a15b5d5d5f

Download Submit
C:\Windows\SysWOW64\kckv.bat

Filesize
114B

MD5
90454711932a38c1d0b30bc1b9467cfb

SHA1
366aab8a9b42e615a4deee00f88af00ebef59016

SHA256
d1bb64d3104493a8db9870804e7c6ce9c017de065b7dcd7e100658ee0414ee0c

SHA512
ad61c79ebf4efd1b1d37693fc1420304b141be0226b910c2d45bd221c7fe21a387b05ebe02b6cc4ea526e30570b97dc9ae1dc61b1f54d9faf6b44baed96763cb

Download Submit
C:\Windows\SysWOW64\osxcdy.bat

Filesize
125B

MD5
e31b32f8d6f1149453eac8e0a20ed244

SHA1
6079a618f76f47317c4a66d2494289c8e09b1f7f

SHA256
8f885c750e1dd8c8b602d099c916adab3e56484d9bd8bb2d501ada56803e72a4

SHA512
ff34dad495e9a476517d474f03eab6f4e4f5ada8c62da6796d73596c04c95a5fa4a0316b00dfb968ba3aa751b584432764d92be8e6a4c0a78bcf5c79a0eacb06

Download Submit
C:\Windows\SysWOW64\pxhhw.bat

Filesize
121B

MD5
aa6435e521d7bdf2c75f214980adf3de

SHA1
dee1ce34372d800813ed1a5ffdca3fe524d95431

SHA256
a32d295450ee102cddbe05f3e702b48c116d61a4476fb6cc54e0e7e9a4a7b9a8

SHA512
51a5c4182fb152082aa61e968fdbebe8074c15a69865e3c3712c2f14fbbce9cf6542144059a6c04d2f5920af272a2da0f880652a59a87fd3f2a09a55190d5fa4

Download Submit
memory/660-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1304-181-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1304-173-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1348-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1360-114-0x0000000001EC0000-0x0000000001EED000-memory.dmp

Filesize
180KB

Download
memory/1360-110-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1992-141-0x0000000002110000-0x000000000213D000-memory.dmp

Filesize
180KB

Download
memory/1992-138-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1992-174-0x0000000002110000-0x000000000213D000-memory.dmp

Filesize
180KB

Download
memory/2068-90-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2068-89-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2068-88-0x0000000000280000-0x00000000002AD000-memory.dmp

Filesize
180KB

Download
memory/2216-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2216-27-0x0000000002460000-0x000000000248D000-memory.dmp

Filesize
180KB

Download
memory/2216-3-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2216-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2316-118-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2412-145-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2412-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2496-176-0x0000000002280000-0x00000000022AD000-memory.dmp

Filesize
180KB

Download
memory/2496-166-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2496-167-0x0000000002280000-0x00000000022AD000-memory.dmp

Filesize
180KB

Download
memory/2592-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2592-49-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2804-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2932-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2932-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2932-32-0x0000000000250000-0x000000000027D000-memory.dmp

Filesize
180KB

Download