7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
120s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
23-01-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 8 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral4/memory/3416-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/3416-27-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral4/memory/2008-43-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral4/memory/3416-44-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/2008-71-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

2044 netsh.exe
3916 netsh.exe
4604 netsh.exe
2676 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2008 svchost.exe

pid	process
2044	netsh.exe
3916	netsh.exe
4604	netsh.exe
2676	netsh.exe

pid	process
2008	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2876 schtasks.exe

pid	process
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe

pid	process
2524	powershell.exe
2524	powershell.exe
3272	powershell.exe
3272	powershell.exe
3416	svchost_dump_SCY - Copy.exe
3416	svchost_dump_SCY - Copy.exe
3580	powershell.exe
3580	powershell.exe
3472	powershell.exe
3472	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe
Token: 36	1800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe
Token: 36	1800	WMIC.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	pid	process	target process
PID 3416 wrote to memory of 1800	3416	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3416 wrote to memory of 1800	3416	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3416 wrote to memory of 2044	3416	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3416 wrote to memory of 2044	3416	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3416 wrote to memory of 3916	3416	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3416 wrote to memory of 3916	3416	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3416 wrote to memory of 2524	3416	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3416 wrote to memory of 2524	3416	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3416 wrote to memory of 3272	3416	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3416 wrote to memory of 3272	3416	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3416 wrote to memory of 4008	3416	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3416 wrote to memory of 4008	3416	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3416 wrote to memory of 2876	3416	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3416 wrote to memory of 2876	3416	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3416 wrote to memory of 2008	3416	svchost_dump_SCY - Copy.exe	svchost.exe
PID 3416 wrote to memory of 2008	3416	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2008 wrote to memory of 1620	2008	svchost.exe	WMIC.exe
PID 2008 wrote to memory of 1620	2008	svchost.exe	WMIC.exe
PID 2008 wrote to memory of 2676	2008	svchost.exe	netsh.exe
PID 2008 wrote to memory of 2676	2008	svchost.exe	netsh.exe
PID 2008 wrote to memory of 4604	2008	svchost.exe	netsh.exe
PID 2008 wrote to memory of 4604	2008	svchost.exe	netsh.exe
PID 2008 wrote to memory of 3580	2008	svchost.exe	powershell.exe
PID 2008 wrote to memory of 3580	2008	svchost.exe	powershell.exe
PID 2008 wrote to memory of 3472	2008	svchost.exe	powershell.exe
PID 2008 wrote to memory of 3472	2008	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2044

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4008

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2876

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3580

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3472

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5ba388a6597d5e09191c2c88d2fdf598

SHA1
13516f8ec5a99298f6952438055c39330feae5d8

SHA256
e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

SHA512
ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f0404139c8992e662223dacf857f0620

SHA1
7d48d64bf1166036ef276c0a27504880aea7df36

SHA256
7aad903820a111129ca02193788effb49f9b297795f26e311b92db10435a3b3f

SHA512
c340335d06840a2dbdf7cd689e5ed20961ef7ebc4eae178743f85f304bcf45252407ef67358b75849b68138ebf4ebdf6e5575cd2b88c5e7e38eefcf3f530727b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7af0cbe52696e307275601db3476248a

SHA1
5d01afae5b07ebd60abf71edc4f57e585fd48ae9

SHA256
802e48f1b79a6c30b92f1b25f59fdd65f983c6408a5955860609c419fe98d6c6

SHA512
88f264506aa11fe3b2746f73dab3124640db6062c19dbd9c3e028c0152101a8f4fbc2233562a7981faa5d9fe3185ea23a446878af38d8f063cd098c6ae2966c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3q3c5cxn.wey.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus

Filesize
1KB

MD5
08cbcad09b2c26c87312e04decde0523

SHA1
5c4bf18bf897878d8eb72b8057768c65485e79fc

SHA256
6d60e86c1924c424cd8580b9ea6001935952031b8553cbc13f5ad3eb2bfb36ef

SHA512
f13d811aabc399d9ee4ada36d95def91fc2e07e7fc3fe22ae513b50989dbccc4efc5b09c8fced45e38c0426053ea9548227bc3470d768f2f2889791b3489b597

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
65KB

MD5
2fc7c05cffdc19a1f94e613c6649365d

SHA1
ca7aa46af961344191d6308362b59638e612ae8c

SHA256
97e0315e4cd9fb13f6f8b03d3b42071dbfe24eef02196e8154258f5881adca0b

SHA512
e0f1e104309bffddd3646f790e78b26e0c84d24b38fdc6ec966bb3d4d7493147f25fbf74b1d3447edcad955fb749d9c2a400b0c8f59162043ab865ad6f1160a5

Download Submit
C:\Windows\System\svchost.exe

Filesize
141KB

MD5
cb49cc237e518cb1872d196d57526262

SHA1
3a1893620b23e81e0eebab25b64c4a99fa570bd4

SHA256
b59a4c066685abe5fbd5d1b13d020c2001bd1a4c16303960b7949c1d265291c0

SHA512
0208daa201b2da010233ad3c31da1dd6989a126654b8968e979ec527ca5d136c9171033fae1a9728e12d88bfa4749d202aff72765974c20f4b7bb234bd449748

Download Submit
C:\Windows\System\svchost.exe

Filesize
128KB

MD5
122906f78f38290a8122f71a605fb6a4

SHA1
f48b1e22e745a129e7fd5f3c3846890ac076e075

SHA256
6420153a7e4164bad38c60f6a35b2f6425a56a8e1062081e651ddbfb834def4e

SHA512
e2b9431f43e5be690c1679e36cfc13a9e4beba2f2a509888c447d74ecbd63cbd6ee9043a434c4681c6bcb82b930ccd0a253ce1140a962b537fc6e88ffcaf9ebb

Download Submit
C:\Windows\System\svchost.exe

Filesize
233KB

MD5
dca8e099e41ae0060866c94c0b2ef469

SHA1
429be33212544fc15560663e52a243f7f9ad066d

SHA256
5a764267a98a9a73395265233d320208e221c22983810d8504d3ab50869094e5

SHA512
72b645f3e7b5cf5e0a22a07d987995496a6a9e65172654991d9c32359ab5f7c032f65a3f38cffb4416bb1dcbbd6b5991c6ca1012b1d51066140261b1eb015c8d

Download Submit
memory/2008-76-0x000000003B530000-0x000000003BA12000-memory.dmp

Filesize
4.9MB

Download
memory/2008-71-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2008-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2524-29-0x00007FFBA9E90000-0x00007FFBAA952000-memory.dmp

Filesize
10.8MB

Download
memory/2524-24-0x000001D960240000-0x000001D960250000-memory.dmp

Filesize
64KB

Download
memory/2524-13-0x000001D960240000-0x000001D960250000-memory.dmp

Filesize
64KB

Download
memory/2524-12-0x000001D960240000-0x000001D960250000-memory.dmp

Filesize
64KB

Download
memory/2524-11-0x000001D960240000-0x000001D960250000-memory.dmp

Filesize
64KB

Download
memory/2524-10-0x00007FFBA9E90000-0x00007FFBAA952000-memory.dmp

Filesize
10.8MB

Download
memory/2524-9-0x000001D9602F0000-0x000001D960312000-memory.dmp

Filesize
136KB

Download
memory/3272-23-0x0000024FDDFF0000-0x0000024FDE000000-memory.dmp

Filesize
64KB

Download
memory/3272-31-0x0000024FDDFF0000-0x0000024FDE000000-memory.dmp

Filesize
64KB

Download
memory/3272-14-0x00007FFBA9E90000-0x00007FFBAA952000-memory.dmp

Filesize
10.8MB

Download
memory/3272-28-0x0000024FDDFF0000-0x0000024FDE000000-memory.dmp

Filesize
64KB

Download
memory/3272-34-0x00007FFBA9E90000-0x00007FFBAA952000-memory.dmp

Filesize
10.8MB

Download
memory/3416-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3416-27-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3416-44-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3472-72-0x0000028E517B0000-0x0000028E517C0000-memory.dmp

Filesize
64KB

Download
memory/3472-75-0x00007FFBA9CF0000-0x00007FFBAA7B2000-memory.dmp

Filesize
10.8MB

Download
memory/3472-58-0x0000028E517B0000-0x0000028E517C0000-memory.dmp

Filesize
64KB

Download
memory/3472-59-0x0000028E517B0000-0x0000028E517C0000-memory.dmp

Filesize
64KB

Download
memory/3472-68-0x00007FFBA9CF0000-0x00007FFBAA7B2000-memory.dmp

Filesize
10.8MB

Download
memory/3580-70-0x00007FFBA9CF0000-0x00007FFBAA7B2000-memory.dmp

Filesize
10.8MB

Download
memory/3580-55-0x000001FB0D9E0000-0x000001FB0D9F0000-memory.dmp

Filesize
64KB

Download
memory/3580-54-0x000001FB0D9E0000-0x000001FB0D9F0000-memory.dmp

Filesize
64KB

Download
memory/3580-53-0x00007FFBA9CF0000-0x00007FFBAA7B2000-memory.dmp

Filesize
10.8MB

Download
memory/3580-57-0x000001FB0D9E0000-0x000001FB0D9F0000-memory.dmp

Filesize
64KB

Download