f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8

Resubmissions

23-01-2024 14:03

240123-rcwpqsbff3 10

23-01-2024 13:44

240123-q13yaabef7 10

Analysis

max time kernel
121s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
23-01-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 8 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral4/memory/1984-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/1984-31-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
C:\Windows\System\svchost.exe	BazaLoader
behavioral4/memory/2296-43-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/1984-44-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral4/memory/2296-70-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

5068 netsh.exe
4644 netsh.exe
1232 netsh.exe
1616 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2296 svchost.exe

pid	process
5068	netsh.exe
4644	netsh.exe
1232	netsh.exe
1616	netsh.exe

pid	process
2296	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4848 schtasks.exe

pid	process
4848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe

pid	process
280	powershell.exe
280	powershell.exe
2860	powershell.exe
2860	powershell.exe
1984	svchost_dump_SCY - Copy.exe
1984	svchost_dump_SCY - Copy.exe
3596	powershell.exe
3596	powershell.exe
1488	powershell.exe
1488	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4688	WMIC.exe
Token: SeSecurityPrivilege	4688	WMIC.exe
Token: SeTakeOwnershipPrivilege	4688	WMIC.exe
Token: SeLoadDriverPrivilege	4688	WMIC.exe
Token: SeSystemProfilePrivilege	4688	WMIC.exe
Token: SeSystemtimePrivilege	4688	WMIC.exe
Token: SeProfSingleProcessPrivilege	4688	WMIC.exe
Token: SeIncBasePriorityPrivilege	4688	WMIC.exe
Token: SeCreatePagefilePrivilege	4688	WMIC.exe
Token: SeBackupPrivilege	4688	WMIC.exe
Token: SeRestorePrivilege	4688	WMIC.exe
Token: SeShutdownPrivilege	4688	WMIC.exe
Token: SeDebugPrivilege	4688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4688	WMIC.exe
Token: SeRemoteShutdownPrivilege	4688	WMIC.exe
Token: SeUndockPrivilege	4688	WMIC.exe
Token: SeManageVolumePrivilege	4688	WMIC.exe
Token: 33	4688	WMIC.exe
Token: 34	4688	WMIC.exe
Token: 35	4688	WMIC.exe
Token: 36	4688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4688	WMIC.exe
Token: SeSecurityPrivilege	4688	WMIC.exe
Token: SeTakeOwnershipPrivilege	4688	WMIC.exe
Token: SeLoadDriverPrivilege	4688	WMIC.exe
Token: SeSystemProfilePrivilege	4688	WMIC.exe
Token: SeSystemtimePrivilege	4688	WMIC.exe
Token: SeProfSingleProcessPrivilege	4688	WMIC.exe
Token: SeIncBasePriorityPrivilege	4688	WMIC.exe
Token: SeCreatePagefilePrivilege	4688	WMIC.exe
Token: SeBackupPrivilege	4688	WMIC.exe
Token: SeRestorePrivilege	4688	WMIC.exe
Token: SeShutdownPrivilege	4688	WMIC.exe
Token: SeDebugPrivilege	4688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4688	WMIC.exe
Token: SeRemoteShutdownPrivilege	4688	WMIC.exe
Token: SeUndockPrivilege	4688	WMIC.exe
Token: SeManageVolumePrivilege	4688	WMIC.exe
Token: 33	4688	WMIC.exe
Token: 34	4688	WMIC.exe
Token: 35	4688	WMIC.exe
Token: 36	4688	WMIC.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemProfilePrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeProfSingleProcessPrivilege	5004	WMIC.exe
Token: SeIncBasePriorityPrivilege	5004	WMIC.exe
Token: SeCreatePagefilePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeDebugPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeRemoteShutdownPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: 33	5004	WMIC.exe
Token: 34	5004	WMIC.exe
Token: 35	5004	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	pid	process	target process
PID 1984 wrote to memory of 4688	1984	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1984 wrote to memory of 4688	1984	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1984 wrote to memory of 5068	1984	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1984 wrote to memory of 5068	1984	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1984 wrote to memory of 4644	1984	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1984 wrote to memory of 4644	1984	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1984 wrote to memory of 280	1984	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1984 wrote to memory of 280	1984	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1984 wrote to memory of 2860	1984	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1984 wrote to memory of 2860	1984	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1984 wrote to memory of 1448	1984	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1984 wrote to memory of 1448	1984	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1984 wrote to memory of 4848	1984	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1984 wrote to memory of 4848	1984	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1984 wrote to memory of 2296	1984	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1984 wrote to memory of 2296	1984	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2296 wrote to memory of 5004	2296	svchost.exe	WMIC.exe
PID 2296 wrote to memory of 5004	2296	svchost.exe	WMIC.exe
PID 2296 wrote to memory of 1616	2296	svchost.exe	netsh.exe
PID 2296 wrote to memory of 1616	2296	svchost.exe	netsh.exe
PID 2296 wrote to memory of 1232	2296	svchost.exe	netsh.exe
PID 2296 wrote to memory of 1232	2296	svchost.exe	netsh.exe
PID 2296 wrote to memory of 3596	2296	svchost.exe	powershell.exe
PID 2296 wrote to memory of 3596	2296	svchost.exe	powershell.exe
PID 2296 wrote to memory of 1488	2296	svchost.exe	powershell.exe
PID 2296 wrote to memory of 1488	2296	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:5068

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:1448

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4848

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3596

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1232

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0b59f3fa12628f63b5713c4833570d7f

SHA1
badcf18f1fdc94b1eadf63f27c09ad092c4a6ccb

SHA256
2332e52881483559d787508831c00192c4f0a4fedc232b0309e566a30247af1d

SHA512
01724fd9f7a20ec5ff3d2686593d5d95069135834e9b156ced36985067fb36e7b3ec2a0018e41fa125ad5d1e42c80be9e148632a9b655f2d41c1400a4320abe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lnyls2sn.xxo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus

Filesize
2.7MB

MD5
1a54941e69d95e9a46d184486f32ff9f

SHA1
fa94366a0032895f00742ef06e5663c888245847

SHA256
2553820f11ff6d383401860b42b7ce8168950d72a9cef7434dfd4b372f0a10da

SHA512
ddbdefd03d9d669c4e958542be9b87ed05c83289c17f4364858b4d412c7d91946d0b1f97e9279edded849d012b2e8bbc9db8af32bf32a22d8466d7caf253727b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
871KB

MD5
92f306539a39a11c44906493e2ba2b12

SHA1
6d2db71dfa42a9edc7018e14299b6eb246b87e5e

SHA256
58463ac4719a8493bf38cceaabba8a352da4203d9ea8766a70137e38e17acf0a

SHA512
47afdd9176d384864a65906545c6230190a5dccd46592ebd81a8f8b96599247e32a2f412892b7f1f3ae2a5f111fa49f020f99a3c2ba4bf86b49ba1f378488adc

Download Submit
C:\Windows\System\svchost.exe

Filesize
277KB

MD5
860246c417ad0f21043f236e397d34c4

SHA1
cb37b7c2fec68a476421a1cee66beb0a1484d085

SHA256
003a0ecaea4f76a5be44485cbfb3a5e7661266c920c3d2a52a7c7f1ebb3e5855

SHA512
ce1853854c15dbf498c97ccebba1c5e48122634f59193245d578b8f121d424e17cca5c06c8218fa34430a7f40e46c4a3cc9b532b11e6f1ff4f85f4940331ab27

Download Submit
C:\Windows\System\svchost.exe

Filesize
161KB

MD5
7209bf5b2d09ff2a4b51a199588bdb63

SHA1
76719d52ab52f19f8223c2d762ca2d96488924f5

SHA256
494a6d5cd0bcaf3bb8e5a0f1053d1991a1b901460e0f9b6e29fe2319a3e2d41b

SHA512
018d45241399b79dce2451fe7c349c78c6f765d1a687d9e9bf8b2bc106f06c578b74488bafe7ff05af7d9b399db138e7e7107fdaf896573d9c05e07cb48c9c74

Download Submit
C:\Windows\System\svchost.exe

Filesize
212KB

MD5
cb8895db5b6aaccb68a5a944414a1c1f

SHA1
3e6997cf427620ce6e42e23911b29eed450b9628

SHA256
9c7bc70e59e20dd910ed612d4008e9b194841c89b9bae9f3a5072ea988890f51

SHA512
59fe52c5959b9ca3bc5247dcbfd4df60942bea8b339332a7ea754ee3529144ffe71b1b146244f0c65cf8c7824a7c95e93f7f4605c66438dcdf43b022052613cc

Download Submit
memory/280-11-0x000001E5C76A0000-0x000001E5C76B0000-memory.dmp

Filesize
64KB

Download
memory/280-9-0x000001E5AF180000-0x000001E5AF1A2000-memory.dmp

Filesize
136KB

Download
memory/280-30-0x00007FFA59BF0000-0x00007FFA5A6B2000-memory.dmp

Filesize
10.8MB

Download
memory/280-25-0x000001E5C76A0000-0x000001E5C76B0000-memory.dmp

Filesize
64KB

Download
memory/280-10-0x00007FFA59BF0000-0x00007FFA5A6B2000-memory.dmp

Filesize
10.8MB

Download
memory/280-13-0x000001E5C76A0000-0x000001E5C76B0000-memory.dmp

Filesize
64KB

Download
memory/280-12-0x000001E5C76A0000-0x000001E5C76B0000-memory.dmp

Filesize
64KB

Download
memory/1488-67-0x00007FFA59980000-0x00007FFA5A442000-memory.dmp

Filesize
10.8MB

Download
memory/1488-74-0x00007FFA59980000-0x00007FFA5A442000-memory.dmp

Filesize
10.8MB

Download
memory/1488-58-0x000001716B9F0000-0x000001716BA00000-memory.dmp

Filesize
64KB

Download
memory/1488-71-0x000001716B9F0000-0x000001716BA00000-memory.dmp

Filesize
64KB

Download
memory/1984-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1984-31-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1984-44-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2296-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2296-75-0x000000003B530000-0x000000003BA12000-memory.dmp

Filesize
4.9MB

Download
memory/2296-70-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2860-24-0x000001CA917F0000-0x000001CA91800000-memory.dmp

Filesize
64KB

Download
memory/2860-34-0x00007FFA59BF0000-0x00007FFA5A6B2000-memory.dmp

Filesize
10.8MB

Download
memory/2860-29-0x000001CA917F0000-0x000001CA91800000-memory.dmp

Filesize
64KB

Download
memory/2860-23-0x000001CA917F0000-0x000001CA91800000-memory.dmp

Filesize
64KB

Download
memory/2860-14-0x00007FFA59BF0000-0x00007FFA5A6B2000-memory.dmp

Filesize
10.8MB

Download
memory/3596-54-0x0000020061070000-0x0000020061080000-memory.dmp

Filesize
64KB

Download
memory/3596-55-0x0000020061070000-0x0000020061080000-memory.dmp

Filesize
64KB

Download
memory/3596-57-0x0000020061070000-0x0000020061080000-memory.dmp

Filesize
64KB

Download
memory/3596-53-0x00007FFA59980000-0x00007FFA5A442000-memory.dmp

Filesize
10.8MB

Download
memory/3596-69-0x00007FFA59980000-0x00007FFA5A442000-memory.dmp

Filesize
10.8MB

Download